2 Replies Latest reply on Aug 5, 2005 2:44 AM by peterbuus

    Extra call of LoginModule

    peterbuus

      Hi

      JBoss 4.0.2

      I have written a custom LoginModule with a custom CallbackHandler, which I use to create a stateful session EJB.
      When my HTTP session times out I would like to remove this EJB.
      Thus I have saved the actual CallbackHandler in the HTTP session and made a SessionListener:
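      public void valueUnbound(HttpSessionBindingEvent event) {
          try {
              // Re-authenticate with the CallbackHandler saved in the HTTP session
              javax.security.auth.login.LoginContext loginContext =
                      new javax.security.auth.login.LoginContext("tdc", savedCallbackHandler());
              loginContext.login();
              System.out.println("Logged in again");
              // Remove the stateful session EJB
              savedEjbHandle.remove();
              System.out.println("Cleaned up session");
          } catch (Exception e) {
              // login() and remove() throw checked exceptions that valueUnbound cannot propagate
              e.printStackTrace(System.out);
          }
      }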


      In the console log I can see that the SessionListener does a successful login using the savedCallbackHandler, but the subsequent call to
      savedEjbHandle.remove somehow initiates an extra call to my LoginModule with a CallbackHandler with no information, i.e. username and credentials are not available.
      Any ideas?

      /Peter



      The stacktrace of the extra LoginModule call follows:

      15:39:07,094 DEBUG [LogInterceptor] SecurityException in method: public abstract void javax.ejb.EJBObject.remove() throws java.rmi.RemoteException,javax.ejb.RemoveException:
      javax.security.auth.login.LoginException: Username not supplied.
      at dk.certifikat.jboss.security.CertLoginModule.getUserName(CertLoginModule.java:153)
      at dk.certifikat.jboss.security.CertLoginModule.login(CertLoginModule.java:83)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
      at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:483)
      at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:425)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:251)
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:180)
      at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:129)
      at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:185)
      at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:48)
      at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:105)
      at org.jboss.ejb.plugins.AbstractTxInterceptorBMT.invokeNext(AbstractTxInterceptorBMT.java:153)
      at org.jboss.ejb.plugins.TxInterceptorBMT.invoke(TxInterceptorBMT.java:62)
      at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invoke(StatefulSessionInstanceInterceptor.java:297)
      at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:192)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
      at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:624)
      at org.jboss.ejb.Container.invoke(Container.java:873)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:249)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
      at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:155)
      at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:104)
      at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:179)
      at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:165)
      at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46)
      at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:55)
      at org.jboss.proxy.ejb.StatefulSessionInterceptor.invoke(StatefulSessionInterceptor.java:106)
      at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:86)
      at $Proxy61.remove(Unknown Source)
      at infra.servlet.SessionListener.valueUnbound(SessionListener.java:54)
      at org.apache.catalina.session.StandardSession.removeAttributeInternal(StandardSession.java:1595)
      at org.apache.catalina.session.StandardSession.expire(StandardSession.java:727)
      at org.apache.catalina.session.StandardSession.isValid(StandardSession.java:567)
      at org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:655)
      at org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:640)
      at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1283)
      at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1568)
      at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1577)
      at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1577)
      at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1557)
      at java.lang.Thread.run(Thread.java:534)
      15:39:07,094 INFO [STDOUT] java.rmi.AccessException: SecurityException; nested exception is:
      javax.security.auth.login.LoginException: Username not supplied.
      15:39:07,094 INFO [STDOUT] at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:370)
      15:39:07,094 INFO [STDOUT] at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:196)
      15:39:07,094 INFO [STDOUT] at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
      15:39:07,094 INFO [STDOUT] at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:624)
      15:39:07,094 INFO [STDOUT] at org.jboss.ejb.Container.invoke(Container.java:873)
      15:39:07,094 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      15:39:07,094 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      15:39:07,094 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      15:39:07,094 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:324)
      15:39:07,094 INFO [STDOUT] at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
      15:39:07,094 INFO [STDOUT] at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
      15:39:07,094 INFO [STDOUT] at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
      15:39:07,094 INFO [STDOUT] at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:249)
      15:39:07,094 INFO [STDOUT] at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
      15:39:07,094 INFO [STDOUT] at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:155)
      15:39:07,094 INFO [STDOUT] at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:104)
      15:39:07,094 INFO [STDOUT] at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:179)
      15:39:07,094 INFO [STDOUT] at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:165)
      15:39:07,094 INFO [STDOUT] at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46)
      15:39:07,094 INFO [STDOUT] at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:55)
      15:39:07,094 INFO [STDOUT] at org.jboss.proxy.ejb.StatefulSessionInterceptor.invoke(StatefulSessionInterceptor.java:106)
      15:39:07,094 INFO [STDOUT] at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:86)
      15:39:07,094 INFO [STDOUT] at $Proxy61.remove(Unknown Source)
      15:39:07,094 INFO [STDOUT] at infra.servlet.SessionListener.valueUnbound(SessionListener.java:54)
      15:39:07,094 INFO [STDOUT] at org.apache.catalina.session.StandardSession.removeAttributeInternal(StandardSession.java:1595)
      15:39:07,094 INFO [STDOUT] at org.apache.catalina.session.StandardSession.expire(StandardSession.java:727)
      15:39:07,094 INFO [STDOUT] at org.apache.catalina.session.StandardSession.isValid(StandardSession.java:567)
      15:39:07,094 INFO [STDOUT] at org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:655)
      15:39:07,094 INFO [STDOUT] at org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:640)
      15:39:07,104 INFO [STDOUT] at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1283)
      15:39:07,104 INFO [STDOUT] at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1568)
      15:39:07,104 INFO [STDOUT] at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1577)
      15:39:07,104 INFO [STDOUT] at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1577)
      15:39:07,104 INFO [STDOUT] at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1557)
      15:39:07,104 INFO [STDOUT] at java.lang.Thread.run(Thread.java:534)
      15:39:07,104 INFO [STDOUT] Caused by: javax.security.auth.login.LoginException:
      Username not supplied.
      15:39:07,104 INFO [STDOUT] at dk.certifikat.jboss.security.CertLoginModule.getUserName(CertLoginModule.java:153)
      15:39:07,104 INFO [STDOUT] at dk.certifikat.jboss.security.CertLoginModule.login(CertLoginModule.java:83)
      15:39:07,104 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      15:39:07,104 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      15:39:07,104 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      15:39:07,104 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:324)
      15:39:07,104 INFO [STDOUT] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
      15:39:07,104 INFO [STDOUT] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
      15:39:07,104 INFO [STDOUT] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
      15:39:07,104 INFO [STDOUT] at java.security.AccessController.doPrivileged(Native Method)
      15:39:07,104 INFO [STDOUT] at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
      15:39:07,104 INFO [STDOUT] at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
      15:39:07,104 INFO [STDOUT] at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:483)
      15:39:07,104 INFO [STDOUT] at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:425)
      15:39:07,104 INFO [STDOUT] at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:251)
      15:39:07,104 INFO [STDOUT] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:180)
      15:39:07,104 INFO [STDOUT] at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:129)
      15:39:07,104 INFO [STDOUT] at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:185)
      15:39:07,104 INFO [STDOUT] at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:48)
      15:39:07,104 INFO [STDOUT] at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:105)
      15:39:07,104 INFO [STDOUT] at org.jboss.ejb.plugins.AbstractTxInterceptorBMT.invokeNext(AbstractTxInterceptorBMT.java:153)
      15:39:07,104 INFO [STDOUT] at org.jboss.ejb.plugins.TxInterceptorBMT.invoke(TxInterceptorBMT.java:62)
      15:39:07,104 INFO [STDOUT] at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invoke(StatefulSessionInstanceInterceptor.java:297)
      15:39:07,104 INFO [STDOUT] at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:192)
      15:39:07,104 INFO [STDOUT] ... 34 more

        • 1. Re: Extra call of LoginModule
          starksm64

          What in this call stack should be establishing the security context of the caller? It's not going to be the web container, as there is no security context for a session expiration callback.

          • 2. Re: Extra call of LoginModule
            peterbuus

            I found the cause of the error:

            Always remember to include
            <login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>
            in your login.conf when accessing EJBs from external clients.
            This is somehow done automatically when the LoginContext is established through HTTP invocation.

            Maybe the documentation should be more explicit about that.

            /Peter
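
The fix from this thread applied to the session listener, as an added example that is not code from either poster: the policy stacks `ClientLoginModule` after the custom module, and the listener logs out again once the bean is removed. The class name `EjbCleanupListener`, its constructor, its fields and the `login-config.xml` layout are assumptions; the policy name `tdc` and the module class names come from the posts and the stack trace.

```java
import javax.ejb.EJBObject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/*
 * Assumed "tdc" policy entry (e.g. in JBoss's conf/login-config.xml):
 *
 *   <application-policy name="tdc">
 *     <authentication>
 *       <login-module code="dk.certifikat.jboss.security.CertLoginModule" flag="required"/>
 *       <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
 *     </authentication>
 *   </application-policy>
 *
 * CertLoginModule authenticates; ClientLoginModule then publishes the caller
 * identity that the EJB proxy's SecurityInterceptor sends with each call.
 */
public class EjbCleanupListener implements HttpSessionBindingListener {
    private final CallbackHandler handler; // hypothetical: handler saved at login time
    private final EJBObject bean;          // hypothetical: the stateful session bean

    public EjbCleanupListener(CallbackHandler handler, EJBObject bean) {
        this.handler = handler;
        this.bean = bean;
    }

    public void valueBound(HttpSessionBindingEvent event) { }

    public void valueUnbound(HttpSessionBindingEvent event) {
        LoginContext lc = null;
        try {
            lc = new LoginContext("tdc", handler);
            lc.login();    // identity is now attached to outgoing EJB invocations
            bean.remove(); // the server-side security check sees a real caller
        } catch (Exception e) {
            e.printStackTrace(); // valueUnbound cannot propagate checked exceptions
        } finally {
            if (lc != null) {
                // Clear the identity again, whether or not remove() succeeded
                try { lc.logout(); } catch (LoginException ignored) { }
            }
        }
    }
}
```

The `logout()` in `finally` matters here because, as the stack trace shows, session expiry runs on Tomcat's `ContainerBackgroundProcessor` thread, which is reused for later expirations and should not keep the last user's identity attached.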