-
1. Re: Dynamic registration of a custom login module?
j2ee_junkie Feb 2, 2006 11:22 AM (in response to andrew.rw.robinson)
Andrew,
What you want to do is deploy the DynamicLoginConfig MBean. This MBean will then look for the login-config file you have specified in the service.xml file (or embedded in the MBean config if using JBoss >= 4.0.3). The DynamicLoginConfig is deployed depending on where you put the -service.xml file. I have always deployed it with my ear. But then again I have my ears isolated from the rest of the server, so this is my only option. This is done by putting the -service.xml file along with the login-config.xml file at the base of the ear, and then specifying the -service.xml file as a java module in application.xml. I guess I could have also deployed it in a sar in my ear. I do not know what would happen if you just put the -service.xml file in the deploy directory.
Are you still having trouble with this?
-
2. Re: Dynamic registration of a custom login module?
j2ee_junkie Feb 2, 2006 11:40 AM (in response to andrew.rw.robinson)
After further reading, I realize there is a better way...
You have two ears you mention as your projects, correct?
In each ear, include at the base a .sar that contains
*.sar/
+--> META-INF/
+--------> jboss-service.xml
+--> login-config.xml
+--> customLoginModules.jar
where the jboss-service.xml contains the mbean element configuring the DynamicLoginConfig MBean. Then deploy the sar with your ear by adding the module element to your jboss-app.xml
-
3. Re: Dynamic registration of a custom login module?
andrew.rw.robinson Feb 2, 2006 12:20 PM (in response to andrew.rw.robinson)
Going to give this a shot, will let you know how it goes. Thanks
-
4. Re: Dynamic registration of a custom login module?
j2ee_junkie Feb 2, 2006 2:52 PM (in response to andrew.rw.robinson)
Worked for me.
-
5. Re: Dynamic registration of a custom login module?
andrew.rw.robinson Feb 2, 2006 9:02 PM (in response to andrew.rw.robinson)
Looks like it is working, thanks for the help
-
6. Re: Dynamic registration of a custom login module?
andrew.rw.robinson Feb 3, 2006 11:37 AM (in response to andrew.rw.robinson)
Okay, new problem. The first ear works fine, but the 2nd ear generates an error:
org.jboss.deployment.DeploymentException: Trying to install an already registered mbean: jboss:service=DynamicLoginConfig
Obviously this is happening because I have the same mbean definition in both ear files. My question is what I should do about it? Is there a way to say "deploy if it doesn't already exist" in an mbean declaration? Or is there a better way I can tackle the DynamicLoginConfig mbean deployment?
-
7. Re: Dynamic registration of a custom login module?
j2ee_junkie Feb 3, 2006 3:33 PM (in response to andrew.rw.robinson)
Most likely this is because you did not change the name of the mbean in the descriptor file. If you just copied and pasted from the wiki page, the name is the same as an already deployed mbean. So just rename it to something that is important to you.
enjoy, c
-
8. Re: Dynamic registration of a custom login module?
nigelwhite Mar 20, 2006 9:52 AM (in response to andrew.rw.robinson)
Hi j2ee_junkie!
I'm trying to implement my own LoginModule, again without having to configure any external config files.
I have the Login module, but I can't make it use it without changing the server/conf/login-config.xml. I'm using the Embedded Login Configuration in http://wiki.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig
I'm putting that into a .sar file as you describe:
GF.ear
 +--> GF.sar
 |     +--> META-INF
 |     |     +--> jboss-service.xml
 |     +--> CustomLoginModules.jar
 |           +--> com/fcl/security/GreenfieldsLoginModule.class
 +--> ejbs.jar
 +--> webapp.war
jboss-service.xml looks like
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
  "-//JBoss//DTD MBean Service 4.0//EN"
  "http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">
<server>
  <!-- The custom JAAS login configuration that installs
       a Configuration capable of dynamically updating the
       config settings -->
  <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
         name="jboss.security.tests:service=LoginConfig">
    <attribute name="PolicyConfig" serialDataType="jbxb">
      <jaas:policy
        xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
        xmlns:jaas="urn:jboss:security-config:4.1"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <!-- Our Greenfields login config -->
        <jaas:application-policy name="Greenfields">
          <jaas:authentication>
            <jaas:login-module code="com.fcl.security.GreenfieldsLoginModule" flag="required">
              <jaas:module-option name="unauthenticatedIdentity">anonymous</jaas:module-option>
              <jaas:module-option name="principalClass">com.fcl.security.GreenfieldsUser</jaas:module-option>
              <jaas:module-option name="ignorePasswordCase">true</jaas:module-option>
            </jaas:login-module>
            <!-- Include the ClientLoginModule propagation -->
            <jaas:login-module code="org.jboss.security.ClientLoginModule" flag="required">
              <jaas:module-option name="password-stacking">true</jaas:module-option>
              <jaas:module-option name="multi-threaded">true</jaas:module-option>
            </jaas:login-module>
          </jaas:authentication>
        </jaas:application-policy>
      </jaas:policy>
    </attribute>
    <depends optional-attribute-name="LoginConfigService">
      jboss.security:service=XMLLoginConfig
    </depends>
    <depends optional-attribute-name="SecurityManagerService">
      jboss.security:service=JaasSecurityManager
    </depends>
  </mbean>
</server>
But it's producing:
14:40:55,031 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:587)
    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:521)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:330)
    at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:306)
    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
    at java.lang.Thread.run(Thread.java:595)
One more thing.
Even when it called my LoginModule correctly - when I had edited the server's login-config.xml - the SessionContext.getCallerPrincipal() still returned a JBoss SimplePrincipal rather than the GreenfieldsUser object that I specified (and which is correctly produced by session.getUserPrincipal())
-
9. Re: Dynamic registration of a custom login module?
j2ee_junkie Mar 20, 2006 10:19 AM (in response to andrew.rw.robinson)
Nigel,
What version of JBoss are you using?
Can you provide some TRACE logging of the JBoss security layer around the time of authentication?
cgriffith
-
10. Re: Dynamic registration of a custom login module?
nigelwhite Mar 20, 2006 10:29 AM (in response to andrew.rw.robinson)
Version 4.0.3
How do I turn tracing on?
Update on not getting my custom Principal. I am getting a com.fcl.security.GreenfieldsUser out of the SessionContext, but I can't cast it to that (which was making me think it was just handing me a SimplePrincipal). I think it's from a different ClassLoader.
I have the GreenfieldsUser class file in the EJB jar that's inside the EAR. Surely that should then be usable?
-
12. Re: Dynamic registration of a custom login module?
nigelwhite Mar 20, 2006 10:35 AM (in response to andrew.rw.robinson)
OK, I can cast the SessionContext.getCallerPrincipal() to my custom Principal class!
It's just started working!!
Hmm...
OK, now I just need this DynamicLoginConfig to work.
Any idea how I can add a DataSource without having to drop a separate XML file into the deploy directory? I'd just like to keep everything inside the EAR.
-
13. Re: Dynamic registration of a custom login module?
nigelwhite Mar 20, 2006 10:50 AM (in response to andrew.rw.robinson)
It's just TOOOO weird.
I have to have an empty security domain in jboss.xml in my EJB jar:
<?xml version="1.0" encoding="UTF-8"?>
<jboss>
  <security-domain/>
</jboss>
If I put the correct security domain in (java:/jaas/Greenfields), it says:
15:45:21,781 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:587)
    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:521)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:330)
    at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:121)
    at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
    at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
    at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:178)
    at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:74)
    at $Proxy120.getAll(Unknown Source)
    at com.fcl.gf.mgr.ListMgr.getList(Unknown Source)
But then I have to put
@SecurityDomain("Greenfields")
At the declaration of my EJB
into the EJBs that I'm using, otherwise it says:
15:48:01,968 ERROR [STDERR] javax.ejb.EJBException: java.lang.IllegalStateException: isCallerInRole() called with no security context. Check that a security-domain has been set for the application.
15:48:01,968 ERROR [STDERR] at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:69)
15:48:01,984 ERROR [STDERR] at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83)
15:48:01,984 ERROR [STDERR] at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:192)
15:48:01,984 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
15:48:01,984 ERROR [STDERR] at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
15:48:01,984 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
15:48:01,984 ERROR [STDERR] at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:5 )
This isn't making sense.
-
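A pre-deployment check for the two failures seen in this thread, the "already registered mbean" error and a security domain that matches no application-policy. This is an added example, not code from any poster or from JBoss; `lint`, `sample`, the `Orders` application and the sample inputs are constructed, and only policies embedded through PolicyConfig are read, not a separate login-config.xml.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

DLC = "org.jboss.security.auth.login.DynamicLoginConfig"

def lint(descriptors, domain_refs):
    """descriptors: {location: jboss-service.xml text}
    domain_refs: {location: security domain, e.g. 'java:/jaas/Greenfields'}
    Returns a list of human-readable findings (empty when consistent)."""
    owners = defaultdict(list)  # mbean ObjectName -> locations declaring it
    policies = set()            # application-policy names from embedded PolicyConfig
    for where, text in descriptors.items():
        for mbean in ET.fromstring(text).iter("mbean"):
            if mbean.get("code") != DLC:
                continue
            owners[mbean.get("name")].append(where)
            # {*} matches any namespace, so the schema version does not matter
            for policy in mbean.findall(".//{*}application-policy"):
                policies.add(policy.get("name"))
    findings = []
    for name, places in owners.items():
        if len(places) > 1:  # the second deployment fails as "already registered"
            findings.append(f"duplicate mbean name {name}: {', '.join(sorted(places))}")
    for where, ref in domain_refs.items():
        domain = ref.rsplit("/", 1)[-1]  # strip the java:/jaas/ prefix if present
        if domain not in policies:       # names are compared case-sensitively
            findings.append(f"{where}: security domain {domain!r} has no application-policy")
    return findings

def sample(mbean_name, policy):
    """Constructed descriptor, cut down from the shape posted in this thread."""
    return f"""<server>
  <mbean code="{DLC}" name="{mbean_name}">
    <attribute name="PolicyConfig" serialDataType="jbxb">
      <jaas:policy xmlns:jaas="urn:jboss:security-config:4.1">
        <jaas:application-policy name="{policy}"/>
      </jaas:policy>
    </attribute>
  </mbean>
</server>"""

# Constructed input: both SARs reuse one ObjectName, and one EJB jar misspells its domain.
DESCRIPTORS = {
    "GF.ear/GF.sar": sample("jboss:service=DynamicLoginConfig", "Greenfields"),
    "Orders.ear/Orders.sar": sample("jboss:service=DynamicLoginConfig", "Orders"),
}
DOMAIN_REFS = {"GF.ear/ejbs.jar": "java:/jaas/Greenfields",
               "Orders.ear/ejbs.jar": "java:/jaas/orders"}

if __name__ == "__main__":
    for finding in lint(DESCRIPTORS, DOMAIN_REFS):
        print(finding)
```

An unmatched domain is worth failing a build on: in a stock JBoss 4 configuration the lookup falls back to the `other` policy, whose UsersRolesLoginModule is the module that appears in the traces above instead of the custom one.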
14. Re: Dynamic registration of a custom login module?
j2ee_junkie Mar 20, 2006 11:02 AM (in response to andrew.rw.robinson)
Nigel,
I put my_datasource-ds.xml file at the root of my ear. Then I add
...
<module>
  <java>my_datasource-ds.xml</java>
</module>
...
to application.xml. This datasource then gets deployed/undeployed automatically with ear by service http://wiki.jboss.org/wiki/Wiki.jsp?page=XSLSubDeployer.
Also AFAIK, you can do the same thing with your login-config.xml. I use the sar method described earlier because I package login modules inside the sar.
Glad to hear you are coming along on solving your problems, cgriffith