6 Replies Latest reply on Aug 17, 2005 10:30 AM by shin.tai

    Basic Auth not propagating Security

    shin.tai

      Hi all,

      I'm porting an application to JBoss that uses basic authentication. I have classes that are exposed as webservices; they implement the Remote and the ServiceLifecycle interfaces. From here I need to pull the username and password from the Authorization header and do some 'manual' validation.

      I wrote a simple application to test and it works just fine. I generate a client from the wsdl, make the call with an Authorization header set and I get a response back.

      My jboss-web.xml

      <jboss-web>
        <security-domain>java:/jaas/mymail</security-domain>
      </jboss-web>


      My web.xml

      <servlet>
        <servlet-name>MailServlet</servlet-name>
        <servlet-class>org.mytest.impl.CheckMail</servlet-class>
      </servlet>

      <servlet-mapping>
        <servlet-name>MailServlet</servlet-name>
        <url-pattern>/check</url-pattern>
      </servlet-mapping>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>mymail</realm-name>
      </login-config>


      And my code in CheckMail.java

      import org.jboss.security.SecurityAssociation;

      // Inside the service method of CheckMail: JBoss stores the caller's identity
      // in a thread-local SecurityAssociation after the container authenticates it.
      Object a = SecurityAssociation.getCredential(); // the password the caller sent
      Object b = SecurityAssociation.getPrincipal();  // SimplePrincipal for the user

      System.err.println("credential " + a);
      System.err.println("principal " + b);
      


      And that works just fine. But when I apply the changes to my application the credential and principal objects are null. I attached a debugger to SecurityAssociation to see if they were being cleared but it looked like the set methods weren't being called at all. I realise it's difficult to say what's going on without seeing the actual application being ported but any help about where I should start looking would be appreciated.

      I wasn't involved in the installation of JBoss so it's possible there's a constraint set somewhere on the application preventing it from propagating the details over but not for my test application which was deployed in the same server instance.

      Many Thanks

        • 1. Re: Basic Auth not propagating Security
          shin.tai

          Ahh I forgot to mention in my web.xml, I also have

          <security-constraint>
            <web-resource-collection>
              <web-resource-name>anything</web-resource-name>
              <url-pattern>/*</url-pattern>
            </web-resource-collection>
          </security-constraint>




          • 2. Re: Basic Auth not propagating Security
            niwhsa

            Make sure you include the ClientLoginModule in the "mymail" authentication domain. This should help propagate the principal.

            • 3. Re: Basic Auth not propagating Security
              shin.tai

               

              "niwhsa" wrote:
              Make sure you include the ClientLoginModule in the "mymail" authentication domain. This should help propagate the principal.


              Thanks but that didn't make a difference. I added the following to my login-config.xml (even to default as well just to be on the safe side):

              <application-policy name="mymail">
                <authentication>
                  <login-module code="org.jboss.security.ClientLoginModule"
                                flag="required">
                  </login-module>
                </authentication>
              </application-policy>


              • 4. Re: Basic Auth not propagating Security
                starksm64

                If that is really the extent of your web.xml security-constraint you have no authentication/authorization required.
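
                The point above, shown as an added configuration example (not from the original thread): the first security-constraint is the one posted in reply 1, the second is a corrected version. Without an auth-constraint the container treats /* as public, never sends a 401 challenge and never invokes the security domain, so SecurityAssociation is left empty regardless of which login modules are configured. The role name MailUser is an assumption; it must be a role that the server-side login module assigns. Note also that org.jboss.security.ClientLoginModule does not verify credentials at all, it only copies them into SecurityAssociation, so a server-side policy containing only that module would accept any password.

```xml
<!-- As posted: a web-resource-collection with no auth-constraint.
     Every URL under /* stays unprotected; no challenge, no login, no principal. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>anything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- Corrected: the auth-constraint makes the container require BASIC auth for /*
     and populate the principal before the servlet runs. Role name is assumed. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>anything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>MailUser</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>MailUser</role-name>
</security-role>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>mymail</realm-name>
</login-config>
```

A quick check from the client side: requesting /check with no Authorization header should now return 401 with a WWW-Authenticate: Basic realm="mymail" header; if it returns 200, the constraint is still not in force.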

                • 5. Re: Basic Auth not propagating Security
                  shin.tai

                   

                  "scott.stark@jboss.org" wrote:
                  If that is really the extent of your web.xml security-constraint you have no authentication/authorization required.


                  That's right, it's more in there for completeness than anything else.

                  In my sample application having the security constraint makes no difference. I'm still able to pull out the principal and credential from SecurityAssociation.

                  I read the security faq and followed the advice to turn up the logging. It looks like the principal and credential aren't being set at all in SecurityAssociation in the application that I'm porting to JBoss.

                  Thanks

                  • 6. Re: Basic Auth not propagating Security
                    shin.tai

                    Didn't figure out what was going wrong, but found another way.

                    axis-config uses the HTTPAuthHandler to take the username/password from the Authorization header and insert it into its MessageContext.

                    Get the username/password back using:

                    import org.apache.axis.MessageContext;

                    // Axis's HTTPAuthHandler has already decoded the Basic Authorization
                    // header and stored the pair on the per-request MessageContext.
                    MessageContext ctx = MessageContext.getCurrentContext();

                    String username = ctx.getUsername();
                    String password = ctx.getPassword();


                    Cheers,
                    Shin
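
                    The "manual validation" the original post asks for, as an added example rather than code from the thread or from JBoss/Axis: a servlet that decodes the Basic Authorization header itself and issues its own 401 challenge, so it works whether or not the container has populated SecurityAssociation. It assumes Java 8+ (java.util.Base64) and the javax.servlet API; the class name, the constructed in-memory user table and the password value are illustration only.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the poster's CheckMail): authenticates the caller from the
 * Authorization header directly instead of relying on SecurityAssociation.
 */
public class BasicAuthCheckMail extends HttpServlet {

    private static final String REALM = "mymail";

    // Constructed sample credential store for this example only; a real
    // deployment would compare against a salted hash, never a cleartext password.
    private static final Map<String, String> USERS =
            Collections.singletonMap("shin", "s3cret");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String[] creds = parseBasic(req.getHeader("Authorization"));
        if (creds == null || !checkPassword(creds[0], creds[1])) {
            // Without this challenge most clients never send credentials at all,
            // which is the symptom seen when web.xml has no auth-constraint.
            resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("checking mail for " + creds[0]);
    }

    /** Returns {user, password}, or null if the header is absent or malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;                                  // missing, or a different scheme
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null;                                  // not valid base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;                                  // no user:password separator
        }
        // Split on the FIRST colon: the user-id may not contain ':', the password may.
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /** Constant-time comparison so a wrong guess does not leak how many bytes matched. */
    static boolean checkPassword(String user, String password) {
        String expected = USERS.get(user);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }
}
```

                    If an auth-constraint covering this servlet is also present in web.xml, the container's BASIC login runs first and the servlet only sees requests that already passed it; the header is still available to the servlet, so the two approaches can coexist.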