2 Replies Latest reply on Feb 15, 2005 2:21 PM by john_anderson_ii

    Wrong LoginModule?

    john_anderson_ii

      Hello all. I'm brand new to JBoss Security and JAAS, so I'll just jump right in here.

      I have a simple application and a simple JSP. I want to secure access to the JSP based on a role. The role that should be able to access the JSP (report.jsp) is "userAdmin".

      To the jboss-web.xml I've added:

      <security-domain>java:/jaas/kickstart</security-domain>
      


      To the web.xml I've added:

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>HtmlAdaptor</web-resource-name>
           <description>Allow userAdmin(s) access to report.jsp</description>
           <url-pattern>/report.jsp</url-pattern>
         </web-resource-collection>
         <auth-constraint>
           <role-name>userAdmin</role-name>
         </auth-constraint>
       </security-constraint>

       <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>Kickstart</realm-name>
       </login-config>

       <security-role>
         <role-name>userAdmin</role-name>
       </security-role>


      To the login-config.xml I've added:

       <application-policy name="kickstart">
         <authentication>
           <login-module code="com.ccbill.kickstart.support.auth.CCBLoginModule" flag="required">
           </login-module>
         </authentication>
       </application-policy>



      The CCBLoginModule code I have written by implementing LoginModule, and I'm deploying it with the application (i.e. this code is bundled in the .ear).

      When I try to access http://host:443/kickstart/report.jsp I get prompted with a standard login dialogue. However, when I OK that dialogue I don't get authenticated. After looking at the logs I discovered why:

      2005-02-14 14:47:04,102 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /kickstart/report.jsp
      2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /report.jsp --> true
      2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
      2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
      2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
      2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.realm.JAASRealm] Authenticating jboss.web admin
      2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.realm.JAASRealm] Login context created admin
      2005-02-14 14:47:04,111 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=admin
      2005-02-14 14:47:04,112 DEBUG [org.apache.catalina.realm.JAASRealm] Username admin NOT authenticated due to failed login
      2005-02-14 14:47:04,112 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
      2005-02-14 14:47:08,190 DEBUG [org.apache.coyote.http11.Http11Protocol] IOException reading request
      


      According to the log, specifically the "[org.jboss.security.auth.spi.UsersRolesLoginModule]" line, JBoss is still using UsersRolesLoginModule to authenticate report.jsp. I've looked into it, and it looks like this module is set to fire when the "other" security domain is invoked, but I've deployed my application to use the kickstart security domain. What am I missing in the way of configuration to make JBoss use the kickstart security domain?

      Thanks in advance for straightening me out.

        • 1. Re: Wrong LoginModule?
          john_anderson_ii

          Actually, I've identified the problem, but I still don't have a solution. It seems that every web app, including jmx-console and web-console, is authenticating using the "other" entry in login-config.xml. I know this because when I comment out the <application-policy name="web-console"> section of the login-config.xml nothing changes. When I comment out the <application-policy name="other"> section I get an exception "no LoginModule found for Jboss.Web".

          What could cause jmx-console, web-console and my application to use the LoginModule in the "other" section instead of the login module specified by the <application-policy> section corresponding to their <security-domain>?

          • 2. Re: Wrong LoginModule?
            john_anderson_ii

            I'm not sure what the problem was, but every single one of the security domains was definitely using the "other" entry in login-config.xml. I was 99% sure this was due to some configuration error of mine, though I couldn't find it. I ended up re-installing JBoss and starting the configuration from scratch. It works like a champ now.
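The fall-through seen in this thread is standard JAAS behaviour: LoginContext uses the "other" entry whenever the JVM-wide Configuration has no entry for the requested name, so the kickstart application silently ends up being authenticated by UsersRolesLoginModule and its users.properties/roles.properties instead of CCBLoginModule. The following diagnostic is an added example, not code from the thread or from JBoss; it assumes it is run inside the JBoss JVM (e.g. from a servlet or JSP scriptlet) after login-config.xml has been installed as the JAAS Configuration, and the class name LoginConfigCheck is hypothetical.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Added diagnostic (hypothetical class, not part of the thread). Assumes the JVM-wide
// JAAS Configuration is the one JBoss built from login-config.xml.
public class LoginConfigCheck {

    /** Describes which login modules will actually run for the given security domain. */
    public static String describe(String domain) {
        Configuration config = Configuration.getConfiguration();
        AppConfigurationEntry[] entries = config.getAppConfigurationEntry(domain);
        StringBuffer sb = new StringBuffer();
        if (entries == null || entries.length == 0) {
            // No entry for this name: LoginContext silently falls back to "other",
            // which is exactly the symptom reported above.
            sb.append("No entry for '").append(domain)
              .append("': LoginContext will fall back to 'other'\n");
            entries = config.getAppConfigurationEntry("other");
            if (entries == null || entries.length == 0) {
                return sb.append("No 'other' entry either; every login would fail\n").toString();
            }
            sb.append("Modules that will actually run:\n");
        } else {
            sb.append("Modules bound to '").append(domain).append("':\n");
        }
        for (int i = 0; i < entries.length; i++) {
            sb.append("  ").append(entries[i].getLoginModuleName())
              .append(" flag=").append(entries[i].getControlFlag())
              .append(" options=").append(entries[i].getOptions()).append('\n');
        }
        return sb.toString();
    }

    /** True when the domain is, intentionally or not, served by the properties-file module. */
    public static boolean usesDefaultUsersRoles(String domain) {
        return describe(domain).indexOf("org.jboss.security.auth.spi.UsersRolesLoginModule") >= 0;
    }

    public static void main(String[] args) {
        String domain = args.length > 0 ? args[0] : "kickstart";
        System.out.print(describe(domain));
        if (usesDefaultUsersRoles(domain)) {
            System.out.println("WARNING: '" + domain + "' is authenticated by users.properties");
        }
    }
}
```

If describe("kickstart") reports a fall-back to "other", the kickstart application-policy was never registered, and the check for jmx-console and web-console shows whether the problem is one policy or, as in this thread, the whole login-config.xml.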