2 Replies Latest reply on Aug 22, 2005 10:11 AM by juserp

    JBOSS basic auth login popped even after using only Custom L

    juserp

      Hello,
      I have implemented a custom LoginModule that sets the Subject with a Principal and roles. In the config file, for the security domain used by the application, I have set only this LoginModule and it is set to REQUIRED. However, after returning from my LoginModule I do not get direct access to the protected resource; I am still prompted for login.
      Am I missing something?

      Thanks,



        • 1. Re: JBOSS basic auth login popped even after using only Cust
          juserp

          Since the AuthenticatorBase was invoking the BASIC login, I tried setting the request.userPrincipal in my valve. After doing this I no longer get the login prompt; however, it fails with the following exception:

          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /jmx-console/
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.jsp --> true
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.jsp --> true
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.authenticator.BasicAuthenticator] Already authenticated 'ORCLADMIN'
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles ORCLADMIN
          2005-08-22 19:14:57,688 ERROR [org.apache.catalina.connector.CoyoteAdapter] An exception or error occurred in the container during the request processing
          java.lang.NullPointerException
          at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.hasRole(JBossSecurityMgrRealm.java:286)
          at org.apache.catalina.realm.RealmBase.hasResourcePermission(RealmBase.java:763)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:464)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
          at my.sso.MyValve.invoke(MyValve.java:99)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
          at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:307)
          at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:385)
          at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:748)
          at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:678)
          at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:871)
          at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)


          Kindly guide me on what I am doing wrong/missing?

          • 2. Re: JBOSS basic auth login popped even after using only Cust
            juserp

            My LoginModule code is:

            /*
             * Test OSSO LoginModule
             */
            package my.sso;

            import java.security.Principal;
            import java.security.acl.Group;
            import java.util.Map;

            import javax.security.auth.Subject;
            import javax.security.auth.callback.Callback;
            import javax.security.auth.callback.CallbackHandler;
            import javax.security.auth.callback.NameCallback;
            import javax.security.auth.callback.UnsupportedCallbackException;
            import javax.security.auth.login.FailedLoginException;
            import javax.security.auth.login.LoginException;

            import org.jboss.security.SimpleGroup;
            import org.jboss.security.SimplePrincipal;
            import org.jboss.security.auth.spi.AbstractServerLoginModule;

            /** An implementation of AbstractServerLoginModule that imposes
             * an identity == HeaderVar REMOTE_USER on the login process.
             * The username delivered through the NameCallback is accepted as-is;
             * no credential is checked here, so the value must come from the
             * trusted SSO front end and never straight from the client.
             */
            public class OSSOLoginModule extends AbstractServerLoginModule
            {
               /** The login identity */
               private Principal identity;

               public OSSOLoginModule()
               {
                  System.out.println("Inside OSSOLoginModule Constructor ");
               }

               public void initialize(Subject subject, CallbackHandler callbackHandler,
                                      Map sharedState, Map options)
               {
                  super.initialize(subject, callbackHandler, sharedState, options);
                  System.out.println("Inside OSSOLoginModule Initialize ");
               }

               /* Retrieve the header value and set it as identity. */
               public boolean login() throws LoginException
               {
                  System.out.println("Inside OSSOLoginModule Login ");
                  super.loginOk = false;
                  String username = getUsernameFromCallback();
                  if( username == null || username.length() == 0 )
                  {
                     // No SSO identity was supplied: fail the login rather than
                     // creating a principal with a null name.
                     System.out.println("No username retrieved");
                     throw new FailedLoginException("No username supplied by the SSO front end");
                  }

                  if( identity == null )
                  {
                     try
                     {
                        identity = createIdentity(username);
                        System.out.println("Identity created in login");
                     }
                     catch(Exception e)
                     {
                        System.out.println("Failed to create principal");
                        throw new LoginException("Failed to create principal: "+ e.getMessage());
                     }
                  }

                  if( getUseFirstPass() == true )
                  {  // Add the username to the shared state map for stacked modules
                     sharedState.put("javax.security.auth.login.name", username);
                  }
                  super.loginOk = true;
                  System.out.println("User '" + identity + "' authenticated, loginOk="+loginOk);
                  return true;
               }

               /* The authenticated identity. Called during commit. */
               protected Principal getIdentity()
               {
                  System.out.println("Inside getIdentity, returned is " + identity);
                  return identity;
               }

               /* Name of the authenticated identity, or null before login(). */
               protected String getUsername()
               {
                  String username = null;
                  if( getIdentity() != null )
                     username = getIdentity().getName();
                  System.out.println("User in getUsername is '" + username + "'");
                  return username;
               }

               /** Called by login() to acquire the username.
                * This method does no validation of the value.
                * @return String, username
                * @exception LoginException thrown if CallbackHandler is not set or fails.
                */
               protected String getUsernameFromCallback() throws LoginException
               {
                  String username = null;
                  // Get username
                  if( callbackHandler == null )
                  {
                     throw new LoginException("Error: no CallbackHandler available " +
                        "to collect authentication information");
                  }
                  NameCallback nc = new NameCallback("User name:");
                  Callback[] callbacks = {nc};

                  try
                  {
                     callbackHandler.handle(callbacks);
                     username = nc.getName();
                     System.out.println("Username set from callback is " + username);
                  }
                  catch(java.io.IOException ioe)
                  {
                     throw new LoginException(ioe.toString());
                  }
                  catch(UnsupportedCallbackException uce)
                  {
                     throw new LoginException("CallbackHandler does not support: " + uce.getCallback());
                  }
                  return username;
               }

               /* Set dummy roles. Called during commit. */
               protected Group[] getRoleSets()
               {
                  SimpleGroup roles = new SimpleGroup("Roles");
                  Group[] roleSets = {roles};
                  roles.addMember(new SimplePrincipal("JBossAdmin"));
                  roles.addMember(new SimplePrincipal("HttpInvoker"));
                  roles.addMember(new SimplePrincipal("Role2"));
                  System.out.println("Inside getRoleSets");
                  return roleSets;
               }
            }


            And my Valve code is:

            package my.sso;

            import java.io.IOException;
            import java.security.acl.Group;
            import java.util.Iterator;
            import java.util.Set;

            import javax.security.auth.Subject;
            import javax.security.auth.login.LoginContext;
            import javax.security.auth.login.LoginException;
            import javax.servlet.ServletException;

            import org.apache.catalina.connector.Request;
            import org.apache.catalina.connector.Response;
            import org.apache.catalina.valves.ValveBase;
            import org.jboss.security.SimplePrincipal;

            public class MyValve extends ValveBase
            {
               public void invoke(Request request, Response response)
                  throws IOException, ServletException
               {
                  String username1 = request.getRemoteUser();
                  // The SSO front end forwards REMOTE_USER as a request attribute
                  String remoteAttr = (String) request.getAttribute("REMOTE_USER");

                  System.out.println("Enter, REMOTE_USER=" + username1);
                  System.out.println("REMOTE_USER as attribute is " + remoteAttr);

                  if (remoteAttr == null)
                  {
                     // Nothing to log in with; let the rest of the pipeline handle it
                     getNext().invoke(request, response);
                     return;
                  }

                  try
                  {
                     // OSSOUsernameHandler is my CallbackHandler that answers the
                     // NameCallback with remoteAttr (class not shown here)
                     OSSOUsernameHandler handler = new OSSOUsernameHandler(remoteAttr);
                     LoginContext lc = new LoginContext("jmx-consoletest", handler);
                     lc.login();
                     Subject subject = lc.getSubject();

                     // Look for the "Roles" group among the Subject's Group principals
                     Set groups = subject.getPrincipals(Group.class);
                     for (Iterator it = groups.iterator(); it.hasNext(); )
                     {
                        Group g = (Group) it.next();
                        if (!"Roles".equals(g.getName()))
                           continue;
                        boolean flag = g.isMember(new SimplePrincipal("JBossAdmin"));
                        System.out.println("flag is " + flag);
                        flag = g.isMember(new SimplePrincipal("JBossAdmin1"));
                        System.out.println("flag 1 is " + flag);
                     }

                     request.setUserPrincipal(new SimplePrincipal(remoteAttr));
                     String name = request.getUserPrincipal().getName();
                     System.out.println("name is " + name);
                  }
                  catch (LoginException e)
                  {
                     // Report a failed login instead of silently swallowing it
                     System.out.println("Login failed for '" + remoteAttr + "': " + e.getMessage());
                  }

                  getNext().invoke(request, response);
               }
            }


            I have spent a couple of days on this; your help is highly appreciated.
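The thread ends without a resolution. What follows is an added example, not code from the original posts or from JBoss, showing the approach I would try instead of setting request.userPrincipal from a Valve: a custom Tomcat Authenticator for JBoss 4.0.x on Tomcat 5.5 that reads the forwarded REMOTE_USER attribute and hands the name to the context's Realm, so that JBossSecurityMgrRealm runs the security domain's JAAS login and holds the authenticated Subject before AuthenticatorBase reaches hasRole(). My assumption is that the NullPointerException in the second post comes from the realm being asked for roles of a principal it never authenticated; the attribute name REMOTE_USER (forwarded by mod_jk via JkEnvVar), the AJP port 8009 and the auth-type string "OSSO" are assumptions as well, and the OSSOAuthenticator class name is mine.

```java
package my.sso;

import java.io.IOException;
import java.security.Principal;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Realm;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;

/**
 * Example SSO authenticator (not the thread's own code). It trusts the
 * REMOTE_USER value forwarded by the front-end web server and lets the
 * context's Realm perform the login, instead of setting the user principal
 * from a Valve.
 */
public class OSSOAuthenticator extends AuthenticatorBase
{
   /** Request attribute the front end forwards (assumption: JkEnvVar REMOTE_USER). */
   private static final String REMOTE_USER_ATTR = "REMOTE_USER";

   /** Connector port reachable only by the trusted front end (assumption: AJP on 8009). */
   private static final int TRUSTED_LOCAL_PORT = 8009;

   /** Auth type reported by request.getAuthType() (assumption: any label will do). */
   private static final String AUTH_TYPE = "OSSO";

   protected boolean authenticate(Request request, Response response, LoginConfig config)
      throws IOException
   {
      // Already authenticated on this request or through the session?
      Principal principal = request.getUserPrincipal();
      if (principal != null)
         return true;

      // Only trust the forwarded attribute on the connector the front end uses.
      // A client that can reach the HTTP connector directly must not be able to
      // pick its own username by supplying the attribute's source itself.
      if (request.getLocalPort() != TRUSTED_LOCAL_PORT)
      {
         response.sendError(HttpServletResponse.SC_FORBIDDEN);
         return false;
      }

      Object attr = request.getAttribute(REMOTE_USER_ATTR);
      String username = (attr == null) ? null : attr.toString().trim();
      if (username == null || username.length() == 0)
      {
         // No SSO identity forwarded: refuse rather than fall through
         response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
         return false;
      }

      // Run the security domain's login modules through the realm. With
      // JBossSecurityMgrRealm this performs the JAAS login (the NameCallback
      // receives username) and records the Subject used by the role checks.
      // The empty credential is accepted because the login module above
      // validates nothing but the name.
      Realm realm = context.getRealm();
      principal = realm.authenticate(username, "");
      if (principal == null)
      {
         response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
         return false;
      }

      // Attach the principal to the request and session as the built-in
      // authenticators do, so later requests skip the login.
      register(request, response, principal, AUTH_TYPE, username, null);
      return true;
   }
}
```

To use it, the class has to replace the BASIC authenticator on the context: either declare it as a Valve in the web application's context configuration (Tomcat's ContextConfig skips adding the web.xml auth-method authenticator when an Authenticator valve is already in the pipeline), or, on JBoss releases whose Tomcat deployer exposes an authenticators mapping, map a custom auth-method name to it; which of these your 4.0.x build supports is an assumption to check against your jbossweb-tomcat55.sar configuration. The local-port check is only a partial safeguard: anyone who can open a connection to the AJP port can forward attributes too, so the real control is that port 8009 is reachable from the front-end web server alone.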