1 Reply Latest reply on Jul 21, 2005 7:06 AM by ahardy66

    Can't load user roles

    michel.bertrand

      Hi !

      I'm using JBoss + Customized JAAS Module. I tried twice, once extending LoginModule directly and then AbstractServerLoginModule. In both cases I have my modules running. They initialize, login and commit.

      But when I access a protected URI my application always fails with an unauthorized error although I have loaded all user roles needed.

      My login should allow access to any user of role "Teste". Check the code below, it's part of my LoginModule class, it is extending AbstractServerLoginModule:

      /**
       * @see javax.security.auth.spi.LoginModule#login()
       */
      public boolean login() throws LoginException {
          System.out.println("Login do Modulo TestLoginModule.");

          char[] password = null;

          Callback[] callbacks = new Callback[2];
          callbacks[0] = new NameCallback("Usuário: ");
          callbacks[1] = new PasswordCallback("Senha: ", false);

          try {
              callbackHandler.handle(callbacks);
              this.username = ((NameCallback) callbacks[0]).getName();
              char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
              if (tmpPassword == null) {
                  // treat a NULL password as an empty password
                  tmpPassword = new char[0];
              }
              password = new char[tmpPassword.length];
              System.arraycopy(tmpPassword, 0,
                      password, 0, tmpPassword.length);
              ((PasswordCallback) callbacks[1]).clearPassword();
          } catch (java.io.IOException ioe) {
              throw new LoginException(ioe.toString());
          } catch (UnsupportedCallbackException uce) {
              throw new LoginException("Erro: " + uce.getCallback().toString() +
                      " nao foi possivel obter as informacoes do usuario.");
          }

          System.out.println("Username = " + this.username);
          // The password is not printed: credentials must not reach stdout or the server log.

          try {
              this.principal = super.createIdentity(username);
          } catch (Exception e) {
              System.out.println("Erro ao criar principal para o usuario: " + username);
              System.out.println("Mensagem : " + e.getMessage());
              return false;
          }

          return true;
      }

      /**
       * @see javax.security.auth.spi.LoginModule#commit()
       */
      public boolean commit() throws LoginException {
          System.out.println("Commit.");
          if (this.principal == null) {
              return false;
          }

          super.subject.getPrincipals().add(this.principal);
          Principal teste = new Teste("Teste");
          super.subject.getPrincipals().add(teste);

          this.roleSets = new Group[2];
          this.roleSets[0] = super.createGroup("Roles", super.subject.getPrincipals());
          this.roleSets[1] = super.createGroup("CallerPrincipal", super.subject.getPrincipals());

          return true;
      }

      /**
       * @see org.jboss.security.auth.spi.AbstractServerLoginModule#getIdentity()
       */
      protected Principal getIdentity() {
          return this.principal;
      }

      /**
       * @see org.jboss.security.auth.spi.AbstractServerLoginModule#getRoleSets()
       */
      protected Group[] getRoleSets() throws LoginException {
          return this.roleSets;
      }



      I have only one security role called "Teste" in my deploy descriptor and a security constraint allowing access only for users of "Teste" role for my application. Since "Teste" role is loaded for all users, everybody should have access.

      Did I miss something? What's wrong? Why HTTP status 403 - Access Denied?

      Thanks in advance !
      Michel.

        • 1. Re: Can't load user roles
          ahardy66

          Michel,
          I had a similar problem about a year ago with v3.2.5. I don't know if it is the same problem, or if the solution is still valid - I am currently unable to get JAAS working in JBoss 4 at the moment. Here is the code I have:

          I have this.roles as a member variable arraylist which I fill earlier.

          protected Group[] getRoleSets()
                  throws LoginException
          {
              if (this.roles == null)
                  throw new LoginException("null roles!");
              log.trace("getRoleSets() returning "
                      + this.roles.toString());
              Group[] groups = new Group[1];
              Set principals = super.subject.getPrincipals();
              if (principals == null)
                  throw new LoginException("principals == null!");
              // next line creates NestedGroup - tomcat doesn't see it
              // groups[0] = super.createGroup("Roles", principals);
              // next 2 lines instead of JBoss superclass:
              groups[0] = new SimpleGroup("Roles");
              principals.add(groups[0]);
              for (int x = 0; x < roles.size(); x++)
              {
                  GargantusRole role = (GargantusRole) this.roles.get(x);
                  groups[0].addMember(new NestablePrincipal(role.getName()));
              }
              log.trace("adding our roles to subject");
              return groups;
          }
          


          If you put logging statements in your current class, I think you will find that your roles are just disappearing, so using the above to override should help.
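
Following the reply's logging suggestion, this added example (not code from either poster or from JBoss) lists which role names are actually members of a Subject's "Roles" group. `RoleDump`, `Name` and `Grp` are constructed stand-ins for the thread's principal classes; it assumes a JDK that still ships `java.security.acl.Group` (JDK 13 or earlier) and that role checks read the members of the group named "Roles".

```java
import java.security.Principal;
import java.security.acl.Group; // the Group type used by the code in this thread
import java.util.*;
import javax.security.auth.Subject;

public class RoleDump {
    // Constructed stand-ins for the thread's principal and group classes.
    static class Name implements Principal {
        final String name;
        Name(String n) { name = n; }
        public String getName() { return name; }
    }
    static class Grp extends Name implements Group {
        final Set<Principal> set = new LinkedHashSet<>();
        Grp(String n) { super(n); }
        public boolean addMember(Principal p) { return set.add(p); }
        public boolean removeMember(Principal p) { return set.remove(p); }
        public boolean isMember(Principal p) { return set.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(set); }
    }

    // Names of the members of the Subject's "Roles" group: what a role check can see.
    static Set<String> rolesOf(Subject s) {
        Set<String> out = new TreeSet<>();
        for (Group g : s.getPrincipals(Group.class)) {
            if (!"Roles".equals(g.getName())) continue;
            for (Enumeration<? extends Principal> e = g.members(); e.hasMoreElements();)
                out.add(e.nextElement().getName());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed case 1: "Teste" added directly to the Subject, beside a "Roles" group with no members.
        Subject beside = new Subject();
        beside.getPrincipals().add(new Name("michel"));
        beside.getPrincipals().add(new Name("Teste"));
        beside.getPrincipals().add(new Grp("Roles"));
        // Constructed case 2: "Teste" added as a member of "Roles", as the reply's addMember loop does.
        Subject member = new Subject();
        member.getPrincipals().add(new Name("michel"));
        Grp roles = new Grp("Roles");
        roles.addMember(new Name("Teste"));
        member.getPrincipals().add(roles);
        System.out.println("role beside group: " + rolesOf(beside));
        System.out.println("role inside group: " + rolesOf(member));
    }
}
```

Calling an equivalent of `rolesOf(subject)` at the end of `commit()` and writing the result to the trace log shows whether "Teste" ever reaches the group.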