1 Reply Latest reply on Dec 9, 2004 11:44 AM by starksm64

How to handle extra JAAS callback

tcherel Dec 9, 2004 11:44 AM

I am currenlty "playing" around an NT JAAS login module for JBoss.

I managed to have a remote EJB client sending windows user name and password to the server via the JBoss client login module and the server authenticating the user against the windows domain.

I wanted to go one step further and pass the windows domain name as part of the login information (user, password and domain).

Obvioulsy, I can change the user name into a "domain name/user name", but I am curious to know what needs to be done to really add an extra Callback (like a TextInputCallback to ask for the windows domain) in the JBoss JAAS authentication process.

On the client side, it seems that I need to write my own ClientLoginModule to replace the default JBoss one. Is this correct?

The only other possiblity that I see is to create a client module that will be called before the JBoss one and that will create and populate a subject with the domain information. I am assuming that this subject will be passed along in the SecurityAssociation, so I can get it back on the server. Does it make sense?

On the server side, either the subject trick above is working and then I can get back the domain information in my login module, either I have to write a replacement for the SecurityAssociationHandler.

It seems a lot of work "just" to add an extra parameters to my login module. Am I missing something?

Thanks.

Thomas

1. SSLPeerUnverifiedException "Error getting client certs" jbos

starksm64 Dec 9, 2004 11:44 AM (in response to tcherel)

Basically, can not get jboss https to work.
It is not a browser issue since it can get https pages
from a vast number of website - its a jboss config issue.

Using JBoss-3.2.5

In
jboss/server/default/deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml

Note: 1) if one does not set the "SSLImplementation"
then it assumse one is using the "puretsl" implementation and if
one does not have it around, then one gets a class not found issue, and
2) the attribute name MUST be "SSLImplementation", it can not be, for
example, "sslImplementation" because jboss does not match setter/getter
methods by first lower-casing both strings ... no, jboss only lower-cases
the first character of the attribute name in the xml file....

Near the top of the log, the Digester reads all of the attributes:

2004-12-06 16:45:42,036 DEBUG [BeanUtils] jboss.web:service=WebServer
EmbeddedCatalina4.1.x -
BeanUtils.populate(org.apache.coyote.tomcat4.CoyoteServerSocketFactory@48f675,
{protocol=TLS, keystorePass=tc-ssl, clientAuth=false,
SSLImplementation=org.apache.tomcat.util.net.jsse.JSSEImplementation,
keystoreFile=/usr/local/ED/app/jboss/server/cs/conf/server.keystore,
className=org.apache.coyote.tomcat4.CoyoteServerSocketFactory})
From the log I get:

2004-12-06 16:46:15,850 INFO [Engine] - CoyoteConnector Coyote can't register
jmx for protocol
2004-12-06 16:46:15,867 INFO [Http11Protocol] - Starting Coyote HTTP/1.1 on
port 50080
2004-12-06 16:46:15,867 DEBUG [Http11Protocol] - Attribute soLinger: -1
2004-12-06 16:46:15,867 DEBUG [Http11Protocol] - Attribute soTimeout: 60000
2004-12-06 16:46:15,867 DEBUG [Http11Protocol] - Attribute serverSoTimeout: 0
2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute tcpNoDelay: true
2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute jkHome:
/usr/local/ED/app/jboss/server/default
2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute port: 50443
2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute maxThreads: 20
2004-12-06 16:46:15,869 DEBUG [Http11Protocol] - Attribute minSpareThreads: 5
2004-12-06 16:46:15,869 DEBUG [Http11Protocol] - Attribute maxSpareThreads: 5
2004-12-06 16:46:15,869 DEBUG [Http11Protocol] - Attribute backlog: 10
2004-12-06 16:46:15,870 DEBUG [Http11Protocol] - Attribute tcpNoDelay: true
2004-12-06 16:46:15,870 DEBUG [Http11Protocol] - Attribute soLinger: -1
2004-12-06 16:46:15,870 DEBUG [Http11Protocol] - Attribute soTimeout: 60000
2004-12-06 16:46:15,871 DEBUG [Http11Protocol] - Attribute timeout: 300000
2004-12-06 16:46:15,871 DEBUG [Http11Protocol] - Attribute serverSoTimeout: 0
2004-12-06 16:46:15,871 DEBUG [Http11Protocol] - Attribute
maxKeepAliveRequests: 100
2004-12-06 16:46:15,872 DEBUG [Http11Protocol] - Attribute
tomcatAuthentication: true
2004-12-06 16:46:15,872 DEBUG [Http11Protocol] - Attribute compression: off
2004-12-06 16:46:15,872 DEBUG [Http11Protocol] - Attribute address: /0.0.0.0
2004-12-06 16:46:15,873 DEBUG [Http11Protocol] - Attribute secure: true
2004-12-06 16:46:15,873 DEBUG [Http11Protocol] - Attribute algorithm: null
2004-12-06 16:46:15,874 DEBUG [Http11Protocol] - Attribute keystore:
/usr/local/ED/app/jboss/server/default/conf/server.keystore
2004-12-06 16:46:15,874 DEBUG [Http11Protocol] - Attribute randomfile:
/home/myhome/random.pem
2004-12-06 16:46:15,874 DEBUG [Http11Protocol] - Attribute rootfile:
/home/myhome/root.pem
2004-12-06 16:46:15,875 DEBUG [Http11Protocol] - Attribute keystoreType: JKS
2004-12-06 16:46:15,875 DEBUG [Http11Protocol] - Attribute protocol: TLS
2004-12-06 16:46:15,875 DEBUG [Http11Protocol] - Attribute sslImplementation:
org.apache.tomcat.util.net.jsse.JSSEImplementation
2004-12-06 16:46:16,091 DEBUG [JSSESocketFactory] - Truststore = null
2004-12-06 16:46:16,091 DEBUG [JSSESocketFactory] - TrustPass = tc-ssl
2004-12-06 16:46:16,091 DEBUG [JSSESocketFactory] - trustType = JKS

