15 Replies. Latest reply on Oct 7, 2005 11:43 AM by angelzworld

    JAAS Security in JBOSS 4.0 ISSUES??

    angelzworld

      I am trying to implement JAAS security in JBoss and need a proper working example for this. I tried executing the jaas_howto 3.2x; however, it does not get deployed. I guess it's probably because of the change in version.

      I came across this article on the net which explains JAAS with JBoss pretty well and tried to deploy that as well; however, even that fails because the software being used is of a very old version, and when I try to deploy it using the new version or even a later version, it doesn't work. I was unable to find jboss.2.4.5 for this article:
      http://www.ociweb.com/jnb/jnbJul2002.html#ocieducationalservices

      Please can anyone direct me to a simple, straightforward working example of JAAS with JBoss 4.0 (the latest version of JBoss), or even any book references that give in-depth knowledge of JAAS with JBoss?

      I want to implement the DatabaseServerLoginModule using the PostgreSQL database.

      Please do post back soon. Thanks a bunch.

        • 1. Re: JAAS Security in JBOSS 4.0 ISSUES??
          michael.c.small

          I would start with the JBoss Security chapter in the JBoss documentation (available on the JBoss site). This provides a base understanding of the JBossSX and JAAS. If that doesn't get you going, look at the DVD Store Trail Blazer available on the JBoss site ... that gives a complete example. Best of luck.

          • 2. Re: JAAS Security in JBOSS 4.0 ISSUES??
            angelzworld

            Thanks a lot for that tip. I am going through the documentation and by now I am familiar with the basics, but I need to know how it works together as a whole, so I was looking out for the example.

            Can you please provide me with the link for the DVD Store Trail Blazer? I was not able to locate it. Is that like a zip file or something that I can download and implement on my machine? I really appreciate your reply. Please let me know.

            Thanks a bunch

            • 3. Re: JAAS Security in JBOSS 4.0 ISSUES??
              neelixx

              angelzworld,

              I just wrote up a quick article on using JBoss's security architecture. Although it's not really needed, as there are a slew of articles out there (not to mention on this site in particular).

              I only write these articles to help my understanding, and for note taking. You can find it here:

              http://www.thepaxson5.org/Members/Aaron/JBoss/jboss-jaas-intro

              This article shows how to use the flat file for users and roles, and I plan on doing the database in the very near future. Until then, you can follow the article, and instead of using the UsersRolesLoginModule, look at the "http://wiki.jboss.org/wiki/Wiki.jsp?page=DatabaseServerLoginModule" and its options.

              The only thing different you'll have to do, that my article doesn't show, would be to bind the database to use for your logins, into JNDI.

              HTH,

              Good Luck!

              --Aaron

              • 4. Re: JAAS Security in JBOSS 4.0 ISSUES??
                neelixx

                Also,

                I finished up the database portion just so you can look at it.

                If you are asking about a book, most of my knowledge came from the JBoss Wiki, the JBoss Admin Guide, and the book JBoss: A Developer's Notebook.

                I highly recommend the Developer's Notebook, as it gives you a hands-on guide to doing common operations. It's a small and cheap book, but gives you some great knowledge!

                HTH!

                Aaron

                • 5. Re: JAAS Security in JBOSS 4.0 ISSUES??
                  niwhsa

                  At the highest level, these are the steps required to convert an insecure J2EE app to a secure one in JBoss.

                  For web apps

                  1) In the web.xml, list the URLs that need to be secure and the HTTP methods that need to be secure. This can be done as so.

                  <!-- Specify the secured resources -->
                  
                  <security-constraint>
                   <web-resource-collection>
                   <web-resource-name>Restricted</web-resource-name>
                   <description>Declarative security tests</description>
                   <url-pattern>/*</url-pattern>
                   <http-method>HEAD</http-method>
                   <http-method>GET</http-method>
                   <http-method>POST</http-method>
                   <http-method>PUT</http-method>
                   <http-method>DELETE</http-method>
                   </web-resource-collection>
                   <auth-constraint>
                   <role-name>Secure</role-name>
                   </auth-constraint>
                   <user-data-constraint>
                   <description>no description</description>
                   <transport-guarantee>NONE</transport-guarantee>
                   </user-data-constraint>
                  </security-constraint>
                  
                  <!-- Specify the login mechanism -->
                  
                  <login-config>
                   <auth-method>BASIC</auth-method>
                   <realm-name>JAAS Tutorial Servlets</realm-name>
                  </login-config>
                  
                  <!-- Specify the role list -->
                  
                  <security-role>
                   <description>A user allowed to invoke echo methods</description>
                   <role-name>Secure</role-name>
                  </security-role>
                  


                  2) Now specify the security domain that will provide the authentication (login) and the authorization information (roles) in jboss-web.xml


                  This comes directly under the <jboss-web> tag. Check the DTD for more details.


                  <security-domain>java:/jaas/jwdomain</security-domain>
                  



                  3) Now the last piece is to provide the jwdomain information in server/default (or the config that you are using)/conf/login-config.xml


                   <application-policy name = "jwdomain">
                   <authentication>
                   <login-module code="MyLoginModule" flag="required" >
                  <!-- Login module options go here -->
                   </login-module>
                   </authentication>
                   </application-policy>
                  


                  Now you should be good to go.


                  *******************************************************
                  For an EJB application

                  Replace step 1) above with the info in ejb-jar.xml.

                  Steps 2) and 3) remain the same.

                  Note: Use jboss.xml to provide the security domain info rather than jboss-web.xml.


                  Let us know how it goes.

                  Also, it would help if you post the exact error you are getting.


                  • 6. Re: JAAS Security in JBOSS 4.0 ISSUES??
                    angelzworld

                    Well, thanks for all those tips; I am trying that out right now. I am still a bit confused regarding the configuration of JAAS for JBoss. I am developing an EJB application, so accordingly I guess I need to configure the following files:

                    -- ejb-jar.xml
                    -- jboss.xml
                    -- login-config.xml

                    How about the auth.conf files for the server side and the client side? Don't I need to configure these? If so, how do I go about configuring these?





                    • 7. Re: JAAS Security in JBOSS 4.0 ISSUES??
                      angelzworld

                      OK, this is what I have till now.

                      For starters, I just need to verify if a user with the username "admin" and password "superuser" can successfully log in to the application.


                      This is my database schema in PostgreSQL:

                      users table, which stores the user information

                      * id (INTEGER PRIMARY KEY)
                      * username (VARCHAR(64))
                      * password (VARCHAR(64))


                      userroles table, which stores roles and the corresponding user information

                      * id (INTEGER PRIMARY KEY)
                      * username (VARCHAR(64))
                      * userrole (VARCHAR(32))

                      My login-config.xml and postgres-ds.xml are as follows:

                      *************postgres-ds.xml*************************

                      <datasources>
                        <local-tx-datasource>
                          <jndi-name>PostgresDS</jndi-name>
                          <connection-url>jdbc:postgresql://localhost/megs</connection-url>
                          <driver-class>org.postgresql.Driver</driver-class>
                          <user-name>postgres</user-name>
                          <password>postgres</password>
                        </local-tx-datasource>
                      </datasources>

                      ***************postgres-ds.xml***************************

                      ******************login-config.xml************************
                      <application-policy name = "DefAuth">
                        <authentication>
                          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                                        flag = "required">
                            <module-option name = "unauthenticatedIdentity">guest</module-option>
                            <module-option name = "dsJndiName">java:/PostgresDS</module-option>
                            <module-option name = "principalsQuery">SELECT passwd FROM users WHERE PrincipleID=?</module-option>
                            <module-option name = "rolesQuery">SELECT userrole, 'Roles' FROM userroles WHERE PrincipleID=?</module-option>
                          </login-module>
                        </authentication>
                      </application-policy>
                      ******************login-config.xml************************


                      I hope I am going correct so far.

                      I am using the Eclipse IDE along with XDoclet, which generates the deployment descriptor files (ejb-jar.xml and jboss.xml) automatically.

                      The security domain is configured in jboss.xml as

                      ******************jboss.xml*********************************


                      <security-domain> java:/jaas/megs </security-domain>


                      ******************jboss.xml*********************************

                      I want to know if, apart from all this, there are any other files that need configuration.

                      Also, can you provide me with a snippet of code that would demonstrate how the authentication is handled via JAAS (LoginContext and CallbackHandlers)?

                      I can then proceed on extending the security architecture if I can get this going.

                      Please let me know about this as soon as possible.

                      Thanks a bunch for all the help.
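The LoginContext and CallbackHandler flow asked for above, as an added example that is not part of this thread and is not JBoss's own code: a plain-JDK JAAS program in which a hypothetical in-memory LoginModule (MapLoginModule) plays the part of DatabaseServerLoginModule for the users/userroles schema shown, and a programmatic Configuration stands in for the "megs" application-policy that login-config.xml would carry. Role names are attached as "role:"-prefixed principals; JBoss instead puts them in a java.security.acl.Group named "Roles", which recent JDKs have removed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasLoginDemo {
    // Constructed stand-in for the thread's users / userroles tables (hypothetical, in-memory, plaintext as in the thread).
    static final Map<String, String> PASSWORDS = new HashMap<>();
    static final Map<String, List<String>> ROLES = new HashMap<>();
    static {
        PASSWORDS.put("admin", "superuser"); ROLES.put("admin", Arrays.asList("ManageUsers"));
    }

    // Minimal Principal; JBoss uses org.jboss.security.SimplePrincipal for the same purpose.
    public static final class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Hypothetical LoginModule doing what DatabaseServerLoginModule does with principalsQuery / rolesQuery,
    // but against the maps above instead of the java:/PostgresDS datasource.
    public static class MapLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler;
        private String username; private List<String> roles = Collections.emptyList(); private boolean succeeded;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }

        public boolean login() throws LoginException {
            // Phase 1: obtain credentials through the CallbackHandler (the container supplies one for BASIC/FORM auth).
            NameCallback nameCb = new NameCallback("username: ");
            PasswordCallback passCb = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nameCb, passCb }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
            username = nameCb.getName();
            char[] pw = passCb.getPassword();
            passCb.clearPassword();
            String expected = username == null ? null : PASSWORDS.get(username);       // principalsQuery equivalent
            boolean ok = expected != null && pw != null && MessageDigest.isEqual(        // constant-time comparison
                    expected.getBytes(StandardCharsets.UTF_8), new String(pw).getBytes(StandardCharsets.UTF_8));
            if (pw != null) Arrays.fill(pw, '\0');
            if (!ok) throw new FailedLoginException("invalid username or password");
            roles = ROLES.getOrDefault(username, Collections.<String>emptyList());       // rolesQuery equivalent
            succeeded = true;
            return true;
        }

        public boolean commit() {
            // Phase 2: only after every module in the policy succeeded are identity and roles attached to the Subject.
            if (!succeeded) return false;
            subject.getPrincipals().add(new NamedPrincipal(username));
            for (String r : roles) subject.getPrincipals().add(new NamedPrincipal("role:" + r));
            return true;
        }
        public boolean abort() { succeeded = false; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Client-side handler answering the callbacks with a fixed username/password
    // (JBoss ships org.jboss.security.auth.callback.UsernamePasswordHandler for this job).
    public static final class FixedCredentialsHandler implements CallbackHandler {
        private final String user; private final char[] pass;
        public FixedCredentialsHandler(String user, char[] pass) { this.user = user; this.pass = pass; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
        }
    }

    // Programmatic equivalent of <application-policy name="megs"> in conf/login-config.xml.
    static final class MegsConfiguration extends Configuration {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"megs".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(MapLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, String>()) };
        }
    }

    // Runs the two-phase login (login() then commit()) and returns the roles granted; throws on bad credentials.
    public static Set<String> authenticate(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("megs", new FixedCredentialsHandler(user, password));
        lc.login();
        Set<String> granted = new TreeSet<>();
        for (Principal p : lc.getSubject().getPrincipals())
            if (p.getName().startsWith("role:")) granted.add(p.getName().substring(5));
        return granted;
    }

    public static void main(String[] args) throws Exception {
        Configuration.setConfiguration(new MegsConfiguration());   // stands in for login-config.xml
        System.out.println("admin roles: " + authenticate("admin", "superuser".toCharArray()));
        try { authenticate("admin", "wrong".toCharArray()); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile and run it with `javac JaasLoginDemo.java && java JaasLoginDemo`; the wrong password fails inside login(), so commit() never runs and no principal is attached to the Subject, which is the state behind a "principal=null" authorization failure.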

                      • 8. Re: JAAS Security in JBOSS 4.0 ISSUES??
                        niwhsa

                        Your principals query and the roles query use the wrong column name? Your table has a username column, doesn't it?


                        Also, your application policy name in login-config.xml is DefAuth, but you are using megs in jboss.xml?

                        • 9. Re: JAAS Security in JBOSS 4.0 ISSUES??
                          angelzworld

                          Yeah, I did notice that :) and rectified it; I changed the query as well as the application policy name. Now here is the problem I am facing.

                          In jboss.xml, the security-domain is specified as:
                          <security-domain> java:/jaas/megs </security-domain>
                          I guess this makes JBoss look for login modules when you attempt to log in to a site. I get the following exception:
                          ****************************************************
                          java.rmi.AccessException: SecurityException; nested exception is:
                          java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=Region, method=create, interface=HOME, requiredRoles=[ManageUsers], principalRoles=[]

                          My auto-generated ejb-jar.xml file looks like this:
                          ************************************************************
                          <ejb-jar>
                          ..................
                          .............................

                          <session>
                            <description><![CDATA[This is the Region session bean.]]></description>
                            <display-name>Region Session Bean</display-name>

                            <ejb-name>Region</ejb-name>
                            <home>{my home interface}</home>
                            <remote>{my remote interface}</remote>
                            <ejb-class>{my ejb-class}</ejb-class>
                            <session-type>Stateless</session-type>
                            <transaction-type>Container</transaction-type>

                            <security-role-ref>
                              <role-name>ManageUsers</role-name>
                              <role-link>ManageUsers</role-link>
                            </security-role-ref>
                          </session>

                          ...................................................
                          ......................................
                          .............................................

                          <!-- Assembly Descriptor -->
                          <assembly-descriptor>
                            <security-role>
                              <role-name>ManageUsers</role-name>
                            </security-role>
                            <security-role>
                              <role-name>ScadaUser</role-name>
                            </security-role>
                            <method-permission>
                              <role-name>ManageUsers</role-name>
                              <method>
                                <ejb-name>Region</ejb-name>
                                <method-name>create</method-name>
                              </method>
                            </method-permission>
                          </assembly-descriptor>

                          .................................................................
                          ...............................................................................

                          </ejb-jar>
                          *********************************************************
                          I am not sure what exactly is wrong. I tried changing the value of the method-name tag to "*" instead of create; even that doesn't work, though. It throws the same exception.

                          Can you please tell me what I am doing wrong :( . Also, I noticed it doesn't matter if I have auth.conf configured at all. Is this because of an upgrade in the version? Tutorials on several previous versions tell us to configure both client-side and server-side auth.conf files. Please guide me with respect to that as well.

                          Waiting for your replies. Thank you, your help is really appreciated :)

                          • 10. Re: JAAS Security in JBOSS 4.0 ISSUES??
                            angelzworld

                            Well I am still stuck with the exception reported earlier. I was hoping I could get some replies for that :(.

                            My application needs authorized access to create and add users for the application. Say, only users with the role 'ManageUsers' can create and add users and users with role 'NormalUsers' can only browse through the site.

                            The application makes use of EJBs and servlets, and the front-end is in Velocity.
                            Here's my security configuration in ejb-jar.xml and web.xml. I am not very sure how it is worked out. How do roles in web.xml map to those in ejb-jar.xml?

                            *************************web.xml**************************
                            <web-app>
                              <display-name>Enterprise Management Console</display-name>

                              <filter>
                                <filter-name>sitemesh</filter-name>
                                <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
                              </filter>

                              <filter-mapping>
                                <filter-name>sitemesh</filter-name>
                                <url-pattern>/*</url-pattern>
                              </filter-mapping>

                              <servlet>
                                <servlet-name>webwork</servlet-name>
                                <servlet-class>com.opensymphony.webwork.dispatcher.ServletDispatcher</servlet-class>
                                <load-on-startup>1</load-on-startup>
                              </servlet>

                              <servlet>
                                <servlet-name>velocity</servlet-name>
                                <servlet-class>com.opensymphony.webwork.views.velocity.WebWorkVelocityServlet</servlet-class>
                                <load-on-startup>1</load-on-startup>
                              </servlet>

                              <servlet>
                                <servlet-name>sitemesh-velocity</servlet-name>
                                <servlet-class>com.opensymphony.module.sitemesh.velocity.VelocityDecoratorServlet</servlet-class>
                              </servlet>

                              <servlet>
                                <servlet-name>SecureServlet</servlet-name>
                                <servlet-class>com.megs.management.servlets.AdminAction</servlet-class>
                                <run-as>
                                  <description>Only admin can access this</description>
                                  <role-name>admin</role-name>
                                </run-as>
                              </servlet>

                              <servlet-mapping>
                                <servlet-name>SecureServlet</servlet-name>
                                <url-pattern>/restricted/*</url-pattern>
                              </servlet-mapping>

                              <servlet-mapping>
                                <servlet-name>webwork</servlet-name>
                                <url-pattern>*.action</url-pattern>
                              </servlet-mapping>

                              <servlet-mapping>
                                <servlet-name>velocity</servlet-name>
                                <url-pattern>*.vm</url-pattern>
                              </servlet-mapping>

                              <servlet-mapping>
                                <servlet-name>sitemesh-velocity</servlet-name>
                                <url-pattern>*.vm</url-pattern>
                              </servlet-mapping>

                              <security-constraint>
                                <web-resource-collection>
                                  <web-resource-name>SecureServlet</web-resource-name>
                                  <description>Authorized access</description>
                                  <url-pattern>/restricted/*</url-pattern>
                                </web-resource-collection>
                                <auth-constraint>
                                  <role-name>ManageUsers</role-name>
                                </auth-constraint>
                              </security-constraint>

                              <security-role>
                                <role-name>ManageUsers</role-name>
                              </security-role>

                            </web-app>

                            **********************************************************

                            ********************ejb-jar.xml****************************
                            <ejb-jar>

                              <description><![CDATA[No Description.]]></description>
                              <display-name>Generated by XDoclet</display-name>

                              <enterprise-beans>

                                <!-- Session Beans -->
                                <session>
                                  <description><![CDATA[This is the Region session bean.]]></description>
                                  <display-name>Region Session Bean</display-name>

                                  <ejb-name>Region</ejb-name>
                                  <home>{my home interface}</home>
                                  <remote>{my remote interface}</remote>
                                  <ejb-class>{my ejb-class}</ejb-class>
                                  <session-type>Stateless</session-type>
                                  <transaction-type>Container</transaction-type>

                                  <security-role-ref>
                                    <role-name>ManageUsers</role-name>
                                    <role-link>ManageUsers</role-link>
                                  </security-role-ref>
                                </session>

                            ...................................................
                            ......................................
                            .............................................

                              <!-- Assembly Descriptor -->
                              <assembly-descriptor>

                                <security-role>
                                  <role-name>ManageUsers</role-name>
                                </security-role>
                                <security-role>
                                  <role-name>NormalUsers</role-name>
                                </security-role>

                                <method-permission>
                                  <role-name>ManageUsers</role-name>
                                  <method>
                                    <ejb-name>Region</ejb-name>
                                    <method-name>create</method-name>
                                  </method>
                                </method-permission>

                                <method-permission>
                                  <role-name>NormalUsers</role-name>
                                  <method>
                                    <ejb-name>Region</ejb-name>
                                    <method-name>create</method-name>
                                  </method>
                                </method-permission>

                              </assembly-descriptor>

                            ................................................................
                            ...............................................................................

                            </ejb-jar>
                            ********************************************************

                            PLEASE HELP ME OUT HERE :((

                              • 12. Re: JAAS Security in JBOSS 4.0 ISSUES??
                                angelzworld

                                2 days and still no reply to my topic.......... :(
                                I am using the JBoss 4.0.2 version.

                                Well, I have done a lot of research on the exception "insufficient permissions....principal=[null]...", and from what I found on the forums and the Wiki, my login-config.xml needs to be like this:

                                ****************login-config.xml***************************
                                <application-policy name = "megs">
                                  <authentication>
                                    <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                                                  flag = "required">
                                      <module-option name = "unauthenticatedIdentity">guest</module-option>
                                      <module-option name = "dsJndiName">java:/PostgresDS</module-option>
                                      <module-option name = "principalsQuery">SELECT passwd FROM users WHERE username=?</module-option>
                                      <module-option name = "rolesQuery">SELECT userrole, 'Roles' FROM userroles WHERE username=?</module-option>
                                    </login-module>

                                    <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
                                    </login-module>
                                  </authentication>
                                </application-policy>
                                *******************************************************

                                However, no use; it still fails, giving me the "Insufficient permissions...principal=[null]" exception.

                                I also tried using
                                <module-option name="password-stacking">useFirstPass</module-option> in the login-config.xml file for the DatabaseServerLoginModule and/or the ClientLoginModule, with no effect though. When used for the ClientLoginModule only, it gives a

                                *******No matching username found.....exception*******************

                                I am sure the authentication info is not getting propagated, because the login is performed successfully and all my println statements are printed. There is a redirect code fragment in my code on successful login:
                                *********************************************
                                HttpServletResponse response = ServletActionContext.getResponse();
                                response.sendRedirect("/megs/overview.action?view=overview");
                                ******************************************************

                                The call executes and the required class calls a function on the EJB by the name Region. This is where I get the exception. Is it because I am doing a redirect that the authentication information is lost? Or is it because I am missing something somewhere in the configuration files, as a result of which I am unable to proceed?

                                Please do let me know....

                                • 13. Re: JAAS Security in JBOSS 4.0 ISSUES??
                                  darranl

                                  What is the client that is trying to authenticate?

                                  It looks as if you have a web application; rather than using the ClientLoginModule, you should be using the servlet authentication that you need to define in the web.xml.

                                  How many calls does your web application make to the EJB tier in a single request? There is a known issue with JBoss 4.0.2 that can cause this to fail if you make more than one call. (There is a patch available for this, but it will be better if I can see what you are doing, to see if this is appropriate for you.)

                                  • 14. Re: JAAS Security in JBOSS 4.0 ISSUES??
                                    darranl

                                    Sorry, I just looked back at your earlier posts; I missed the web.xml.

                                    Is there a login-config in the web.xml or has it been missed off by the forum?

                                    What mechanism do you use to get the user to enter their credentials?
