10 Replies Latest reply on Dec 19, 2005 4:41 AM by ego2002

    Issue with JBOSS JAAS login

    nikhilkumar

      I have been trying to use DatabaseServerLogin. I am appending the login-config.xml, the login.jsp, the web.xml and the extract from the server log. (I turned on security debugging). I have a table called Principals with fields PrincipalID and Password in my database, and a table called Roles with fields called PrincipalID, Role, RoleGroup.

      To deal with the login link problem, I have a link that connects to a signin.jsp page that is protected. When you try to link to it, the login.jsp page is invoked.

      When I try to give the wrong password/userID, it correctly routes me to login-error.html

      When I try to login correctly, it gives me a 403 error "HTTP Status 403 - Access to the requested resource has been denied". I checked the server log and it seems that I was authenticated but not authorized. What has to be done to "authorize" me? I could not find any documentation that explicitly tells me to authorize, when logging in.

      Server log excerpt:
      file:/C:/aptsi_home/jboss/jboss-3.2.3/server/default/deploy/tsm.ear
      2005-12-06 16:11:23,687 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] run: IdleRemover notifying pools, interval: 450000
      2005-12-06 16:12:17,421 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] default, runAs: null
      2005-12-06 16:12:17,484 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] default, runAs: null
      2005-12-06 16:12:17,515 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] default, runAs: null
      2005-12-06 16:12:17,515 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] default, runAs: null
      2005-12-06 16:12:17,531 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] default, runAs: null
      2005-12-06 16:12:17,562 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] default, runAs: null
      2005-12-06 16:12:17,578 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] default, runAs: null
      2005-12-06 16:12:17,578 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] default, runAs: null
      2005-12-06 16:12:17,609 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] default, runAs: null
      2005-12-06 16:12:17,625 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] default, runAs: null
      2005-12-06 16:12:19,125 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] jsp, runAs: null
      2005-12-06 16:12:19,140 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] jsp, runAs: null
      2005-12-06 16:12:20,953 INFO [STDOUT] in < JDBCConnectionManager's connect: 1 >
      2005-12-06 16:12:20,953 INFO [STDOUT] in < JDBCConnectionManager's reg Driver >
      2005-12-06 16:12:20,968 INFO [STDOUT] Successful registration
      2005-12-06 16:12:20,968 INFO [STDOUT] in < JDBCConnectionManager's connect: 2 >
      2005-12-06 16:12:21,125 INFO [STDOUT] in < JDBCConnectionManager's connect: 3 >
      2005-12-06 16:12:21,125 INFO [STDOUT] in < JDBCConnectionManager's connect: 1 >
      2005-12-06 16:12:21,125 INFO [STDOUT] in < JDBCConnectionManager's reg Driver >
      2005-12-06 16:12:21,125 INFO [STDOUT] Successful registration
      2005-12-06 16:12:21,125 INFO [STDOUT] in < JDBCConnectionManager's connect: 2 >
      2005-12-06 16:12:21,140 INFO [STDOUT] in < JDBCConnectionManager's connect: 3 >
      2005-12-06 16:12:21,140 INFO [STDOUT] sucess in init trying to createStatement
      2005-12-06 16:12:21,140 INFO [org.jboss.web.localhost.Engine] jsp: Hello World
      2005-12-06 16:12:21,140 INFO [STDOUT] Help!
      2005-12-06 16:12:21,140 INFO [STDOUT] The User Name is null
      2005-12-06 16:12:21,187 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] default, runAs: null
      2005-12-06 16:12:28,578 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] default, runAs: null
      2005-12-06 16:12:28,578 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Begin authenticate, username=root
      2005-12-06 16:12:28,578 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] logout
      2005-12-06 16:12:28,578 TRACE


      Web.xml:
      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

      <web-app>

        <!--
        - Deployment descriptor for an authenticated
        - section of the web site.
        -->
        <display-name>ial</display-name>
        <description>test</description>
        <welcome-file-list>
          <welcome-file>home.htm</welcome-file>
        </welcome-file-list>
        <resource-ref>
          <res-ref-name>jdbc/mySQL</res-ref-name>
          <res-type>javax.sql.DataSource</res-type>
          <res-auth>Container</res-auth>
        </resource-ref>
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Restricted</web-resource-name>
            <description>Declarative security</description>
            <url-pattern>/signin.jsp</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
            <role-name>user</role-name>
          </auth-constraint>
          <user-data-constraint>
            <description>No descrp</description>
            <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
        </security-constraint>
        <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>ial</realm-name>
          <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login_error.htm</form-error-page>
          </form-login-config>
        </login-config>
        <security-role>
          <role-name>ial</role-name>
        </security-role>
        <security-role>
          <role-name>user</role-name>
        </security-role>
      </web-app>




      login-config.xml excerpt:

      <application-policy name="other">

        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <module-option name="unauthenticatedIdentity">guest</module-option>
          <module-option name="dsJndiName">java:/mySQL</module-option>
          <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
          <module-option name="rolesQuery">select Role,RoleGroup from Roles where PrincipalID=?</module-option>
        </login-module>

      </application-policy>

      <!-- Security domains for testing new jca framework -->
      <application-policy name="MySqlDbRealm">

        <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
          <module-option name="principal">aptsi_dev</module-option>
          <module-option name="userName">root</module-option>
          <module-option name="password">aptsi</module-option>
          <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=mySQL</module-option>
        </login-module>

      </application-policy>



      Login.jsp excerpt:

      <form id="data-entryForm" method="POST"
            action='<%= response.encodeURL( "j_security_check" ) %>'>
        <%-- j_username and j_password are the field names the servlet spec requires for FORM login --%>
        User Login
        User Name <input type="text" name="j_username">
        Password <input type="password" name="j_password">
        <input type="submit" value="Login">
        <input type="reset" value="Reset">
      </form>

      <!-- my-sql.ds excerpt -->

      <local-tx-datasource>
        <jndi-name>mySQL</jndi-name>
        <connection-url>jdbc:mysql://localhost:3306/idmgmt</connection-url>
        <driver-class>com.mysql.jdbc.Driver</driver-class>
        <user-name>root</user-name>
        <password>aptsi</password>
      </local-tx-datasource>







        • 1. Re: Issue with JBOSS JAAS login
          nikhilkumar

          Figured it out. Sorry, it was a silly mistake. Did not correctly configure security-roles tag in web.xml. Thus it was authenticating but not authorizing.

          Regards,
          Nikhil

          • 2. Re: Issue with JBOSS JAAS login
            ego2002

            Hi!

            I've got the same problem you had... I get a 403 error when I succeed in authentication... So I can't have access to JBoss Administration Portlet... Which web.xml file were you talking about?

            Thanks for your help...

            Il Dima

            • 3. Re: Issue with JBOSS JAAS login
              nikhilkumar

              Il Dima,

              In the web.xml there is a tag for security-roles. This needs to be the same as the user's role returned in the authentication query, as the user needs to be authorised to access the resource, as well as authenticated.


              In web.xml:
              <security-role>
              <role-name>user</role-name>
              </security-role>

              In login-config:
              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
              <module-option name="unauthenticatedIdentity">guest</module-option>
              <module-option name="dsJndiName">java:/mySQL</module-option>
              <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
              <module-option name="rolesQuery">select Role,RoleGroup from Roles where PrincipalID=?</module-option>
              </login-module>

              Hope this helps..

              • 4. Re: Issue with JBOSS JAAS login
                ego2002

                This is ok...

                I think the problem is that JBoss doesn't recognise my role... (is there a way to print it out?)
                The query is like your one and the user is logged in, so the db connection works fine...

                In login-config, which <application-policy> did you change? There are "portal" "webdav" and "other", is it right? I changed all of them...

                I can't find a way to get out of here... :(

                Thanks a lot...

                Il Dima

                • 5. Re: Issue with JBOSS JAAS login
                  nikhilkumar

                  ego2002,

                  There are 2 aspects:

                  1. You need to authenticate (which means that you will log in) if the results
                  from the Password, where Role maps to the role in the authorization clause.
                  2. You need to authorize access to the role by setting the <security-role> element in the web.xml in WEB-INF.
                  3. The application-policy is "other"
                  4. Use the DEBUG flags in log4j.xml in the JBOSS dir to log the security info for debugging. This is how you do it:


                  <!--
                  | An example of enabling the custom TRACE level priority that is used
                  | by the JBoss internals to diagnose low level details. This example
                  | turns on TRACE level msgs for the org.jboss.ejb.plugins package and its
                  | subpackages. This will produce A LOT of logging output.
                  -->

                  Cheers!

                  • 6. Re: Issue with JBOSS JAAS login
                    nikhilkumar

                    For some reason I can't seem to submit the XML for the log4j properties (shows blank). So,
                    I will try to put it without the "<" and replace with "BeginElem" for this message:

                    <category name="org.jboss.web.tomcat.security">
                      <priority value="TRACE" class="org.jboss.logging.XLevel"/>
                    </category>

                    Repeat for:
                    <category name="org.apache.catalina"> and <category name="org.jboss.security">

                    Note that this is also documented in the Wiki somewhere.

                    Cheers!

                    • 7. Re: Issue with JBOSS JAAS login
                      ego2002

                      Before of all,
                      thanks for the help about debugging... this could be a nice step forward...

                      I insert here the part of the debugging which sounds strange to me... I'd thank you so much if you can tell me if you think this is normal or if you see something strange too...

                      "a" is my username and "Admin" is the role I want to have and I stored in the db...

                      ...
                      [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
                      [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
                      2005-12-15 15:31:32,375 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
                      2005-12-15 15:31:32,375 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
                      [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /portal/auth/j_security_check
                      [org.apache.catalina.authenticator.FormAuthenticator] Authenticating username 'a'
                      [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Begin authenticate, username=a
                      ...
                      [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@64978b
                      ...
                      [org.jboss.security.plugins.JaasSecurityManagerService] Added portal, org.jboss.security.plugins.SecurityDomainContext@2c3549 to map
                      [org.jboss.security.plugins.JaasSecurityManager.portal] Begin isValid, cache info: null
                      [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(portal), size=11
                      [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(portal), authInfo=AppConfigurationEntry[]:
                      [0]
                      LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
                      ControlFlag: LoginModuleControlFlag: required
                      Options:name=rolesQuery, value=select role, roleGroup from roles where principalID=?
                      name=principalsQuery, value=select pswd from principals where principalID=?
                      name=unauthenticatedIdentity, value=guest
                      name=dsJndiName, value=java:/PortalDS
                      ...
                      [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize
                      [org.jboss.security.auth.spi.DatabaseServerLoginModule] Saw unauthenticatedIdentity=guest
                      [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/PortalDS
                      [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=select pswd from principals where principalID=?
                      [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=select role, roleGroup from roles where principalID=?
                      [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
                      ...
                      [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'a' authenticated, loginOk=true
                      [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
                      [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role Admin
                      [org.jboss.security.plugins.JaasSecurityManager.portal] updateCache, subject=Subject:
                      Principal: a
                      Principal: Admin(members:Admin)

                      [org.jboss.security.plugins.JaasSecurityManager.portal] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@dc135d[Subject(8087063).principals=[a, Admin(members:Admin)],credential.class=java.lang.String@7318012,expirationTime=1134658896875]
                      [org.jboss.security.plugins.JaasSecurityManager.portal] End isValid, true
                      [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: a is authenticated
                      2005-12-15 15:31:37,015 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
                      Principal: a
                      Principal: Admin(members:Admin)
                      , principal=a
                      [org.jboss.security.plugins.JaasSecurityManager.portal] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@dc135d[Subject(8087063).principals=[a, Admin(members:Admin)],credential.class=java.lang.String@7318012,expirationTime=1134658896875]
                      [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Mapped from input principal: ato: a
                      [org.jboss.security.plugins.JaasSecurityManager.portal] getUserRoles, subject: Subject:
                      Principal: a
                      Principal: Admin(members:Admin)

                      [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] End authenticate, principal=GenericPrincipal[a()]
                      [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'a' was successful
                      [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/portal/auth/index.html?ctrl:id=window.default.CMSPortletWindow&ctrl:type=action&org.jboss.portal%23PATH=%2F'
                      [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ??/portal/auth/j_security_check
                      2005-12-15 15:31:37,047 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is D38E98990950B5EA8294D0A7CA054BD6
                      [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /portal/auth/index.html
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Admin]' against GET /auth/index.html --> true
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET /auth/index.html --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure+Admin]' against GET /auth/index.html --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Admin]' against GET /auth/index.html --> true
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET /auth/index.html --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure+Admin]' against GET /auth/index.html --> false
                      [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
                      [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
                      [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
                      [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session 'D38E98990950B5EA8294D0A7CA054BD6'
                      [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'a' with type 'FORM'
                      [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
                      [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
                      [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[a()]
                      [org.apache.catalina.realm.RealmBase] Username a does NOT have role Admin
                      [org.apache.catalina.realm.RealmBase] No role found: Admin
                      [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test
                      [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is D38E98990950B5EA8294D0A7CA054BD6
                      [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
                      [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
                      [org.jboss.security.SecurityAssociation] clear, server=true
                      [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is D38E98990950B5EA8294D0A7CA054BD6
                      [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /portal
                      [org.apache.catalina.authenticator.AuthenticatorBase] We have cached auth type FORM for principal GenericPrincipal[a()]
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Admin]' against GET / --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET / --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure+Admin]' against GET / --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Admin]' against GET / --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET / --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure+Admin]' against GET / --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Admin]' against GET / --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET / --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure+Admin]' against GET / --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Admin]' against GET / --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET / --> false
                      [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure+Admin]' against GET / --> false
                      [org.apache.catalina.realm.RealmBase] No applicable constraint located
                      [org.apache.catalina.authenticator.AuthenticatorBase] Not subject to any constraint
                      [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
                      [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
                      [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
                      Principal: a
                      Principal: Admin(members:Admin)
                      , principal=a
                      [org.apache.catalina.core.StandardWrapper] Returning non-STM instance
                      [org.jboss.portal.server.impl.invocation.InvocationImpl] Incoming request with id null
                      ...
                      [org.hibernate.impl.SessionFactoryObjectFactory] JNDI lookup: portal/SessionFactory
                      [org.hibernate.impl.SessionFactoryObjectFactory] lookup: uid=402857d2082ece3f01082ece49900000
                      [org.hibernate.jdbc.JDBCContext] successfully registered Synchronization
                      [org.hibernate.impl.SessionImpl] opened session at timestamp: 4647555481534464
                      [org.hibernate.impl.SessionImpl] find: from UserImpl as u where u.userName=?
                      [org.hibernate.engine.QueryParameters] parameters: [a]
                      [org.hibernate.engine.QueryParameters] named parameters: {}



                      So... "a" is authenticated and its role is "Admin" as he says in the beginning, but then a test on "test" fails and he doesn't recognise "a" as a member of "Admin"....

                      Thanks very much...

                      Have a nice day!

                      Il Dima

                      • 8. Re: Issue with JBOSS JAAS login
                        nikhilkumar

                        ego2002,

                        Have you put a security-role tag in web.xml with user whatever role (Admin?) you have for a?

                        Then, in web.xml
                        in the <security-constraint> element you need to put in the
                        <auth-constraint>
                        <role-name>user</role-name>
                        </auth-constraint>

                        Cheers!

                        • 9. Re: Issue with JBOSS JAAS login
                          nikhilkumar

                          Sorry,
                          instead of "user" substitute "Admin".

                          Regards,
                          Nikhil

                          • 10. Re: Issue with JBOSS JAAS login
                            ego2002

                            Perfect!!

                            Thanks a lot, dear!

                            The debug helped me so much!! My query for roles was wrong... I had to select 'Roles' as second field... Now it's ok... You helped me solve this problem... I'll remind you in my graduation thesis... ;)

                            Il Dima
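The failure in ego2002's log (reply 7, "Admin(members:Admin)" followed by "Username a does NOT have role Admin") and the fix in reply 10, modelled in a small added Python example that is not JBoss code: it mirrors how DatabaseServerLoginModule turns each rolesQuery row (role, roleGroup) into a Subject group, and how the container's <auth-constraint> check consults only the group named "Roles". The rows, user and role names are constructed from the thread; the third case (auth-constraint "user" against DB role "Admin") is the mismatch replies 8 and 9 point at.

```python
"""
Model of the authorization step debugged in this thread (added example,
not JBoss source). DatabaseServerLoginModule adds one Group per distinct
roleGroup value returned by rolesQuery; JaasSecurityManager hands the web
container only the members of the group literally named "Roles".
"""
from collections import defaultdict

ROLES_GROUP = "Roles"   # the only group name the container's role check reads


def build_subject_groups(rows):
    """rows: (role, roleGroup) pairs as returned by rolesQuery.
    Returns {groupName: frozenset(roles)}, i.e. what the log prints as
    'Principal: Admin(members:Admin)' or 'Principal: Roles(members:Admin)'."""
    groups = defaultdict(set)
    for role, group in rows:
        groups[group].add(role)
    return {g: frozenset(members) for g, members in groups.items()}


def container_roles(subject_groups):
    """Roles visible to <auth-constraint>: members of the 'Roles' group only."""
    return subject_groups.get(ROLES_GROUP, frozenset())


def access_control(subject_groups, auth_constraint_roles):
    """Emulates the container's accessControl(): grant when the caller holds
    at least one <role-name> listed in <auth-constraint>. Returns (allowed, reason)."""
    have = container_roles(subject_groups)
    for role in auth_constraint_roles:
        if role in have:
            return True, f"caller has role {role}"
    return False, f"403: caller roles {sorted(have)} include none of {list(auth_constraint_roles)}"


# Constructed data mirroring the thread (user 'a', role 'Admin').
# Wrong rolesQuery: the second column returned 'Admin', so the group was named
# 'Admin' and the container saw no roles at all.
WRONG_ROWS = [("Admin", "Admin")]
# Fixed rolesQuery ("select 'Roles' as second field"): group named 'Roles'.
FIXED_ROWS = [("Admin", "Roles")]
AUTH_CONSTRAINT = ["Admin"]   # <auth-constraint><role-name>Admin</role-name>


def diagnose(rows, auth_constraint=AUTH_CONSTRAINT):
    """Run both steps and return (allowed, subject_groups, reason)."""
    groups = build_subject_groups(rows)
    allowed, reason = access_control(groups, auth_constraint)
    return allowed, groups, reason


if __name__ == "__main__":
    cases = [
        ("wrong rolesQuery (group Admin)", WRONG_ROWS, AUTH_CONSTRAINT),
        ("fixed rolesQuery (group Roles)", FIXED_ROWS, AUTH_CONSTRAINT),
        ("fixed query but web.xml still says 'user'", FIXED_ROWS, ["user"]),
    ]
    for label, rows, constraint in cases:
        allowed, groups, reason = diagnose(rows, constraint)
        verdict = "allowed" if allowed else "denied"
        print(f"{label}: groups={groups} -> {verdict} ({reason})")
```

The first case reproduces the 403 even though login succeeded; only the second case, where the role sits in the "Roles" group and matches the role-name in web.xml, passes.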