JBoss/Tomcat BASIC authentication with JAAS fails to respect
bemowski Sep 27, 2005 7:59 PM

All -
I've been fighting and googling galore, and it seems that this problem may have been posted before, but never solved.
I'm running standard JBoss 4.0.1 (though I've duplicated the problem on 4.0.2 and 4.0.3sp2). I've enabled BASIC authentication on the jmx-console (and I've also tried on another small sample webapp) as explained in the comments of the various configuration files. Here are the relevant sections:
From jboss/conf/login-config.xml:
<application-policy name = "jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
      <module-option name="usersProperties">jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
From deploy/jmx-console.war/WEB-INF/jboss-web.xml:
<jboss-web>
  <!-- Uncomment the security-domain to enable security. You will need to
       edit the htmladaptor login configuration to setup the login modules
       used to authentication users.-->
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
And finally from deploy/jmx-console.war/WEB-INF/jboss-web.xml:
<!-- A security constraint that restricts access to the HTML JMX console
     to users with the role JBossAdmin. Edit the roles to what you want and
     uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
     secured access to the HTML JMX console. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
<!-- -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss JMX Console</realm-name>
</login-config>
<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>
===================
I've also enabled trace logging on the relevant packages:
<category name="org.jboss.security">
  <priority value="TRACE" class="org.jboss.logging.XLevel"/>
  <appender-ref ref="BEMO"/>
</category>
<category name="org.apache.catalina">
  <priority value="TRACE" class="org.jboss.logging.XLevel"/>
  <appender-ref ref="BEMO"/>
</category>
<category name="org.apache.coyote">
  <priority value="TRACE" class="org.jboss.logging.XLevel"/>
  <appender-ref ref="BEMO"/>
</category>
Ok. Now, I try to access the console, and I am prompted for username/password via the standard HTTP BASIC authentication system.
When I enter an invalid password, it fails, and prompts again for the username and password.
Here is the problem. The authentication system ALLOWS the login, then denies access to the JMX console because in theory the user does not have the appropriate role:
2005-09-27 19:57:38,429 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
2005-09-27 19:57:38,429 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] User 'admin' authenticated, loginOk=true
2005-09-27 19:57:38,430 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=true
2005-09-27 19:57:38,430 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] updateCache, subject=Subject: Principal: admin Principal: Roles(members:JBossAdmin,HttpInvoker)
2005-09-27 19:57:38,431 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@5d3ac0[Subject(12333359).principals=[admin, Roles(members:JBossAdmin,HttpInvoker)],credential.class=[C@1440568,expirationTime=1127867258422]
2005-09-27 19:57:38,431 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] End isValid, true
2005-09-27 19:57:38,432 TRACE [org.jboss.security.SecurityAssociation] setPrincipal, p=admin, server=true
2005-09-27 19:57:38,485 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@5d3ac0[Subject(12333359).principals=[admin, Roles(members:JBossAdmin,HttpInvoker)],credential.class=[C@1440568,expirationTime=1127867258422]
2005-09-27 19:57:38,485 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'admin' with type 'BASIC'
2005-09-27 19:57:38,486 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
2005-09-27 19:57:38,486 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[admin()]
2005-09-27 19:57:38,486 DEBUG [org.apache.catalina.realm.RealmBase] Username admin does NOT have role JBossAdmin
2005-09-27 19:57:38,487 DEBUG [org.apache.catalina.realm.RealmBase] No role found: JBossAdmin
2005-09-27 19:57:38,487 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl()
Can anyone help me?
Paul Bemowski
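Added example (editor's note, not part of the original post): a small checker that reads a JBoss/Tomcat trace like the one above and correlates what the JAAS login module put into the Subject (the "Roles" group) with what the Catalina realm actually evaluated (the roles inside "GenericPrincipal[user(roles)]"). The interesting symptom in the post is exactly that gap: the JAAS side says "Roles(members:JBossAdmin,HttpInvoker)" while the container side checks "GenericPrincipal[admin()]" with an empty role list and then (correctly, fail-closed) reports "Failed accessControl()". The sample log is copied from the post, split one entry per line; the assumption that Tomcat prints container roles as a comma-separated list with a trailing comma ("admin(JBossAdmin,HttpInvoker,)") is the editor's, based on how GenericPrincipal.toString() formats roles, and the script does not claim to diagnose why the roles were dropped.

```python
import re

# Trace excerpt copied from the post above (split one entry per line).
SAMPLE_LOG = """\
2005-09-27 19:57:38,429 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] User 'admin' authenticated, loginOk=true
2005-09-27 19:57:38,430 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] updateCache, subject=Subject: Principal: admin Principal: Roles(members:JBossAdmin,HttpInvoker)
2005-09-27 19:57:38,485 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'admin' with type 'BASIC'
2005-09-27 19:57:38,486 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[admin()]
2005-09-27 19:57:38,486 DEBUG [org.apache.catalina.realm.RealmBase] Username admin does NOT have role JBossAdmin
2005-09-27 19:57:38,487 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl()
"""

# Roles the JAAS side committed into the Subject's "Roles" group.
JAAS_ROLES_RE = re.compile(r"Roles\(members:([^)]*)\)")
# Roles the web container actually held on the request principal.
# Assumed format: GenericPrincipal[user(role1,role2,)] (trailing comma allowed).
CONTAINER_PRINCIPAL_RE = re.compile(r"GenericPrincipal\[([^\[\]()]+)\(([^)]*)\)\]")
AUTH_RE = re.compile(r"Authenticated '([^']+)' with type '([^']+)'")
DENIED_RE = re.compile(r"Username (\S+) does NOT have role (\S+)")
ACCESS_DENIED_MARKER = "Failed accessControl()"


def _split_roles(text):
    """'a,b,' -> {'a', 'b'}; empty string -> empty set."""
    return {r.strip() for r in text.split(",") if r.strip()}


def analyze(log_text):
    """Correlate JAAS Subject roles with the container's role check.

    Returns a dict with the roles seen on each side, the authentication and
    denial events, whether the container ultimately denied the request, and
    a list of findings where a role was denied by the container although the
    JAAS Subject carried it (i.e. role information was lost between the two).
    """
    jaas_roles = set()
    container = {}          # user -> roles the container saw on the principal
    authenticated = []      # (user, auth type)
    denied = []             # (user, role the realm said was missing)
    access_denied = False

    for line in log_text.splitlines():
        m = JAAS_ROLES_RE.search(line)
        if m:
            jaas_roles |= _split_roles(m.group(1))
        m = CONTAINER_PRINCIPAL_RE.search(line)
        if m:
            container.setdefault(m.group(1), set()).update(_split_roles(m.group(2)))
        m = AUTH_RE.search(line)
        if m:
            authenticated.append((m.group(1), m.group(2)))
        m = DENIED_RE.search(line)
        if m:
            denied.append((m.group(1), m.group(2)))
        if ACCESS_DENIED_MARKER in line:
            access_denied = True

    findings = []
    for user, role in denied:
        seen = container.get(user, set())
        if role in jaas_roles and role not in seen:
            findings.append(
                f"'{user}' denied role '{role}' by the web container although the "
                f"JAAS Subject carried it; container principal roles={sorted(seen)}, "
                f"JAAS Roles group={sorted(jaas_roles)}"
            )

    return {
        "jaas_roles": sorted(jaas_roles),
        "container_roles": {u: sorted(r) for u, r in container.items()},
        "authenticated": authenticated,
        "denied": denied,
        "access_denied": access_denied,
        "findings": findings,
    }


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG)["findings"]:
        print(f)
```

Run it against a full server.log from a failed request; an empty "findings" list with a non-empty "denied" list means the realm never saw the role on either side (a users/roles properties problem), while a finding like the one this sample produces means the role existed in the JAAS Subject and was lost on the way to the container's principal. Either way, "access_denied" being true confirms the container failed closed rather than granting access on a bad role lookup.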