Note that the keystore was picked up from the jboss-service.xml
file.
Also, note that the "clientAuth" was not picked up!!!!!!!

I assume that this is printed by code in the class
org/apache/coyote/tomcat4/CoyoteConnector.java:
IntrospectionUtils.setProperty(protocolHandler, "jkHome",
System.getProperty("catalina.base"));

// Set attributes
IntrospectionUtils.setProperty(protocolHandler, "port", "" + port);
IntrospectionUtils.setProperty(protocolHandler, "maxThreads",
"" + maxProcessors);
IntrospectionUtils.setProperty(protocolHandler, "minSpareThreads",
"" + minProcessors);
IntrospectionUtils.setProperty(protocolHandler, "maxSpareThreads",
"" + maxSpareProcessors);
IntrospectionUtils.setProperty(protocolHandler, "backlog",
"" + acceptCount);
IntrospectionUtils.setProperty(protocolHandler, "tcpNoDelay",
"" + tcpNoDelay);
IntrospectionUtils.setProperty(protocolHandler, "soLinger",
"" + connectionLinger);
IntrospectionUtils.setProperty(protocolHandler, "soTimeout",
"" + connectionTimeout);
IntrospectionUtils.setProperty(protocolHandler, "timeout",
"" + connectionUploadTimeout);
IntrospectionUtils.setProperty(protocolHandler, "serverSoTimeout",
"" + serverSocketTimeout);
IntrospectionUtils.setProperty(protocolHandler, "disableUploadTimeout",
"" + disableUploadTimeout);
IntrospectionUtils.setProperty(protocolHandler, "maxKeepAliveRequests",
"" + maxKeepAliveRequests);
IntrospectionUtils.setProperty(protocolHandler, "tomcatAuthentication",
"" + tomcatAuthentication);
IntrospectionUtils.setProperty(protocolHandler, "compression",
compression);
if (address != null) {
IntrospectionUtils.setProperty(protocolHandler, "address",
address);
}

// Configure secure socket factory
if (factory instanceof CoyoteServerSocketFactory) {
IntrospectionUtils.setProperty(protocolHandler, "secure",
"" + true);
CoyoteServerSocketFactory ssf =
(CoyoteServerSocketFactory) factory;
IntrospectionUtils.setProperty(protocolHandler, "algorithm",
ssf.getAlgorithm());
IntrospectionUtils.setProperty(protocolHandler, "clientauth",
ssf.getClientAuth());
IntrospectionUtils.setProperty(protocolHandler, "keystore",
ssf.getKeystoreFile());
IntrospectionUtils.setProperty(protocolHandler, "randomfile",
ssf.getRandomFile());
IntrospectionUtils.setProperty(protocolHandler, "rootfile",
ssf.getRootFile());

IntrospectionUtils.setProperty(protocolHandler, "keypass",
ssf.getKeystorePass());
IntrospectionUtils.setProperty(protocolHandler, "keytype",
ssf.getKeystoreType());
IntrospectionUtils.setProperty(protocolHandler, "protocol",
ssf.getProtocol());
IntrospectionUtils.setProperty(protocolHandler,
"sSLImplementation",
ssf.getSSLImplementation());
} else {
IntrospectionUtils.setProperty(protocolHandler, "secure",
"" + false);
}

Again, note that the "clientauth" value is not printed.

Finally, when the brower is pointed at:

https://myhost:50443/jmx-console

the following appears in the log:

2004-12-06 16:46:58,298 DEBUG [JSSE14Support] - Error getting client certs
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at
com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(DashoA12275)
at
org.apache.tomcat.util.net.jsse.JSSE14Support.getX509Certificates(JSSE14Support.java:151)
at
org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:166)
at
org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1007)
at org.apache.coyote.Response.action(Response.java:226)
at
org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
at
org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:197)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:833)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:711)
at
org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:687)
at java.lang.Thread.run(Thread.java:534)
2004-12-06 16:46:58,325 INFO [Engine] - StandardHost[localhost]: MAPPING
configuration error for request URI
2004-12-06 16:46:58,326 INFO [Engine] - StandardHost[localhost]: MAPPING
configuration error for request URI

If you do not have logging set to DEBUG, all you get is the "MAPPING"
INFO log ...

So, the Http11Processor in its "action" method is has been passed
the value "ActionCode.ACTION_REQ_SSL_CERTIFICATE".

Please, whats going on?
How does one tell jboss to look at the "clientAuth=false" attribute?

Thanks

One would think that accessing JBoss via https would be easier to configure.
Actions