11 Replies Latest reply on Jan 29, 2007 6:17 AM by smokingapipe

    JBoss4.0 and JAAS/Login-config.xml

    unclesam

      Hi,

      in my webapp I am using JAAS for security. It refers to the entry in login-config.xml and corresponds to the same name.
      When I start my application and try to log in, JBoss doesn't find the application policy and takes the policy "other". So I did a dirty fix: I commented out the "other" tag and renamed my application-policy tag to "other".

      Now it works, but is this a bug in JBoss4.0? In JBoss3.2.5 it works fine!

      Thanks for replies!

      Markus


      jboss-web.xml:

      <jboss-web>
      <security-domain>java:/jaas/DbRealm</security-domain>
      </jboss-web>

      login-config.xml

      <!-- Security domains for psf framework -->
      <!-- <application-policy name = "DbRealm">
      --> <application-policy name = "other">
      <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
      <module-option name = "dsJndiName">java:/psfDS</module-option>
      <module-option name = "principalsQuery">select passwd from users where username=?</module-option>
      <module-option name = "rolesQuery">select role, 'Roles' from userroles where username=?</module-option>
      </login-module>
      </authentication>
      </application-policy>



        • 1. Re: JBoss4.0 and JAAS/Login-config.xml
          starksm64

          Nothing has changed between 3.2.x and 4.0.x in this regard so you need to debug why the DbRealm login-config.xml entry is not being found.

          • 2. Re: JBoss4.0 and JAAS/Login-config.xml
            edikus

            I've had a similar problem. Have you found anything? Are you using Tomcat? For some reason, the ContextConfig in catalina has a null realm.
            +edi

            • 3. Re: JBoss4.0 and JAAS/Login-config.xml
              atillman

               

              "UncleSam" wrote:
              Hi,

              in my webapp I am using JAAS for security. It refers to the entry in login-config.xml and corresponds to the same name.
              When I start my application and try to log in, JBoss doesn't find the application policy and takes the policy "other". So I did a dirty fix: I commented out the "other" tag and renamed my application-policy tag to "other".

              Now it works, but is this a bug in JBoss4.0? In JBoss3.2.5 it works fine!

              Thanks for replies!

              Markus


              jboss-web.xml:

              <jboss-web>
              <security-domain>java:/jaas/DbRealm</security-domain>
              </jboss-web>

              login-config.xml

              <!-- Security domains for psf framework -->
              <!-- <application-policy name = "DbRealm">
              --> <application-policy name = "other">
              <authentication>
              <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
              <module-option name = "dsJndiName">java:/psfDS</module-option>
              <module-option name = "principalsQuery">select passwd from users where username=?</module-option>
              <module-option name = "rolesQuery">select role, 'Roles' from userroles where username=?</module-option>
              </login-module>
              </authentication>
              </application-policy>



              I am getting the same problem in 3.2.6 on Linux (works fine on Windows). It is happening for all web apps on my box, including jmx-console. If I activate security on jmx-console it is using the "other" login config and not the "jmx-console" config.

              • 4. Re: JBoss4.0 and JAAS/Login-config.xml
                atillman

                Here is some more information.

                Here is my login-config.xml

                <?xml version='1.0'?>
                <!DOCTYPE policy PUBLIC
                "-//JBoss//DTD JBOSS Security Config 3.0//EN"
                "http://www.jboss.org/j2ee/dtd/security_config.dtd">

                <!-- The XML based JAAS login configuration read by the
                org.jboss.security.auth.login.XMLLoginConfig mbean. Add
                an application-policy element for each security domain.

                The outline of the application-policy is:
                <application-policy name="security-domain-name">

                <login-module code="login.module1.class.name" flag="control_flag">
                <module-option name = "option1-name">option1-value</module-option>
                <module-option name = "option2-name">option2-value</module-option>
                ...
                </login-module>

                <login-module code="login.module2.class.name" flag="control_flag">
                ...
                </login-module>
                ...

                </application-policy>

                $Revision: 1.6 $
                -->


                <!-- Used by clients within the application server VM such as
                mbeans and servlets that access EJBs.
                -->
                <application-policy name = "client-login">

                <login-module code = "org.jboss.security.ClientLoginModule"
                flag = "required">
                </login-module>

                </application-policy>

                <!-- Security domain for JBossMQ -->
                <application-policy name = "jbossmq">

                <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                flag = "required">
                <module-option name = "unauthenticatedIdentity">guest</module-option>
                <module-option name = "dsJndiName">java:/jdbc/JMSPool</module-option>
                <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
                <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
                </login-module>

                </application-policy>

                <!-- Security domains for testing new jca framework -->
                <application-policy name = "HsqlDbRealm">

                <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
                flag = "required">
                <module-option name = "principal">sa</module-option>
                <module-option name = "userName">sa</module-option>
                <module-option name = "password"></module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
                </login-module>

                </application-policy>

                <application-policy name = "FirebirdDBRealm">

                <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
                flag = "required">
                <module-option name = "principal">sysdba</module-option>
                <module-option name = "userName">sysdba</module-option>
                <module-option name = "password">masterkey</module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
                </login-module>

                </application-policy>

                <application-policy name = "JmsXARealm">

                <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
                flag = "required">
                <module-option name = "principal">guest</module-option>
                <module-option name = "userName">guest</module-option>
                <module-option name = "password">guest</module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
                </login-module>

                </application-policy>

                <!-- A template configuration for the jmx-console web application. This
                defaults to the UsersRolesLoginModule the same as other and should be
                changed to a stronger authentication mechanism as required.
                -->
                <application-policy name = "jmx-console">

                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                flag = "required">
                <module-option name="usersProperties">jmx-console-users.properties</module-option>
                <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
                </login-module>

                </application-policy>

                <!-- A template configuration for the web-console web application. This
                defaults to the UsersRolesLoginModule the same as other and should be
                changed to a stronger authentication mechanism as required.
                -->
                <application-policy name = "web-console">

                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                flag = "required" />

                </application-policy>

                <!-- The default login configuration used by any security domain that
                does not have a application-policy entry with a matching name
                -->
                <!-- <application-policy name = "other">

                <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                flag = "required" />

                </application-policy> -->



                And here is my jboss-web for jmx-console.

                <jboss-web>
                <security-domain>java:/jaas/jmx-console</security-domain>
                </jboss-web>

                Now, I have changed the username and password in "jmx-console-users.properties" but not in the "user.properties" file in the conf directory. If I use the username and password in "jmx-console-users.properties" the login fails, but if I use the one in "user.properties" it succeeds. Furthermore, if I remove the "other" configuration from login-config.xml and go back to jmx-console, an error is logged with the message "No LoginModules configured for jboss.web". It seems that it cannot find the configuration "jmx-console". In this case you cannot log in at all.

                • 5. Re: JBoss4.0 and JAAS/Login-config.xml
                  yakup

                  I have the same problem and I didn't find why UsersRolesLoginModule is used by default !!

                  Any help will be appreciated.

                  • 6. Re: JBoss4.0 and JAAS/Login-config.xml
                    ddkilzer

                    You appear to be missing the root nodes in your login-config.xml document, as defined in the DTD:

                    http://www.jboss.org/j2ee/dtd/security_config.dtd

                    Dave

                    • 7. Re: JBoss4.0 and JAAS/Login-config.xml
                      eschulma

                      I have the identical problem with JBoss 4.0.4, and I do have the correct DTD. The only way I can get JBoss to see my application policy is if I call it jboss.web in login-config.xml -- I noticed that I get a message

                      [JAASRealm] Set JAAS app name jboss.web


                      every time I start my app.

                      Trying to do things the "right" way, I have for my login-config.xml:

                      <?xml version='1.0'?>
                      <!DOCTYPE policy PUBLIC
                       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
                       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
                      
                      <!-- The XML based JAAS login configuration read by the
                      org.jboss.security.auth.login.XMLLoginConfig mbean. Add
                      an application-policy element for each security domain.
                      
                      The outline of the application-policy is:
                      <application-policy name="security-domain-name">
                       <authentication>
                       <login-module code="login.module1.class.name" flag="control_flag">
                       <module-option name = "option1-name">option1-value</module-option>
                       <module-option name = "option2-name">option2-value</module-option>
                       ...
                       </login-module>
                      
                       <login-module code="login.module2.class.name" flag="control_flag">
                       ...
                       </login-module>
                       ...
                       </authentication>
                      </application-policy>
                      
                      -->
                      
                      <policy>
                       <!-- Used by clients within the application server VM such as
                       mbeans and servlets that access EJBs.
                       -->
                       <application-policy name = "client-login">
                       <authentication>
                       <login-module code = "org.jboss.security.ClientLoginModule"
                       flag = "required">
                       <!-- Any existing security context will be restored on logout -->
                       <module-option name="restore-login-identity">true</module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      
                       <!-- Security domain for JBossMQ -->
                       <application-policy name = "jbossmq">
                       <authentication>
                       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                       flag = "required">
                       <module-option name = "unauthenticatedIdentity">guest</module-option>
                       <module-option name = "dsJndiName">java:/DefaultDS</module-option>
                       <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
                       <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      
                       <!-- Security domain for JBossMQ when using file-state-service.xml
                       <application-policy name = "jbossmq">
                       <authentication>
                       <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
                       flag = "required">
                       <module-option name = "unauthenticatedIdentity">guest</module-option>
                       <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                       -->
                      
                       <!-- Security domains for testing new jca framework -->
                       <application-policy name = "HsqlDbRealm">
                       <authentication>
                       <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
                       flag = "required">
                       <module-option name = "principal">sa</module-option>
                       <module-option name = "userName">sa</module-option>
                       <module-option name = "password"></module-option>
                       <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      
                       <application-policy name = "JmsXARealm">
                       <authentication>
                       <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
                       flag = "required">
                       <module-option name = "principal">guest</module-option>
                       <module-option name = "userName">guest</module-option>
                       <module-option name = "password">guest</module-option>
                       <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      
                       <!-- A template configuration for the jmx-console web application. This
                       defaults to the UsersRolesLoginModule the same as other and should be
                       changed to a stronger authentication mechanism as required.
                       -->
                       <application-policy name = "jmx-console">
                       <authentication>
                       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                       flag = "required">
                       <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
                       <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      
                       <!-- A template configuration for the web-console web application. This
                       defaults to the UsersRolesLoginModule the same as other and should be
                       changed to a stronger authentication mechanism as required.
                       -->
                       <application-policy name = "$webConsoleDomain">
                       <authentication>
                       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                       flag = "required">
                       <module-option name="usersProperties">web-console-users.properties</module-option>
                       <module-option name="rolesProperties">web-console-roles.properties</module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      
                       <!-- A template configuration for the JBossWS web application (and transport layer!).
                       This defaults to the UsersRolesLoginModule the same as other and should be
                       changed to a stronger authentication mechanism as required.
                       -->
                       <application-policy name="JBossWS">
                       <authentication>
                       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                       flag="required">
                       <module-option name="usersProperties">props/jbossws-users.properties</module-option>
                       <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
                       <module-option name="unauthenticatedIdentity">anonymous</module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      
                       <!-- The default login configuration used by any security domain that
                       does not have a application-policy entry with a matching name
                       -->
                       <application-policy name = "other">
                       <!-- A simple server login module, which can be used when the number
                       of users is relatively small. It uses two properties files:
                       users.properties, which holds users (key) and their password (value).
                       roles.properties, which holds users (key) and a comma-separated list of
                       their roles (value).
                       The unauthenticatedIdentity property defines the name of the principal
                       that will be used when a null username and password are presented as is
                       the case for an unuathenticated web client or MDB. If you want to
                       allow such users to be authenticated add the property, e.g.,
                       unauthenticatedIdentity="nobody"
                       -->
                       <authentication>
                       <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                       flag = "required" />
                       </authentication>
                       </application-policy>
                      
                       <!-- Security domain for WebApp. It must be called jboss.web until I figure this out... -->
                       <application-policy name = "webappDomain">
                       <authentication>
                       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                       flag = "required">
                       <module-option name = "dsJndiName">java:jdbc/web</module-option>
                       <module-option name = "principalsQuery">select password from Users where username=?</module-option>
                       <module-option name = "rolesQuery">select Role, 'Roles' from Roles where username=?</module-option>
                       <module-option name = "unauthenticatedIdentity">guest</module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      </policy>
                      


                      where webappDomain is the one I'm interested in.

                      I notice that most of the application policies here are not bound into JNDI java:jaas (as shown by JNDIView) the way I would expect. In fact, the only ones I see are HsqlDbRealm, jbossmq, JmsXARealm, and (strangely) a java:jaas *under* the jaas branch.

                      For completeness, here is jboss-web.xml as well:

                      <?xml version="1.0" encoding="UTF-8"?>
                      <jboss-web>
                       <security-domain>java:jaas/webappDomain</security-domain>
                       <context-root>/web</context-root>
                       <!-- Setup by JBoss container instead.
                       <resource-ref>
                       <res-ref-name>jdbc/web</res-ref-name>
                       <res-type>javax.sql.DataSource</res-type>
                       <jndi-name>java:jdbc/web</jndi-name>
                       </resource-ref>
                       -->
                      </jboss-web>
                      


                      I have also tried editing jboss.xml, though I am not actually using this for EJBs yet. I package everything in an EAR.

                      <?xml version="1.0" encoding="UTF-8"?>
                      <jboss>
                       <security-domain>java:jaas/webappDomain</security-domain>
                      
                       <!-- Sets default container configuration for all entity beans -->
                       <container-configurations>
                       <container-configuration>
                       <!--
                       <container-name>Standard CMP 2.x EntityBean</container-name>
                       -->
                       <container-name>Standard CMP 2.x EntityBean with cache invalidation</container-name>
                       <!-- Commit option A is already present for certain container configs -->
                       <commit-option>A</commit-option>
                       <!-- There are issues with cache invalidation and custom primary key classes. -->
                       <cache-invalidation>true</cache-invalidation>
                       <cache-invalidation-config>
                       <invalidation-group-name>webGroup</invalidation-group-name>
                       </cache-invalidation-config>
                       </container-configuration>
                       </container-configurations>
                      
                       <enterprise-beans>
                       <entity>
                       <ejb-name>AccountCategoryPricing</ejb-name>
                       <read-only>True</read-only>
                       </entity>
                       <entity>
                       <ejb-name>ProductData</ejb-name>
                       <read-only>True</read-only>
                       </entity>
                       </enterprise-beans>
                      </jboss>
                      


                      Any help would be appreciated.

                      • 8. Re: JBoss4.0 and JAAS/Login-config.xml
                        eschulma

                        As usual, after banging my head so long that I finally decide to post, the solution comes shortly afterward.

                        The main problem appears to have been that I had commented out some lines in the Tomcat SAR server.xml that refer to JAAS when JBoss was first installed, over 6 months ago. Not sure *why* I did that to begin with, but reverting back basically solved the problem, at least with respect to the web side of things.

                        It looks as though the security domain is first loaded into JNDI when an attempt is made to access the restricted web pages.

                        However, it still does not work for EJBs -- if I refer to the security domain in jboss.xml, the EJB deployments fail with the message "Unable to find security domain." Presumably though this is a dependency issue, and will be easier to solve (I hope).

                        • 9. Re: JBoss4.0 and JAAS/Login-config.xml
                          eschulma

                          And the final fix -- I should have put

                          java:/jaas/webappDomain


                          in jboss.xml rather than

                          java:jaas/webappDomain


                          Both forms actually work for jboss-web.xml, which is a little surprising.

                          Hope this helps someone.

                          • 10. Re: JBoss4.0 and JAAS/Login-config.xml
                            eschulma

                            I decided I should go a little further with this and check that the EJB security domain worked as expected rather than defaulting to "other", even though we aren't using EJB permissions yet.

                            It turns out the steps outlined previously work for securing the web pages of the app -- but to have the EJB security domain work as expected, in jboss.xml I need

                            <security-domain>webappDomain</security-domain>
                            


                            rather than the expected

                            <security-domain>java:/jaas/webappDomain</security-domain>
                            


                            I think this might explain problems like this:

                            http://forum.java.sun.com/thread.jspa?threadID=773530

                            Since this is contrary to the documentation, I would consider this a serious bug. I will open a JIRA case (though I don't have a good simple test case, I'm afraid.) I am running in clustered mode, could that possibly have anything to do with it?

                            • 11. Re: JBoss4.0 and JAAS/Login-config.xml
                              smokingapipe

                              I ran into exactly the same maddening problem, and came to the same conclusion: do not use java:/jaas in your security-domain in the beans jar. Use just the local part of the name. Kinda crazy getting this stuff to work sometimes.
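The checks this thread converges on (a <policy> root element, an <authentication> wrapper inside each application-policy, the java:/jaas/ prefix of a security-domain being stripped before the name is matched, and the silent fall-back to "other" when nothing matches), written up as an added Python script; it is not code from the thread or from JBoss. The two sample configs inside it are constructed, and the prefix handling assumes, as the replies above report, that java:/jaas/X and java:jaas/X both resolve to the bare policy name X.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape the posters above ended up with:
# a <policy> root, each domain wrapped in <authentication>, and an "other" fallback.
LOGIN_CONFIG_OK = """<?xml version='1.0'?>
<policy>
  <application-policy name="DbRealm">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/psfDS</module-option>
        <module-option name="principalsQuery">select passwd from users where username=?</module-option>
        <module-option name="rolesQuery">select role, 'Roles' from userroles where username=?</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="other">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>
"""

# Constructed sample reproducing the two structural mistakes discussed in the thread:
# no <policy> root element and no <authentication> wrapper around the login-module.
LOGIN_CONFIG_BROKEN = """<?xml version='1.0'?>
<application-policy name="jmx-console">
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
</application-policy>
"""

# Assumption from the thread: both spellings of the JNDI prefix map to the bare policy name.
JAAS_PREFIX = re.compile(r"^java:/?jaas/")


def load_policies(xml_text):
    """Return (policies, problems). policies maps each application-policy name to
    the list of login-module codes found under its <authentication> element."""
    policies, problems = {}, []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Several top-level <application-policy> elements with no <policy> root
        # are not well-formed XML at all ("junk after document element").
        return policies, ["not well-formed XML (missing <policy> root?): %s" % exc]
    if root.tag != "policy":
        problems.append("root element is <%s>, expected <policy>" % root.tag)
    candidates = [root] if root.tag == "application-policy" else root.findall("application-policy")
    for ap in candidates:
        name = ap.get("name")
        if not name:
            problems.append("application-policy without a name attribute")
            continue
        auth = ap.find("authentication")
        if auth is None:
            problems.append("policy %r has no <authentication> element" % name)
            continue
        codes = []
        for lm in auth.findall("login-module"):
            codes.append(lm.get("code", "?"))
            if lm.get("flag") not in ("required", "requisite", "sufficient", "optional"):
                problems.append("policy %r: login-module %s has no valid flag" % (name, lm.get("code")))
            # DatabaseServerLoginModule binds the username as the single query parameter,
            # so a principalsQuery/rolesQuery without a '?' placeholder cannot be right.
            for opt in lm.findall("module-option"):
                if opt.get("name") in ("principalsQuery", "rolesQuery") and "?" not in (opt.text or ""):
                    problems.append("policy %r: %s has no '?' placeholder" % (name, opt.get("name")))
        policies[name] = codes
    return policies, problems


def resolve_security_domain(policies, security_domain):
    """Map a <security-domain> value from jboss-web.xml or jboss.xml to the
    application-policy that will actually be used. Returns (policy_name, fell_back):
    fell_back is True when the name is unknown and "other" (or nothing at all) is used."""
    local = JAAS_PREFIX.sub("", security_domain)
    if local in policies:
        return local, False
    return ("other" if "other" in policies else None), True
```

Feed a real login-config.xml to load_policies and the security-domain strings from your deployment descriptors to resolve_security_domain: a (_, True) result is the "takes the policy other" symptom from the first post, and (None, True) is the "No LoginModules configured" case from reply 4.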