org.apache.catalina.authenticator.AuthenticatorBase Failed au
michael.c.small Sep 30, 2005 8:45 AM
Using JAAS container authentication and authorization, I'm getting very strange results. If I request a protected resource (as defined by security-constraints in my web.xml), I am correctly taken to my login page. After entering valid credentials, I pass a FormAuthenticator authentication but appear to fail in the AuthenticatorBase authentication. Below is the logging from my server.log (I've bolded the section that I believe is causing the problem). Any idea why this authenticate fails (especially since FormAuthenticator succeeds)? Note that I'm using a custom LoginModule. I don't believe, however, that is the problem because it works well accessing my EJBs directly.
2005-09-30 07:25:14,776 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] defaultLogin, lc=javax.security.auth.login.LoginContext@1132f26, subject=Subject(8169456).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members)))
2005-09-30 07:25:14,777 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] updateCache, inputSubject=Subject(8169456).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members))), cacheSubject=Subject(27024614).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members)))
2005-09-30 07:25:14,777 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@971e9d[Subject(27024614).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members))),credential.class=java.lang.String@31664352,expirationTime=1128083092930]
2005-09-30 07:25:14,777 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] End isValid, true
2005-09-30 07:25:14,777 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: woper_testuser01 is authenticated
2005-09-30 07:25:14,778 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject: Principal: com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162] Principal: CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]) Principal: Roles(members:TascForce(members)) , principal=woper_testuser01
2005-09-30 07:25:14,779 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@971e9d[Subject(27024614).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members))),credential.class=java.lang.String@31664352,expirationTime=1128083092930]
2005-09-30 07:25:14,779 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Mapped from input principal: woper_testuser01to: com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]
2005-09-30 07:25:14,779 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] getUserRoles, subject: Subject: Principal: com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162] Principal: CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]) Principal: Roles(members:TascForce(members))
2005-09-30 07:25:14,779 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] End authenticate, principal=GenericPrincipal[4310000-0000162(TascForce,)]
2005-09-30 07:25:14,779 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'woper_testuser01' was successful
2005-09-30 07:25:14,779 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/tasconline/app/main.faces'
2005-09-30 07:25:14,779 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ??/tasconline/app/j_security_check
2005-09-30 07:25:14,779 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SessionID: 206E313AE6C29507AFAF738D53B62DA2
2005-09-30 07:25:14,780 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SecurityAssociation.exception: null
2005-09-30 07:25:14,780 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Exit, username: woper_testuser01
2005-09-30 07:25:14,785 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 206E313AE6C29507AFAF738D53B62DA2
2005-09-30 07:25:14,786 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Enter, j_username=null
2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /tasconline/app/main.faces
2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[General Secured Resources]' against GET /app/main.faces --> true
2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[TascForce Secured Resources]' against GET /app/main.faces --> false
2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Provider Secured Resources]' against GET /app/main.faces --> false
2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Client Secured Resources]' against GET /app/main.faces --> false
2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Participant Secured Resources]' against GET /app/main.faces --> false
2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
2005-09-30 07:25:14,786 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] hasUserDataPermission, p=(javax.security.jacc.WebUserDataPermission /app/main.faces GET)
2005-09-30 07:25:14,787 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] Denied: (javax.security.jacc.WebUserDataPermission /app/main.faces GET)
2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session '206E313AE6C29507AFAF738D53B62DA2'
2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated '4310000-0000162' with type 'FORM'
2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
2005-09-30 07:25:14,787 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] No active subject found, using
2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] Denied: (javax.security.jacc.WebResourcePermission /app/main.faces GET)
2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] hasResourcePermission, perm=(javax.security.jacc.WebResourcePermission /app/main.faces GET), allowed=false
2005-09-30 07:25:14,788 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test
2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SessionID: 206E313AE6C29507AFAF738D53B62DA2
2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SecurityAssociation.exception: null
2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Exit, username: null
2005-09-30 07:25:15,045 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1128083115045 sessioncount 0
2005-09-30 07:25:15,045 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
My web.xml:
<?xml version="1.0"?>
<!--
 * Copyright 2004 The Apache Software Foundation.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * UPDATED: Marty Hall changed to use .faces suffix,
 * faces-config.xml filename, servlets 2.4,. and extensions filter.
 * See JSF tutorial at http://www.coreservlets.com/.
-->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <context-param>
    <param-name>javax.faces.CONFIG_FILES</param-name>
    <param-value>/WEB-INF/faces-config.xml</param-value>
    <description>
      Comma separated list of URIs of (additional) faces config files.
      (e.g. /WEB-INF/my-config.xml) See JSF 1.0 PRD2, 10.3.2
    </description>
  </context-param>

  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
    <description>
      State saving method: "client" or "server" (= default)
      See JSF Specification 2.5.2
    </description>
  </context-param>

  <context-param>
    <param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
    <param-value>true</param-value>
    <description>
      This parameter tells MyFaces if javascript code should be allowed in the
      rendered HTML output. If javascript is allowed, command_link anchors will
      have javascript code that submits the corresponding form. If javascript
      is not allowed, the state saving info and nested parameters will be added
      as url parameters.
      Default: "true"
    </description>
  </context-param>

  <context-param>
    <param-name>org.apache.myfaces.PRETTY_HTML</param-name>
    <param-value>true</param-value>
    <description>
      If true, rendered HTML code will be formatted, so that it is "human readable".
      i.e. additional line separators and whitespace will be written, that do not
      influence the HTML code.
      Default: "true"
    </description>
  </context-param>

  <context-param>
    <param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
    <param-value>false</param-value>
  </context-param>

  <context-param>
    <param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
    <param-value>true</param-value>
    <description>
      If true, a javascript function will be rendered that is able to restore the
      former vertical scroll on every request. Convenient feature if you have pages
      with long lists and you do not want the browser page to always jump to the top
      if you trigger a link or button action that stays on the same page.
      Default: "false"
    </description>
  </context-param>

  <!-- Listener, that does all the startup work (configuration, init). -->
  <listener>
    <listener-class>org.apache.myfaces.webapp.StartupServletContextListener</listener-class>
  </listener>

  <!-- Faces Servlet
       Marty Hall: changed .jsf back to standard of .faces -->
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
  </servlet-mapping>

  <!-- Extensions Filter
       Marty Hall: pasted this in from myfaces-examples; it is needed for custom
       components that use JavaScript. Note that url-pattern of filter-mapping must
       match the url-pattern of servlet-mapping above. So, if you change from .faces
       to .jsf, change BOTH url-pattern entries. -->
  <filter>
    <filter-name>extensionsFilter</filter-name>
    <filter-class>org.apache.myfaces.component.html.util.ExtensionsFilter</filter-class>
    <init-param>
      <param-name>uploadMaxFileSize</param-name>
      <param-value>100m</param-value>
      <description>
        Set the size limit for uploaded files.
        Format: 10 - 10 bytes, 10k - 10 KB, 10m - 10 MB, 1g - 1 GB
      </description>
    </init-param>
    <init-param>
      <param-name>uploadThresholdSize</param-name>
      <param-value>100k</param-value>
      <description>
        Set the threshold size - files below this limit are stored in memory,
        files above this limit are stored on disk.
        Format: 10 - 10 bytes, 10k - 10 KB, 10m - 10 MB, 1g - 1 GB
      </description>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>extensionsFilter</filter-name>
    <url-pattern>*.faces</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>extensionsFilter</filter-name>
    <url-pattern>/faces/*</url-pattern>
  </filter-mapping>

  <!-- Security Constraint for resources used by all the different possible roles -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>General Secured Resources</web-resource-name>
      <url-pattern>/app/main.faces</url-pattern>
      <url-pattern>/app/main.jsp</url-pattern>
      <url-pattern>/app/common/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>TascForce</role-name>
      <role-name>Provider</role-name>
      <role-name>Client</role-name>
      <role-name>Participant</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Security Constraint for TascForce resources -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TascForce Secured Resources</web-resource-name>
      <url-pattern>/app/tascforce/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>TascForce</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Security Constraint for Provider resources -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Provider Secured Resources</web-resource-name>
      <url-pattern>/app/provider/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>TascForce</role-name>
      <role-name>Provider</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Security Constraint for Client resources -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Client Secured Resources</web-resource-name>
      <url-pattern>/app/client/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>TascForce</role-name>
      <role-name>Provider</role-name>
      <role-name>Client</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Security Constraint for Participant resources -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Participant Secured Resources</web-resource-name>
      <url-pattern>/app/participant/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>TascForce</role-name>
      <role-name>Provider</role-name>
      <role-name>Client</role-name>
      <role-name>Participant</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Login Configuration - lists the type of authentication method and the pages used for login -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>TASCSystem - JAAS</realm-name>
    <form-login-config>
      <form-login-page>/security/login.faces</form-login-page>
      <form-error-page>/security/login-redirect.faces</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Security roles -->
  <!-- TascForce -->
  <security-role>
    <description>TASC Employee</description>
    <role-name>TascForce</role-name>
  </security-role>
  <!-- Provider -->
  <security-role>
    <description>TASC Provider</description>
    <role-name>Provider</role-name>
  </security-role>
  <!-- Client -->
  <security-role>
    <description>TASC Client</description>
    <role-name>Client</role-name>
  </security-role>
  <!-- Participant -->
  <security-role>
    <description>TASC Participant</description>
    <role-name>Participant</role-name>
  </security-role>

  <!-- error page definitions -->
  <!-- system errors -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errors/system-error.faces</location>
  </error-page>

  <!-- Welcome files -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

</web-app>
My jboss-web.xml:
<jboss-web> <security-domain>java:/jaas/tasconline</security-domain> </jboss-web>
My context.xml:
<Context cookies="true" crossContext="true"> <Valve className="org.jboss.web.tomcat.security.FormAuthValve" includePassword="false"/> </Context>
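A small triage script for traces like the one in this post, added here as an example (it is not part of the original post or of JBoss). It walks the decision lines in order and separates the realm's authentication result from the JACC authorization result, so the step where the outcome changed stands out; the sample lines are copied from the log above, abridged to the decision lines.

```python
import re

# Constructed sample: decision lines copied from the trace in the post, abridged.
SAMPLE = """\
2005-09-30 07:25:14,779 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] End authenticate, principal=GenericPrincipal[4310000-0000162(TascForce,)]
2005-09-30 07:25:14,779 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'woper_testuser01' was successful
2005-09-30 07:25:14,779 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/tasconline/app/main.faces'
2005-09-30 07:25:14,779 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ??/tasconline/app/j_security_check
2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /tasconline/app/main.faces
2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[General Secured Resources]' against GET /app/main.faces --> true
2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[TascForce Secured Resources]' against GET /app/main.faces --> false
2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated '4310000-0000162' with type 'FORM'
2005-09-30 07:25:14,787 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] No active subject found, using
2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] Denied: (javax.security.jacc.WebResourcePermission /app/main.faces GET)
2005-09-30 07:25:14,788 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test
"""

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) \[(?P<cat>[^\]]+)\] (?P<msg>.*)$")
PRINCIPAL_RE = re.compile(r"GenericPrincipal\[(?P<name>[^(\]]+)\((?P<roles>[^)]*)\)\]")
CONSTRAINT_RE = re.compile(r"Checking constraint 'SecurityConstraint\[(?P<name>[^\]]+)\]' against \S+ \S+ --> (?P<hit>true|false)")
DENIED_RE = re.compile(r"Denied: \((?P<perm>javax\.security\.jacc\.\w+) (?P<path>\S+) (?P<method>\w+)\)")

def parse(text):
    """Split the trace into timestamp/level/category/message records; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def triage(text):
    """Walk the decisions in order and record what the container concluded at each step."""
    report = {"principal": None, "roles": set(), "matched_constraints": [],
              "jacc_denials": [], "no_subject_before_denial": False, "findings": []}
    prev, saw_no_subject = "", False
    for ev in parse(text):
        msg = ev["msg"]
        if m := PRINCIPAL_RE.search(msg):          # realm result: principal plus its roles
            report["principal"] = m["name"]
            report["roles"] = {r for r in m["roles"].split(",") if r}
        elif (m := CONSTRAINT_RE.search(msg)) and m["hit"] == "true":
            report["matched_constraints"].append(m["name"])
        elif "Failed authenticate() test" in msg and "Redirecting to original" in prev:
            # FormAuthenticator returns false on j_security_check once it has redirected to the original URL
            report["findings"].append("j_security_check: redirect after successful login")
        elif "No active subject found" in msg:
            saw_no_subject = True
        elif m := DENIED_RE.search(msg):
            report["jacc_denials"].append((m["perm"], m["path"], m["method"]))
            if saw_no_subject and m["perm"].endswith("WebResourcePermission"):
                report["no_subject_before_denial"] = True
        elif "Failed accessControl() test" in msg:
            report["findings"].append("container denied the restored request after authentication")
        prev = msg
    if report["no_subject_before_denial"]:
        report["findings"].append(
            f"realm authenticated {report['principal']} with roles {sorted(report['roles'])}, but "
            "JaccAuthorizationRealm checked WebResourcePermission with no active subject")
    return report
```

On the sample above the report shows the realm granting role TascForce, the General Secured Resources constraint matching, and the denial coming from the JACC realm's WebResourcePermission check rather than from the realm's authentication.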