0 Replies Latest reply on Sep 27, 2005 7:59 PM by bemowski

    JBoss/Tomcat BASIC authentication with JAAS fails to respect

    bemowski

      All -

      I've been fighting and googling galore, and it seems that this problem may have been posted before, but never solved.

      I'm running standard JBoss 4.0.1 (though I've duplicated the problem on 4.0.2 and 4.0.3sp2). I've enabled BASIC authentication on the jmx-console (and I've also tried on another small sample webapp) as explained in the comments of the various configuration files. Here are the relevant sections:

      From jboss/conf/login-config.xml:

      <application-policy name="jmx-console">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                        flag="required">
            <module-option name="usersProperties">jmx-console-users.properties</module-option>
            <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
          </login-module>
        </authentication>
      </application-policy>


      From deploy/jmx-console.war/WEB-INF/jboss-web.xml:
      <jboss-web>
        <!-- Uncomment the security-domain to enable security. You will
             need to edit the htmladaptor login configuration to setup the
             login modules used to authentication users.-->
        <security-domain>java:/jaas/jmx-console</security-domain>
      </jboss-web>


      And finally from deploy/jmx-console.war/WEB-INF/jboss-web.xml:
      <!-- A security constraint that restricts access to the HTML JMX console
           to users with the role JBossAdmin. Edit the roles to what you want and
           uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
           secured access to the HTML JMX console. -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>HtmlAdaptor</web-resource-name>
          <description>An example security config that only allows users with the
            role JBossAdmin to access the HTML JMX console web application
          </description>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>JBossAdmin</role-name>
        </auth-constraint>
      </security-constraint>
      <!-- -->

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>JBoss JMX Console</realm-name>
      </login-config>

      <security-role>
        <role-name>JBossAdmin</role-name>
      </security-role>

      ===================

      I've also enabled trace logging on the relevant packages:
      <category name="org.jboss.security">
        <priority value="TRACE" class="org.jboss.logging.XLevel"/>
        <appender-ref ref="BEMO"/>
      </category>

      <category name="org.apache.catalina">
        <priority value="TRACE" class="org.jboss.logging.XLevel"/>
        <appender-ref ref="BEMO"/>
      </category>

      <category name="org.apache.coyote">
        <priority value="TRACE" class="org.jboss.logging.XLevel"/>
        <appender-ref ref="BEMO"/>
      </category>
      

      Ok. Now, I try to access the console, and I am prompted for username/password via the standard HTTP BASIC authentication system.

      When I enter an invalid password, it fails, and prompts again for the username and password.

      Here is the problem. The authentication system ALLOWS the login, then denies access to the JMX console because in theory the user does not have the appropriate role:
      2005-09-27 19:57:38,429 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
      2005-09-27 19:57:38,429 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] User 'admin' authenticated, loginOk=true
      2005-09-27 19:57:38,430 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=true
      2005-09-27 19:57:38,430 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] updateCache, subject=Subject:
       Principal: admin
       Principal: Roles(members:JBossAdmin,HttpInvoker)
      
      2005-09-27 19:57:38,431 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@5d3ac0[Subject(12333359).principals=[admin, Roles(members:JBossAdmin,HttpInvoker)],credential.class=[C@1440568,expirationTime=1127867258422]
      2005-09-27 19:57:38,431 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] End isValid, true
      2005-09-27 19:57:38,432 TRACE [org.jboss.security.SecurityAssociation] setPrincipal, p=admin, server=true
      2005-09-27 19:57:38,485 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@5d3ac0[Subject(12333359).principals=[admin, Roles(members:JBossAdmin,HttpInvoker)],credential.class=[C@1440568,expirationTime=1127867258422]
      2005-09-27 19:57:38,485 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'admin' with type 'BASIC'
      2005-09-27 19:57:38,486 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
      2005-09-27 19:57:38,486 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[admin()]
      2005-09-27 19:57:38,486 DEBUG [org.apache.catalina.realm.RealmBase] Username admin does NOT have role JBossAdmin
      2005-09-27 19:57:38,487 DEBUG [org.apache.catalina.realm.RealmBase] No role found: JBossAdmin
      2005-09-27 19:57:38,487 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test
      
      


      Can anyone help me?

      Paul Bemowski
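The symptom in the trace above is an authenticated principal whose container-side role list is empty even though the JAAS subject carries a Roles group. Before chasing the realm itself, it is worth confirming that the four artifacts involved actually agree with each other. The script below is an added example, not code from the post or from JBoss: it cross-checks the application-policy name in login-config.xml against the security-domain in jboss-web.xml, the auth-constraint roles against the declared security-role elements in web.xml, and both against the roles.properties consumed by UsersRolesLoginModule. The embedded inputs are constructed from the snippets in the post; the roles file content (admin=JBossAdmin,HttpInvoker) is an assumption inferred from the Roles(members:...) line in the trace.

```python
"""Consistency check for a JBoss 4.0.x web app secured with BASIC auth + JAAS.

Added example, not code from the post or from JBoss. It cross-checks the
artifacts that must agree before a container role check can succeed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the snippets in the post above.
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">jmx-console-users.properties</module-option>
        <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>JBossAdmin</role-name></security-role>
</web-app>"""

# Assumed roles file (user=role1,role2), matching the Roles group in the trace.
ROLES_PROPERTIES = "admin=JBossAdmin,HttpInvoker\n"


def _parse(xml_text):
    """Parse and strip namespaces so a 2.4 (namespaced) and a 2.3 web.xml look alike."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def roles_by_user(roles_text):
    """user=r1,r2 and user.Roles=r1 both feed the 'Roles' group the web tier checks;
    user.Other=... names a different group and is ignored here."""
    out = {}
    for key, value in parse_properties(roles_text).items():
        user, _, group = key.partition(".")
        if group and group != "Roles":
            continue
        out.setdefault(user, set()).update(r.strip() for r in value.split(",") if r.strip())
    return out


def check_web_security(login_config_xml, jboss_web_xml, web_xml, roles_text):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    domain = _parse(jboss_web_xml).findtext("security-domain")
    if not domain:
        return ["jboss-web.xml: no <security-domain>, so the container never calls JAAS"]
    policy = domain.strip().rsplit("/", 1)[-1]  # java:/jaas/jmx-console -> jmx-console
    policies = {ap.get("name") for ap in _parse(login_config_xml).iter("application-policy")}
    if policy not in policies:
        findings.append(f"login-config.xml: no application-policy '{policy}' (have {sorted(policies)})")
    web = _parse(web_xml)
    declared = {sr.findtext("role-name", "").strip() for sr in web.iter("security-role")}
    users = roles_by_user(roles_text)
    for sc in web.iter("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "?").strip()
        methods = [m.text.strip() for m in sc.iter("http-method")]
        if methods:  # naming verbs leaves every other verb outside the constraint
            findings.append(f"{name}: only {','.join(methods)} are constrained; other HTTP verbs bypass this constraint")
        for rn in sc.iter("role-name"):  # inside a security-constraint this is the auth-constraint
            role = rn.text.strip()
            if role == "*":
                continue
            if role not in declared:
                findings.append(f"{name}: auth-constraint role '{role}' is not declared in <security-role>")
            if not any(role in rs for rs in users.values()):
                findings.append(f"{name}: no user in roles.properties is assigned '{role}'")
    return findings


if __name__ == "__main__":
    for finding in check_web_security(LOGIN_CONFIG_XML, JBOSS_WEB_XML, WEB_XML, ROLES_PROPERTIES):
        print(finding)
```

Run against the configuration in the post, the only finding is the http-method one: because the constraint lists GET and POST explicitly, any other verb reaches the console without passing through the constraint at all, so a bare security-constraint with no http-method elements is the safer shape for an admin console. Point the script at a roles.properties that lacks JBossAdmin for every user, or at a web.xml whose auth-constraint names a role that no security-role declares, and it reports exactly the mismatch that would produce a "does NOT have role" denial after a successful login.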