7 Replies Latest reply on Oct 28, 2004 4:53 PM by starksm64

    JBoss 3.2.5 -> 4.0.0 migration, principal=null

    daborg

      Hi,

      I'm attempting to migrate from JBoss 3.2.5 to 4.0.0, and I'm having a problem with authentication.

      I'm running my application in the "standard" configuration to get backwards compatibility. I have downloaded the tomcat50 roles patch.

      I have a webapp inside an ear which is using form-based authentication. JAAS is set up to use the basic users/roles properties files. When the webapp attempts to call the EJBs, I get a principal=null exception.

      I know that the principal is successfully defined in the webapp, as the login succeeds and I have a servlet filter which prints the principal's name before failing to call the EJB.

      This worked fine in 3.2.5.

      Could you give me some suggestions? How would I go about debugging this kind of thing?

      Thanks,

      Daniel

        • 1. Re: JBoss 3.2.5 -> 4.0.0 migration, principal=null
          starksm64

          1. Post a bug to sourceforge with the ear example
          2. Enable trace level logging on the org.jboss.security category name to see what is going on.
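
Added example, not part of the original thread or of JBoss's shipped configuration: one way to apply step 2 above in the server configuration's `conf/log4j.xml`, sending `org.jboss.security` trace output to its own file with the thread name on every line, so one request can be followed from the login module to the EJB `SecurityInterceptor`. The appender name `SECURITY_TRACE` and the file name `security-trace.log` are assumptions chosen for illustration.

```xml
<!-- Fragment for conf/log4j.xml, placed inside the existing
     <log4j:configuration> element. The log4j DTD requires <appender>
     elements to appear before <category> elements. -->

<!-- Dedicated file for security tracing (appender and file names are
     hypothetical). No Threshold parameter is set, so TRACE events are
     not filtered out at the appender. -->
<appender name="SECURITY_TRACE" class="org.apache.log4j.FileAppender">
  <param name="File" value="${jboss.server.home.dir}/log/security-trace.log"/>
  <param name="Append" value="false"/>
  <layout class="org.apache.log4j.PatternLayout">
    <!-- %t prints the thread name. The caller identity is associated
         with the request thread, so the thread name ties a
         "principal=null" error to the login attempt that preceded it. -->
    <param name="ConversionPattern" value="%d %-5p [%c{1}] (%t) %m%n"/>
  </layout>
</appender>

<!-- TRACE is a JBoss extension level, not a stock log4j 1.2 level,
     so the priority must name org.jboss.logging.XLevel. -->
<category name="org.jboss.security">
  <priority value="TRACE" class="org.jboss.logging.XLevel"/>
  <appender-ref ref="SECURITY_TRACE"/>
</category>
```

Appenders that set a Threshold above TRACE will still hide these events, which is why the fragment uses a separate appender. The trace output names the usernames being authenticated, so restrict read access to the file and remove the category once the problem is diagnosed.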

          • 2. Re: JBoss 3.2.5 -> 4.0.0 migration, principal=null
            daborg

            Enabling trace gave me more information:

            > [UsersRolesLoginModule] Bad password for username=null

            After playing around a bit, it appears that this is something to do with the redirect happening after the form based authentication succeeds. What I've found is that it works just fine _after_ you've logged in.

            What appears to happen is that the form-based login succeeds, then tomcat redirects to the original request. That request then fires off a servlet filter which finds it has a remoteUser, grabs the session, and makes a call to an EJB. That call to the EJB apparently doesn't propagate the security context, as the username is null (as noted above). Also, on the next request, a NEW session is present in the filter and the call to the EJB succeeds. Subsequent to that, everything works just fine.

            I can't upload the EAR (for commercial reasons), but if I find the time I might create a stripped down version which demonstrates the problem. Shouldn't really be hard though, all you need is a webapp with form-based authentication and a servlet filter which calls a stateless session bean if it has a remoteUser. Set this up to use the "other" security realm and I would expect it to fail like above.

            The only thing I can find in the tomcat release notes for 5.0.28 which seems even remotely relevant is this:

            > 30602: Subject is not available during the first call to the servlet which use the basic authentication (jfarcand)
            > 29406: Made JAASRealm configurable as to whether it should use the context ClassLoader or the default ClassLoader by adding a useContextClassLoader boolean attribute. (yoavs)

            ... which doesn't really help me much.

            Do you have any further suggestions as to how I can debug this?

            Thanks,

            Daniel

            • 3. Re: JBoss 3.2.5 -> 4.0.0 migration, principal=null
              bobbyjboss

              I have come across the same issue. I have three applications I am moving from jboss 3.2.3 to 4.0. Two work fine but the third fails a checkconstraint immediately on login. When I refresh the page everything works as it should. This confirms the behavior the previous poster saw.

              The three applications are very similar so I have not yet determined why some should work and others fail like this.

              All these applications have a similar home.jsp which contains tags that make the same ejb calls.

              I have the patched tomcat for 4.0 and see this on linux and windows
              java version "1.4.2_05"
              Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-b04)
              Java HotSpot(TM) Client VM (build 1.4.2_05-b04, mixed mode)


              stack trace is

              14:25:03,370 ERROR [SecurityInterceptor] Authentication exception, principal=null
              14:25:03,370 ERROR [LogInterceptor] EJBException in method: public abstract cc.cmusa.favorites.ejb.NavigationManager cc.cmusa.favorites.ejb.NavigationManagerHome.create() throws javax.ejb.CreateException,java.rmi.RemoteException, causedBy:
              java.lang.SecurityException: Authentication exception, principal=null
              at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173)
              at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:96)
              at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
              at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
              at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:613)
              at org.jboss.ejb.Container.invoke(Container.java:876)
              at sun.reflect.GeneratedMethodAccessor99.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              at java.lang.reflect.Method.invoke(Method.java:324)
              at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
              at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
              at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
              at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
              at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
              at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:155)
              at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:104)
              at org.jboss.invocation.MarshallingInvokerInterceptor.invoke(MarshallingInvokerInterceptor.java:55)
              at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46)
              at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:55)
              at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:169)
              at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:86)
              at $Proxy1159.create(Unknown Source)
              at cc.cmusa.favorites.web.FavoritesListCache.setupFavorites(FavoritesListCache.java:67)
              at cc.cmusa.favorites.web.PrintFavoritesTag.doEndTag(PrintFavoritesTag.java:27)
              at org.apache.jsp.secure.header_jsp._jspx_meth_cmusa_print$1favorites_0(header_jsp.java:308)
              at org.apache.jsp.secure.header_jsp._jspx_meth_cmusa_if$1header_2(header_jsp.java:284)
              at org.apache.jsp.secure.header_jsp._jspx_meth_cmusa_header$1holder_0(header_jsp.java:113)
              at org.apache.jsp.secure.header_jsp._jspService(header_jsp.java:57)
              at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
              at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:704)
              at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:590)
              at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:510)
              at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:966)
              at org.apache.jsp.secure.home_jsp._jspService(home_jsp.java:63)
              at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
              at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:704)
              at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:474)
              at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:409)
              at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:312)
              at cc.cmusa.web.controller.Controller.process(Controller.java:238)
              at cc.cmusa.web.controller.Controller.doGet(Controller.java:209)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
              at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:704)
              at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:474)
              at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:409)
              at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:312)
              at org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:670)
              at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:637)
              at org.apache.jsp.secure.index_jsp._jspService(index_jsp.java:43)
              at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
              at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:75)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:186)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
              at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
              at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
              at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
              at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
              at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:66)
              at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540)
              at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
              at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:169)
              at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
              at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
              at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
              at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
              at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
              at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
              at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
              at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
              at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
              at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
              at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
              at java.lang.Thread.run(Thread.java:534)


              • 4. Re: JBoss 3.2.5 -> 4.0.0 migration, principal=null
                starksm64

                I'm still looking for a bug report on sourceforge with either a testcase or trace level log on the org.jboss.security category name.

                • 5. Re: JBoss 3.2.5 -> 4.0.0 migration, principal=null
                  bobbyjboss

                  Logged bug # 1040200 on sourceforge

                  Bug report also provides work-around

                  • 6. Re: JBoss 3.2.5 -> 4.0.0 migration, principal=null
                    schmidts

                    Hi,

                    I'm trying to update from JBoss 3.2.4 to 3.2.6 and I experience the same problem. (At least I think so at this moment)

                    Before producing lengthy details, I just wanted to check whether this bug might also exist in 3.2.6. Bug #1040200 says that it's been fixed on the JBoss-4 branch. What about 3.2.6?

                    TIA

                    Stefan

                    • 7. Re: JBoss 3.2.5 -> 4.0.0 migration, principal=null
                      starksm64

                      Bug 1040200 does not apply to 3.2.6.