-
1. Re: NEED HELP : Declarative authorization doesn't work
j2ee_junkie Jun 26, 2006 8:28 AM (in response to smajima)
Susumu,
It would be helpful to see what is happening at authentication time in trace logging for the JBoss security layer. As well, you can verify what roles the principals have by viewing the authentication cache using the jmx-console. Please let us know.
thanks, cgriffith -
2. Re: NEED HELP : Declarative authorization doesn't work
smajima Jun 27, 2006 1:09 AM (in response to smajima)
Sorry, I'm new to JBoss & EJB.
I'm not sure the part I cut out of server.log is the appropriate one.
The server.log is:
TestDB is a database I use to store security data, users, roles.
2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManager.TestDB] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@14d8c01
2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@22a6bb
2006-06-27 09:25:11,918 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@f0756d{ url=null ,addedOrder=0}
2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManager.TestDB] CachePolicy set to: org.jboss.util.TimedCachePolicy@ad4bb0
2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@ad4bb0
2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added TestDB, org.jboss.security.plugins.SecurityDomainContext@144426c to map
2006-06-27 09:25:11,934 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@187b796{ url=null ,addedOrder=0}
2006-06-27 09:25:11,949 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] internalRegisterPool: registering pool with interval 900000 old interval: 9223372036854775807
2006-06-27 09:25:11,949 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] internalRegisterPool: about to notify thread: old next: 1151368361949, new next: 1151368361949
2006-06-27 09:25:12,199 DEBUG [org.jboss.web.tomcat.tc5.jasper.TagLibCache] Scanning for tlds in: file:/C:/jboss-4.0.4.GA/server/default/deploy/jbossweb-tomcat55.sar/jsf-libs/myfaces-impl.jar
2006-06-27 09:25:12,668 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@2efae4{ url=null ,addedOrder=0}
2006-06-27 09:25:12,714 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@19dc72f{ url=null ,addedOrder=0}
2006-06-27 09:25:12,886 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@1b3251d{ url=null ,addedOrder=0}
2006-06-27 09:25:13,167 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@12b71eb{ url=null ,addedOrder=0}
2006-06-27 09:25:13,167 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@1441dc0{ url=null ,addedOrder=0}
2006-06-27 09:25:13,183 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@1b6c74{ url=null ,addedOrder=0}
2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@109eab7{ url=null ,addedOrder=0}
2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@10cf62{ url=null ,addedOrder=0}
2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@19f332b{ url=null ,addedOrder=0}
2006-06-27 09:25:21,100 INFO [STDOUT] method:plus
2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@d86cae{ url=null ,addedOrder=0}
2006-06-27 09:25:21,100 INFO [STDOUT] name:user1
2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@16915d4{ url=null ,addedOrder=0}
2006-06-27 09:25:21,132 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@1b2979e{ url=null ,addedOrder=0}
I don't understand what I should enter as the parameter of java.util.List getAuthenticationCachePrincipals().
Could you let me know what I should enter for checking the authentication cache via the jmx-console?
Thanks in advance -
3. Re: NEED HELP : Declarative authorization doesn't work
j2ee_junkie Jun 27, 2006 8:23 AM (in response to smajima)
Susumu,
The String parameter of java.util.List getAuthenticationCachePrincipals() is the name of the security domain. This function will show you what principals are currently logged in to that domain.
Your post below is useless. What is needed is trace logging of the authentication at the time a user requests a secured resource for the first time. Also, it would be useful to check your application-policy config.
cgriffith -
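The check cgriffith describes (looking at the authentication cache of a security domain) can also be done from code inside the server instead of by hand in the jmx-console. The class below is an added example, not code from this thread or from JBoss; it assumes the JaasSecurityManagerService MBean is registered under its standard JBoss 4.0.x name jboss.security:service=JaasSecurityManager, and that it runs in-container (a servlet or MBean) so that MBeanServerLocator can find the server. The flush method is there because the cache is the usual reason a role change in the database does not take effect until the cache entry times out.

```java
import java.security.Principal;
import java.util.List;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import org.jboss.mx.util.MBeanServerLocator;

/**
 * Added example (not part of the thread): inspects and flushes the
 * authentication cache of one security domain through the
 * JaasSecurityManagerService MBean, i.e. what the jmx-console operations
 * getAuthenticationCachePrincipals(String) and flushAuthenticationCache(String)
 * do interactively.
 */
public class AuthCacheInspector {

    // Standard MBean name of the JaasSecurityManagerService in JBoss 4.0.x (assumed unchanged in this install).
    private static final String SECURITY_MGR = "jboss.security:service=JaasSecurityManager";

    /** Returns the principals currently cached for the given security domain, e.g. "TestDB". */
    @SuppressWarnings("unchecked")
    public static List<Object> cachedPrincipals(String securityDomain) throws Exception {
        MBeanServer server = MBeanServerLocator.locateJBoss();
        return (List<Object>) server.invoke(
            new ObjectName(SECURITY_MGR),
            "getAuthenticationCachePrincipals",
            new Object[] { securityDomain },
            new String[] { String.class.getName() });
    }

    /** True if a principal with the given name is still cached (so its old roles are still in use). */
    public static boolean isCached(String securityDomain, String principalName) throws Exception {
        for (Object entry : cachedPrincipals(securityDomain)) {
            String name = (entry instanceof Principal)
                ? ((Principal) entry).getName()
                : String.valueOf(entry);
            if (principalName.equals(name)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Empties the cache for the domain, forcing every principal to be
     * re-authenticated (and its roles re-read from the database) on the next request.
     */
    public static void flush(String securityDomain) throws Exception {
        MBeanServer server = MBeanServerLocator.locateJBoss();
        server.invoke(
            new ObjectName(SECURITY_MGR),
            "flushAuthenticationCache",
            new Object[] { securityDomain },
            new String[] { String.class.getName() });
    }

    /** Example usage from inside the server, printing to server.log via STDOUT. */
    public static void report(String securityDomain) throws Exception {
        System.out.println("cached principals in " + securityDomain + ": " + cachedPrincipals(securityDomain));
        System.out.println("user1 cached: " + isCached(securityDomain, "user1"));
    }
}
```

The cache default is a TimedCachePolicy (the "CachePolicy set to: org.jboss.util.TimedCachePolicy" line in the log above), so a user whose roles were changed in the users/userroles tables keeps the roles captured at login until the entry expires or is flushed; when an authorization result looks stale, flush the domain before drawing conclusions from the trace.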
4. Re: NEED HELP : Declarative authorization doesn't work
smajima Jun 29, 2006 12:14 AM (in response to smajima)
I'm terribly sorry, but I don't know how to get authentication trace logging.
Where (in which file) can I find the application-policy config?
Could you let me know?
I use the jmx-console, and the currently logged-in principal in the domain is user1.
Susumu -
5. Re: NEED HELP : Declarative authorization doesn't work
muhviehstarr Jun 29, 2006 3:37 AM (in response to smajima)
Hello. I think you forgot the @SecurityDomain at the class.
-
6. Re: NEED HELP : Declarative authorization doesn't work
jaikiran Jun 29, 2006 4:01 AM (in response to smajima)
"I'm terribly sorry but I don't know how to get authentication trace logging"
Have a look at Q4: How to debug security layer at:
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ
"Where (in which file) can I find application-policy config?"
You can find this in the login-config.xml file present in the %JBOSS_HOME%/server/default/conf directory. -
7. Re: NEED HELP : Declarative authorization doesn't work
smajima Jun 29, 2006 6:00 AM (in response to smajima)
The log is below. In this case I select multi as user1.
2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2006-06-29 18:53:58,408 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Disabling the response for futher output
2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
2006-06-29 18:53:58,408 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callerGenericPrincipal[user1(user,)]
2006-06-29 18:53:58,408 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2006-06-29 18:54:22,876 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574862876 sessioncount 1
2006-06-29 18:54:22,876 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574892876 sessioncount 0
2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574892876 sessioncount 0
2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574892876 sessioncount 0
2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2006-06-29 18:55:22,875 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574922875 sessioncount 1
2006-06-29 18:55:22,875 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 42C1AA6EFF40E2ACA51C4C43298226D5
2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /SecurityCheckEJB/calc.jsp
2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] We have cached auth type FORM for principal GenericPrincipal[user1(user,)]
2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[User Auth]' against GET /calc.jsp --> true
2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[User Auth]' against GET /calc.jsp --> true
2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2006-06-29 18:55:28,063 DEBUG [org.jboss.web.tomcat.security.FormAuthenticator] Already authenticated 'user1'
2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[user1(user,)]
2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] Username user1 does NOT have role admin
2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: admin
2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] Username user1 has role user
2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: user
2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[user1(user,)]
2006-06-29 18:55:28,063 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
2006-06-29 18:55:28,063 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=??????:
??: user1
??: Roles(members:user)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@1e07d3e{principal=user1,subject=17274660}
2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2006-06-29 18:55:28,063 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callerGenericPrincipal[user1(user,)]
2006-06-29 18:55:28,063 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 42C1AA6EFF40E2ACA51C4C43298226D5
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /SecurityCheckEJB/calc
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] We have cached auth type FORM for principal GenericPrincipal[user1(user,)]
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[User Auth]' against GET /calc --> true
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[User Auth]' against GET /calc --> true
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2006-06-29 18:55:33,594 DEBUG [org.jboss.web.tomcat.security.FormAuthenticator] Already authenticated 'user1'
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[user1(user,)]
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] Username user1 does NOT have role admin
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: admin
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] Username user1 has role user
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: user
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[user1(user,)]
2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=??????:
??: user1
??: Roles(members:user)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@13e9963{principal=user1,subject=17274660}
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=user1
2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@c85a33{principal=user1,subject=null}
2006-06-29 18:55:33,594 INFO [STDOUT] method:plus
2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] getCallerPrincipal, principal=user1
2006-06-29 18:55:33,594 INFO [STDOUT] name:user1
2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@c85a33{principal=user1,subject=null}
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.core.ApplicationDispatcher] servletPath=/answer.jsp, pathInfo=null, queryString=null, name=null
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Path Based Forward
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Disabling the response for futher output
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callerGenericPrincipal[user1(user,)]
2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
My application-policy is:
<!-- add by Majima for test -->
<application-policy name="TestDB">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/MySecurityDS</module-option>
      <module-option name="principalsQuery">select passwd from users where username=?</module-option>
      <module-option name="rolesQuery">select userroles, 'Roles' from userroles where username=?</module-option>
    </login-module>
  </authentication>
</application-policy>
-
8. Re: NEED HELP : Declarative authorization doesn't work
jaikiran Jun 29, 2006 6:37 AM (in response to smajima)
"In this case I select multi as user1."
This is going to work, isn't it? Since you have specified that the method multi can be invoked by users in role "user" (and user1 belongs to the "user" role).
Your first post mentioned that
"The method multi is allowed only "user" role. but manager is able to execute multi"
Try out this case (i.e. try the multi operation with manager) and post the TRACE logs. -
9. Re: NEED HELP : Declarative authorization doesn't work
smajima Jun 29, 2006 9:48 AM (in response to smajima)
I'm sorry, I gave you wrong information.
I selected plus as user. The logging above is for this case.
If it worked correctly, user1 couldn't execute plus.
Susumu -
10. Re: NEED HELP : Declarative authorization doesn't work
jaikiran Jun 29, 2006 9:53 AM (in response to smajima)
Can you please post your ejb-jar.xml?
-
11. Re: NEED HELP : Declarative authorization doesn't work
jaikiran Jun 29, 2006 9:55 AM (in response to smajima)
Can you please post your ejb-jar.xml? The logs show that user1 was authenticated correctly and has been identified in the correct role.
-
12. Re: NEED HELP : Declarative authorization doesn't work
smajima Jun 29, 2006 8:06 PM (in response to smajima)
I don't have an ejb-jar.xml, because I don't think I need to specify anything in ejb-jar.xml.
Am I understanding this wrong?
If something is needed in ejb-jar.xml, could you show me an example?
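Posts 5 and 12 together point at the two places an EJB3 bean's authorization can be declared. What follows is an added example, not code from this thread: a stateless bean with the class-level @SecurityDomain that post 5 says is missing, plus @RolesAllowed on the methods. The interface and bean names (Calc, CalcBean) are assumed, and so is the role assignment on plus; the thread only states that multi is restricted to "user" and that user1, who holds "user", should be refused plus. The trace above shows the web tier authenticating user1 and restoring "Roles(members:user)", which is correct; what is missing is a declaration that makes the EJB container check those roles at all.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.annotation.security.SecurityDomain;

/** Remote view of the calculator bean (assumed name; the thread never shows it). */
@Remote
interface Calc {
    int plus(int a, int b);
    int multi(int a, int b);
}

/**
 * Added example (not the poster's code): EJB3 session bean whose method
 * permissions are declared with annotations. @SecurityDomain ties the bean
 * to the "TestDB" application-policy in login-config.xml; without it the
 * container has no domain to authorize against and the @RolesAllowed
 * constraints are never evaluated, which is the omission post 5 points at.
 */
@Stateless
@SecurityDomain("TestDB")   // must match <application-policy name="TestDB">
public class CalcBean implements Calc {

    @Resource
    private SessionContext ctx;

    // Assumed: plus is reserved for "admin", so a caller holding only "user"
    // (user1 in the thread) gets javax.ejb.EJBAccessException here.
    @RolesAllowed("admin")
    public int plus(int a, int b) {
        audit("plus");
        return a + b;
    }

    // Stated in the thread: multi is allowed only to role "user".
    @RolesAllowed("user")
    public int multi(int a, int b) {
        audit("multi");
        return a * b;
    }

    /** Prints the caller the container resolved, matching the STDOUT lines in the trace. */
    private void audit(String method) {
        System.out.println("method:" + method);
        System.out.println("name:" + ctx.getCallerPrincipal().getName());
        // A defensive in-method check is possible too, but declarative
        // permissions should remain the primary control.
        if (!ctx.isCallerInRole("user") && !ctx.isCallerInRole("admin")) {
            throw new IllegalStateException("caller holds none of the expected roles");
        }
    }
}
```

The descriptor alternative that post 12 asks about expresses the same thing in ejb-jar.xml under <assembly-descriptor>, with one <security-role> per role and a <method-permission> listing the roles and methods, while the security domain itself goes into jboss.xml as <security-domain>java:/jaas/TestDB</security-domain>. Annotations and descriptors can be mixed, but either way the security domain must be declared for the bean, or the method permissions, however written, are not enforced.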