19 Replies. Latest reply on Jan 10, 2007 4:27 AM by alexmanes

    Dynamic registration of a custom login module?

    andrew.rw.robinson

      I am pretty new to JBoss and am trying to figure out how to digest

      http://www.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig

      I understand the content of the XML, but not how to deploy this thing. What I have is two custom realm modules (LoginModule) that I want to use. One is for my JSF deployment (MyCompClientJSF.ear that contains a war file) and a web service deployment (MyCompWebService.ear that contains a war file).

      For each project I have a login-config.xml declared that I am currently putting in my war's META-INF directory. Here is a dummy one I tried just to see if I could get it working with a JBoss LoginModule:

      <?xml version="1.0" encoding="UTF-8"?>

      <application-policy name="TestRealm">
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required">
          <module-option name="usersProperties">test-users.properties</module-option>
          <module-option name="rolesProperties">test-roles.properties</module-option>
        </login-module>
      </application-policy>


      The problem is that I really don't know much about mbeans at all. Neither that wiki nor others seem to mention where to put the xml file with the server/mbean declaration and if there is a naming convention or anything that is required. If someone could help me with the deployment I would greatly appreciate it.

      My current deployment:
      server/default/
        Test.war
          META-INF/
            login-config.xml
            jboss.xml
          WEB-INF/
            lib/
              customLoginModule.jar
          (...)
        MyCompanyClientJSF.ear/
          META-INF/
            application.xml
          MyCompanyClient.war
            META-INF/
              login-config.xml
              jboss.xml
            WEB-INF/
              lib/
                customLoginModule.jar
            (...)

      My company is a software shop and not a hosting shop, so we don't control our clients' JBoss servers and we want to keep deployment down to a minimum (I want to get as close as possible to dropping a couple of files in the "deploy" directory and it just works, and not have to modify any of the JBoss xml files that are provided).

      Thanks,
      Andrew

        • 1. Re: Dynamic registration of a custom login module?
          j2ee_junkie

          Andrew,

          What you want to do is to deploy the DynamicLoginConfig mbean. This mbean then will look for the login-config file you have specified in the service.xml file (or embedded in the mbean config if using JBoss >= 4.0.3). The DynamicLoginConfig is deployed depending on where you put the -service.xml file. I have always deployed it with my ear. But then again I have my ears isolated from the rest of the server, so this is my only option. This is done by putting the -service.xml file along with the login-config.xml file at the base of the ear, and then specifying the -service.xml file as a java module in application.xml. I guess I could have also deployed it in a sar in my ear. I do not know what would happen if you just put the -service.xml file in the deploy directory.

          Are you still having trouble with this?

          • 2. Re: Dynamic registration of a custom login module?
            j2ee_junkie

            After further reading, I realize there is a better way...

            You have two ears you mention as your projects, correct?

            In each ear, include at the base a .sar that contains

            *.sar/
             +--> META-INF/
             +--------> jboss-service.xml
             +--> login-config.xml
             +--> customLoginModules.jar
            


            where the jboss-service.xml contains the mbean element config'ing the DynamicLoginConfig mbean. Then deploy the sar with your ear by adding the module element to your jboss-app.xml



            • 3. Re: Dynamic registration of a custom login module?
              andrew.rw.robinson

              Going to give this a shot, will let you know how it goes. Thanks

              • 4. Re: Dynamic registration of a custom login module?
                j2ee_junkie

                Worked for me.

                • 5. Re: Dynamic registration of a custom login module?
                  andrew.rw.robinson

                  Looks like it is working, thanks for the help

                  • 6. Re: Dynamic registration of a custom login module?
                    andrew.rw.robinson

                    Okay new problem. First ear works fine, but the 2nd ear generates an error:
                    org.jboss.deployment.DeploymentException: Trying to install an already registered mbean: jboss:service=DynamicLoginConfig

                    Obviously this is happening because I have the same mbean definition in both ear files. My question is what I should do about it? Is there a way to say "deploy if it doesn't already exist" in an mbean declaration? or is there a better way I can tackle the DynamicLoginConfig mbean deployment?

                    • 7. Re: Dynamic registration of a custom login module?
                      j2ee_junkie

                      Most likely this is because you did not change the name of the mbean in the descriptor file. If you just copied and pasted from the wiki page, the name is the same as an already deployed mbean. So just rename it to something that is important to you.

                      enjoy, c
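
The packaging described in replies 2 and 7, written out as an added example that is not part of the original thread or of the JBoss wiki: one ear's sar descriptor with a server-unique mbean name, the login config it loads, and the descriptors that wire it in. The sar name, mbean ObjectName, policy name and login module class are assumptions made for illustration; the second ear would carry the same files with its own mbean name and policy name.

```xml
<!-- ===== MyCompClientJSF.ear/client-login.sar/META-INF/jboss-service.xml ===== -->
<server>
  <!-- The mbean name must be unique on the server. Reusing
       jboss:service=DynamicLoginConfig in both ears is what produces
       "Trying to install an already registered mbean".
       The name below is hypothetical; give the second ear a different one. -->
  <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
         name="mycomp.security:service=DynamicLoginConfig,app=ClientJSF">
    <!-- Resource name of the login config packaged at the root of the sar -->
    <attribute name="AuthConfig">login-config.xml</attribute>
    <depends optional-attribute-name="LoginConfigService">
      jboss.security:service=XMLLoginConfig
    </depends>
    <depends optional-attribute-name="SecurityManagerService">
      jboss.security:service=JaasSecurityManager
    </depends>
  </mbean>
</server>

<!-- ===== MyCompClientJSF.ear/client-login.sar/login-config.xml ===== -->
<policy>
  <!-- Policy name is hypothetical; use a distinct name per application -->
  <application-policy name="ClientJsfRealm">
    <authentication>
      <!-- Hypothetical class shipped in customLoginModules.jar inside the sar -->
      <login-module code="com.mycomp.security.CustomLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>

<!-- ===== MyCompClientJSF.ear/META-INF/jboss-app.xml ===== -->
<jboss-app>
  <module>
    <!-- Deploys and undeploys the sar together with the ear -->
    <service>client-login.sar</service>
  </module>
</jboss-app>

<!-- ===== MyCompanyClient.war/WEB-INF/jboss-web.xml ===== -->
<jboss-web>
  <!-- Must match the application-policy name above, prefixed with java:/jaas/ -->
  <security-domain>java:/jaas/ClientJsfRealm</security-domain>
</jboss-web>
```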

                      • 8. Re: Dynamic registration of a custom login module?
                        nigelwhite

                        Hi j2ee_junkie!

                        I'm trying to implement my own LoginModule, again without having to configure any external config files.

                        I have the Login module, but I can't make it use it without changing the server/conf/login-config.xml. I'm using the Embedded Login Configuration in http://wiki.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig

                        I'm putting that into a .sar file as you describe:

                        GF.ear
                        +--> GF.sar
                        |    +--> META-INF
                        |    |    +--> jboss-service.xml
                        |    +--> CustomLoginModules.jar
                        |         +--> com/fcl/security/GreenfieldsLoginModule.class
                        +--> ejbs.jar
                        +--> webapp.war


                        jboss-service.xml looks like
                        <?xml version='1.0'?>
                        <!DOCTYPE policy PUBLIC
                          "-//JBoss//DTD MBean Service 4.0//EN"
                          "http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">
                        <server>
                          <!-- The custom JAAS login configuration that installs
                               a Configuration capable of dynamically updating the
                               config settings
                          -->
                          <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
                                 name="jboss.security.tests:service=LoginConfig">
                            <attribute name="PolicyConfig" serialDataType="jbxb">
                              <jaas:policy
                                xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
                                xmlns:jaas="urn:jboss:security-config:4.1"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

                                <!-- Our Greenfields login config -->
                                <jaas:application-policy name="Greenfields">
                                  <jaas:authentication>
                                    <jaas:login-module code="com.fcl.security.GreenfieldsLoginModule" flag="required">
                                      <jaas:module-option name="unauthenticatedIdentity">anonymous</jaas:module-option>
                                      <jaas:module-option name="principalClass">com.fcl.security.GreenfieldsUser</jaas:module-option>
                                      <jaas:module-option name="ignorePasswordCase">true</jaas:module-option>
                                    </jaas:login-module>

                                    <!-- Include the ClientLoginModule propagation -->
                                    <jaas:login-module code="org.jboss.security.ClientLoginModule" flag="required">
                                      <jaas:module-option name="password-stacking">true</jaas:module-option>
                                      <jaas:module-option name="multi-threaded">true</jaas:module-option>
                                    </jaas:login-module>

                                  </jaas:authentication>
                                </jaas:application-policy>
                              </jaas:policy>
                            </attribute>
                            <depends optional-attribute-name="LoginConfigService">
                              jboss.security:service=XMLLoginConfig
                            </depends>
                            <depends optional-attribute-name="SecurityManagerService">
                              jboss.security:service=JaasSecurityManager
                            </depends>
                          </mbean>
                        </server>
                        


                        But it's producing:

                        14:40:55,031 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
                        java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
                         at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
                         at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
                         at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
                         at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
                         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                         at java.lang.reflect.Method.invoke(Method.java:585)
                         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
                         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                         at java.security.AccessController.doPrivileged(Native Method)
                         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                         at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                         at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:587)
                         at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:521)
                         at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:330)
                         at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:306)
                         at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
                         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
                         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
                         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
                         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
                         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                         at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                         at java.lang.Thread.run(Thread.java:595)


                        One more thing.

                        Even when it called my LoginModule correctly - when I had edited the server's login-config.xml, the SessionContext.getCallerPrincipal() still returned a JBoss SimplePrincipal rather than the GreenFieldsUser object that I specified (and which is correctly produced by session.getUserPrincipal())

                        • 9. Re: Dynamic registration of a custom login module?
                          j2ee_junkie

                          Nigel,

                          What version of JBoss are you using?

                          Can you provide some TRACE logging of the JBoss security layer around the time of authentication?

                          cgriffith

                          • 10. Re: Dynamic registration of a custom login module?
                            nigelwhite

                            Version 4.0.3

                            How do I turn tracing on?

                            Update on not getting my custom Principal. I am getting a com.fcl.security.GreenfieldsUser out of the SessionContext, but I can't cast it to that (which was making me think it was just handing me a SimplePrincipal) I think it's from a different ClassLoader.

                            I have the GreenfieldsUser class file in the EJB jar that's inside the EAR. Surely that should then be usable?

                              • 12. Re: Dynamic registration of a custom login module?
                                nigelwhite

                                OK, I can cast the SessionContext.getCallerPrincipal() to my custom Principal class!

                                It's just started working!!

                                Hmm...

                                OK, now I just need this DynamicLoginConfig to work.

                                Any idea how I can add a DataSource without having to drop a separate XML file into the deploy directory? I'd just like to keep everything inside the EAR.

                                • 13. Re: Dynamic registration of a custom login module?
                                  nigelwhite

                                  It's just TOOOO weird.

                                  I have to have an empty security domain in jboss.xml in my EJB jar:

                                  <?xml version="1.0" encoding="UTF-8"?>
                                  <jboss>
                                   <security-domain/>
                                  </jboss>


                                  If I put the correct security domain in (java:/jaas/Greenfields), it says:

                                  15:45:21,781 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
                                  java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
                                   at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
                                   at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
                                   at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
                                   at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
                                   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                                   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                                   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                   at java.lang.reflect.Method.invoke(Method.java:585)
                                   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
                                   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                                   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                                   at java.security.AccessController.doPrivileged(Native Method)
                                   at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                                   at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                                   at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:587)
                                   at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:521)
                                   at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:330)
                                   at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:121)
                                   at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:67)
                                   at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                                   at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
                                   at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                                   at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
                                   at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                                   at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:178)
                                   at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:74)
                                   at $Proxy120.getAll(Unknown Source)
                                   at com.fcl.gf.mgr.ListMgr.getList(Unknown Source)



                                  But then I have to put

                                  @SecurityDomain("Greenfields")


                                  At the declaration of my EJB

                                  into the EJBs that I'm using, otherwise it says:

                                  15:48:01,968 ERROR [STDERR] javax.ejb.EJBException: java.lang.IllegalStateException: isCallerInRole() called with no security context. Check that a security-domain has been set for the application.
                                  15:48:01,968 ERROR [STDERR] at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:69)
                                  15:48:01,984 ERROR [STDERR] at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83)
                                  15:48:01,984 ERROR [STDERR] at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:192)
                                  15:48:01,984 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                                  15:48:01,984 ERROR [STDERR] at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
                                  15:48:01,984 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                                  15:48:01,984 ERROR [STDERR] at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:5
                                  )


                                  This isn't making sense.

                                  • 14. Re: Dynamic registration of a custom login module?
                                    j2ee_junkie

                                    Nigel,

                                    I put my_datasource-ds.xml file at the root of my ear. Then I add

                                     ...
                                     <module>
                                       <java>my_datasource-ds.xml</java>
                                     </module>
                                     ...
                                    


                                    to application.xml. This datasource then gets deployed/undeployed automatically with ear by service http://wiki.jboss.org/wiki/Wiki.jsp?page=XSLSubDeployer.

                                    Also AFAIK, you can do the same thing with your login-config.xml. I use the sar method described earlier because I package login modules inside the sar.

                                    Glad to hear you are coming along on solving your problems, cgriffith
