1. Re: XMLLoginConfig not picking up my application-policy
j2ee_junkie Jun 26, 2006 10:35 AM (in response to david.l.small)
David,
One thing I noticed is you forgot the authentication element (or maybe you just did not post it.) See the login-config.xml file for xml elements.
cgriffith
2. Re: XMLLoginConfig not picking up my application-policy
anil.saldhana Jun 26, 2006 10:38 AM (in response to david.l.small)
Enable trace logging as highlighted in the FAQ at the beginning of this forum. You will see if there are any parsing issues with your login config file.
3. Re: XMLLoginConfig not picking up my application-policy
david.l.small Jun 26, 2006 11:22 AM (in response to david.l.small)
j2ee_junkie, I must have done something wrong when creating the post, because the terminating element is in there.
anil, below is the relevant trace information. It looks like it loads OK.
2006-06-26 11:05:15,553 DEBUG [org.jboss.security.auth.login.XMLLoginConfigImpl] Try loading config as XML, url=file:/usr/local/jboss-4.0.4.GA/server/default/conf/login-config.xml
2006-06-26 11:05:15,680 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newRoot, created PolicyConfig for policy element
2006-06-26 11:05:15,684 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.PolicyConfig, localName: application-policy
2006-06-26 11:05:15,684 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.PolicyConfig, AuthenticationInfo: PinkRealm
2006-06-26 11:05:15,685 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AuthenticationInfo, localName: authentication
2006-06-26 11:05:15,685 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AuthenticationInfo, localName: login-module
2006-06-26 11:05:15,699 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AuthenticationInfo, login-module code: org.jboss.security.auth.spi.DatabaseServerLoginModule
2006-06-26 11:05:15,699 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AppConfigurationEntryHolder, localName: module-option
2006-06-26 11:05:15,700 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AppConfigurationEntryHolder, module-option name: dsJndiName
2006-06-26 11:05:15,700 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] setValue.ModuleOption, name: module-option
2006-06-26 11:05:15,700 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] addChild.AppConfigurationEntryHolder, name: dsJndiName
2006-06-26 11:05:15,700 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AppConfigurationEntryHolder, localName: module-option
2006-06-26 11:05:15,700 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AppConfigurationEntryHolder, module-option name: principalsQuery
2006-06-26 11:05:15,701 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] setValue.ModuleOption, name: module-option
2006-06-26 11:05:15,701 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] addChild.AppConfigurationEntryHolder, name: principalsQuery
2006-06-26 11:05:15,701 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AppConfigurationEntryHolder, localName: module-option
2006-06-26 11:05:15,701 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AppConfigurationEntryHolder, module-option name: rolesQuery
2006-06-26 11:05:15,701 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] setValue.ModuleOption, name: module-option
2006-06-26 11:05:15,701 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] addChild.AppConfigurationEntryHolder, name: rolesQuery
2006-06-26 11:05:15,701 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AppConfigurationEntryHolder, localName: module-option
2006-06-26 11:05:15,701 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AppConfigurationEntryHolder, module-option name: hashAlgorithm
2006-06-26 11:05:15,701 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] setValue.ModuleOption, name: module-option
2006-06-26 11:05:15,701 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] addChild.AppConfigurationEntryHolder, name: hashAlgorithm
2006-06-26 11:05:15,702 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AppConfigurationEntryHolder, localName: module-option
2006-06-26 11:05:15,703 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] newChild.AppConfigurationEntryHolder, module-option name: hashEncoding
2006-06-26 11:05:15,703 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] setValue.ModuleOption, name: module-option
2006-06-26 11:05:15,703 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] addChild.AppConfigurationEntryHolder, name: hashEncoding
2006-06-26 11:05:15,703 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] addChild.AuthenticationInfo, name: org.jboss.security.auth.spi.DatabaseServerLoginModule
2006-06-26 11:05:15,703 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] addChild.PolicyConfig, name: PinkRealm
According to the trace above it seems to load, but I still do not see it from the JNDIView ...
+- XAConnectionFactory (class: org.jboss.mq.SpyXAConnectionFactory)
+- DefaultDS (class: org.jboss.resource.adapter.jdbc.WrapperDataSource)
+- SecurityProxyFactory (class: org.jboss.security.SubjectSecurityProxyFactory)
+- DefaultJMSProvider (class: org.jboss.jms.jndi.JNDIProviderAdapter)
+- comp (class: javax.naming.Context)
+- JmsXA (class: org.jboss.resource.adapter.jms.JmsConnectionFactoryImpl)
+- ConnectionFactory (class: org.jboss.mq.SpyConnectionFactory)
+- jdbc (class: org.jnp.interfaces.NamingContext)
| +- PinkForums (class: org.jboss.resource.adapter.jdbc.WrapperDataSource)
| +- PinkEdgar (class: org.jboss.resource.adapter.jdbc.WrapperDataSource)
| +- PinkCommon (class: org.jboss.resource.adapter.jdbc.WrapperDataSource)
| +- PinkNews (class: org.jboss.resource.adapter.jdbc.WrapperDataSource)
| +- PinkLegacy (class: org.jboss.resource.adapter.jdbc.WrapperDataSource)
+- jaas (class: javax.naming.Context)
| +- HsqlDbRealm (class: org.jboss.security.plugins.SecurityDomainContext)
| +- jmx-console (class: org.jboss.security.plugins.SecurityDomainContext)
| +- jbossmq (class: org.jboss.security.plugins.SecurityDomainContext)
| +- java:jaas (class: org.jboss.security.plugins.SecurityDomainContext)
| +- JmsXARealm (class: org.jboss.security.plugins.SecurityDomainContext)
+- timedCacheFactory (class: javax.naming.Context)
Failed to lookup: timedCacheFactory, errmsg=org.jboss.util.TimedCachePolicy
+- TransactionPropagationContextExporter (class: org.jboss.tm.TransactionPropagationContextFactory)
+- StdJMSPool (class: org.jboss.jms.asf.StdServerSessionPoolFactory)
+- Mail (class: javax.mail.Session)
+- comp.ejb3 (class: javax.naming.Context)
| NonContext: null
+- TransactionPropagationContextImporter (class: org.jboss.tm.TransactionPropagationContextImporter)
+- TransactionManager (class: org.jboss.tm.TxManager)
Any ideas? What else can I do?
Thanks
4. Re: XMLLoginConfig not picking up my application-policy
tefron Jun 26, 2006 11:45 AM (in response to david.l.small)
disable HTML and post your loginConfig.xml
5. Re: XMLLoginConfig not picking up my application-policy
david.l.small Jun 26, 2006 11:51 AM (in response to david.l.small)
Here you go ...
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">
<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.
The outline of the application-policy is:
<application-policy name="security-domain-name">
<login-module code="login.module1.class.name" flag="control_flag">
<module-option name = "option1-name">option1-value</module-option>
<module-option name = "option2-name">option2-value</module-option>
...
</login-module>
<login-module code="login.module2.class.name" flag="control_flag">
...
</login-module>
...
</application-policy>
$Revision: 1.12.2.1 $
-->
<!-- Used by clients within the application server VM such as
mbeans and servlets that access EJBs.
-->
<application-policy name = "client-login">
<login-module code = "org.jboss.security.ClientLoginModule"
flag = "required">
</login-module>
</application-policy>
<!-- Security domain for JBossMQ -->
<application-policy name = "jbossmq">
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "dsJndiName">java:/DefaultDS</module-option>
<module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
<module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
</login-module>
</application-policy>
<!-- Security domain for JBossMQ when using file-state-service.xml
<application-policy name = "jbossmq">
<login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
</login-module>
</application-policy>
-->
<!-- Security domains for testing new jca framework -->
<application-policy name = "HsqlDbRealm">
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sa</module-option>
<module-option name = "userName">sa</module-option>
<module-option name = "password"></module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
</login-module>
</application-policy>
<application-policy name = "FirebirdDBRealm">
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sysdba</module-option>
<module-option name = "userName">sysdba</module-option>
<module-option name = "password">masterkey</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
</login-module>
</application-policy>
<application-policy name = "JmsXARealm">
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">guest</module-option>
<module-option name = "userName">guest</module-option>
<module-option name = "password">guest</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
</login-module>
</application-policy>
<!-- A template configuration for the jmx-console web application. This
defaults to the UsersRolesLoginModule the same as other and should be
changed to a stronger authentication mechanism as required.
-->
<application-policy name = "jmx-console">
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="usersProperties">jmx-console-users.properties</module-option>
<module-option name="rolesProperties">jmx-console-roles.properties</module-option>
</login-module>
</application-policy>
<!-- A template configuration for the web-console web application. This
defaults to the UsersRolesLoginModule the same as other and should be
changed to a stronger authentication mechanism as required.
-->
<application-policy name = "web-console">
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="usersProperties">web-console-users.properties</module-option>
<module-option name="rolesProperties">web-console-roles.properties</module-option>
</login-module>
</application-policy>
<!-- A template configuration for the JBossWS web application (and transport layer!).
This defaults to the UsersRolesLoginModule the same as other and should be
changed to a stronger authentication mechanism as required.
-->
<application-policy name="JBossWS">
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag="required">
<module-option name="unauthenticatedIdentity">anonymous</module-option>
</login-module>
</application-policy>
<!-- The default login configuration used by any security domain that
does not have a application-policy entry with a matching name
-->
<application-policy name = "other">
<!-- A simple server login module, which can be used when the number
of users is relatively small. It uses two properties files:
users.properties, which holds users (key) and their password (value).
roles.properties, which holds users (key) and a comma-separated list of
their roles (value).
The unauthenticatedIdentity property defines the name of the principal
that will be used when a null username and password are presented as is
the case for an unauthenticated web client or MDB. If you want to
allow such users to be authenticated add the property, e.g.,
unauthenticatedIdentity="nobody"
-->
<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />
</application-policy>
<!-- Realm for App Management. -->
<application-policy name = "AppManagementRealm">
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
<module-option name = "dsJndiName">java:/jdbc/AppManagement</module-option>
<module-option name = "principalsQuery">SELECT password FROM users WHERE email_address = ?</module-option>
<module-option name = "rolesQuery"><![CDATA[SELECT ur.role_id, 'Roles' FROM xref_user_role ur
INNER JOIN users u WHERE ur.user_id = u.id AND u.email_address = ?]]></module-option>
<module-option name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">hex</module-option>
</login-module>
</application-policy>
<!-- Realm for Pink Applications. -->
<application-policy name = "PinkRealm">
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
<module-option name = "dsJndiName">java:/jdbc/PinkCommon</module-option>
<module-option name = "principalsQuery"><![CDATA[
SELECT password FROM userinfo
WHERE email = ? AND is_active = 1]]></module-option>
<module-option name = "rolesQuery"><![CDATA[SELECT DISTINCT ur.role_id, 'Roles' FROM user_role_company ur
INNER JOIN userinfo u ON ur.user_id = u.id
WHERE u.email = ? AND u.is_active = 1 AND ur.is_active = 1 AND
((ur.start_date IS NULL) OR (ur.start_date <= CURRENT_TIMESTAMP)) AND
((ur.end_date IS NULL) OR (ur.end_date > CURRENT_TIMESTAMP))]]></module-option>
<module-option name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">hex</module-option>
</login-module>
</application-policy>
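As an added example (Python, not code from this thread and not part of JBoss), the check below parses a login-config.xml in the shape XMLLoginConfig expects: a <policy> root, one <application-policy> per security domain, and the login modules wrapped in an <authentication> element, which is the element j2ee_junkie asked about in post 1 and which is absent from the posted copy above even though the trace in post 3 shows it being parsed. The sample file, the "BrokenRealm" domain and the list of options it looks for are constructed for the example; DatabaseServerLoginModule has built-in defaults for those options, so their absence is reported as a warning rather than an error.

```python
import xml.etree.ElementTree as ET

# Constructed sample login-config.xml: two well-formed domains and one
# ("BrokenRealm") whose login-module sits directly under application-policy.
SAMPLE_LOGIN_CONFIG = """<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>
  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">jmx-console-users.properties</module-option>
        <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="PinkRealm">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/jdbc/PinkCommon</module-option>
        <module-option name="principalsQuery">SELECT password FROM userinfo WHERE email = ? AND is_active = 1</module-option>
        <module-option name="rolesQuery">SELECT role_id, 'Roles' FROM user_role_company WHERE user_id = ?</module-option>
        <module-option name="hashAlgorithm">MD5</module-option>
        <module-option name="hashEncoding">hex</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="BrokenRealm">
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="require">
      <module-option name="dsJndiName">java:/jdbc/PinkCommon</module-option>
    </login-module>
  </application-policy>
</policy>
"""

# JAAS control flags accepted by the login-module flag attribute.
VALID_FLAGS = {"required", "requisite", "sufficient", "optional"}
# Options the thread's database realms set explicitly (the module has defaults
# for them, so a missing one is a warning, not a parse failure).
EXPECTED_DB_OPTIONS = ("dsJndiName", "principalsQuery", "rolesQuery")


def check_login_config(xml_text):
    """Return {policy name: [problem, ...]}; an empty list means nothing obviously wrong."""
    root = ET.fromstring(xml_text)
    if root.tag != "policy":
        raise ValueError("root element must be <policy>, got <%s>" % root.tag)
    report = {}
    for policy in root.findall("application-policy"):
        name = policy.get("name", "<unnamed>")
        problems = []
        auth = policy.find("authentication")
        if auth is None:
            problems.append("login-module elements are not wrapped in <authentication>")
            modules = policy.findall("login-module")   # look where they were mistakenly put
        else:
            modules = auth.findall("login-module")
        if not modules:
            problems.append("no login-module defined")
        for module in modules:
            code = module.get("code", "<no code>")
            if (module.get("flag") or "").lower() not in VALID_FLAGS:
                problems.append("%s: flag must be one of %s" % (code, sorted(VALID_FLAGS)))
            options = {o.get("name"): (o.text or "").strip()
                       for o in module.findall("module-option")}
            if code.endswith("DatabaseServerLoginModule"):
                for opt in EXPECTED_DB_OPTIONS:
                    if not options.get(opt):
                        problems.append("%s: module-option %s not set" % (code, opt))
        report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_login_config(SAMPLE_LOGIN_CONFIG).items():
        print(name, "OK" if not problems else "")
        for problem in problems:
            print("   -", problem)
```

Run against a real file with `check_login_config(open("login-config.xml").read())`; a policy that parses but is listed with the wrapping problem is the kind of entry that loads "without parsing issues" yet never shows up under java:/jaas in JNDIView.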
6. Re: XMLLoginConfig not picking up my application-policy
tefron Jun 26, 2006 12:57 PM (in response to david.l.small)
looking good.
can you please post your jboss-app.xml or jboss-web.xml that reference the security-domain?
7. Re: XMLLoginConfig not picking up my application-policy
david.l.small Jun 26, 2006 1:11 PM (in response to david.l.small)
tefron, I have entries in jboss.xml and jboss-web.xml.
Here's jboss.xml
<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE jboss PUBLIC
"-//JBoss//DTD JBOSS 4.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss_4_0.dtd">
<security-domain>java:/jaas/PinkRealm</security-domain>
And here's jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC
"-//JBoss//DTD Web Application 2.4//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
<jboss-web>
<security-domain>java:/jaas/PinkRealm</security-domain>
</jboss-web>
8. Re: XMLLoginConfig not picking up my application-policy
tefron Jun 26, 2006 1:52 PM (in response to david.l.small)
try and add the security-domain to your jboss-app.xml.
9. Re: XMLLoginConfig not picking up my application-policy
david.l.small Jun 26, 2006 2:12 PM (in response to david.l.small)
That did not help. That said, I don't think the problem is with the "security-domain" elements. I believe that for some unexplainable reason my JAAS PinkRealm is not being created. I base that on the fact that when I invoke the JNDIView tree, it doesn't show with the JAAS services.
I've reinstalled a few times, but to no avail. This makes no sense as I copied many of the configuration parameters directly from my 4.0.3SP1 installation.
Any thoughts?
10. Re: XMLLoginConfig not picking up my application-policy
j2ee_junkie Jun 26, 2006 2:25 PM (in response to david.l.small)
David,
Set trace logging for the security layer. Then restart the server, and look for output from the config service when it is starting. Post any details.
later, cgriffith
11. Re: XMLLoginConfig not picking up my application-policy
j2ee_junkie Jun 26, 2006 2:32 PM (in response to david.l.small)
whoops. I see Anil already suggested that now. sorry. Will get back with you.
12. Re: XMLLoginConfig not picking up my application-policy
j2ee_junkie Jun 26, 2006 11:32 PM (in response to david.l.small)
David,
I see that only some of the application-policies are being deployed. Did you post a different login-config.xml than the one used when posting the JNDI view? If not, then look at the trace log again during XMLLoginConfigImpl service startup. This time post all application-policy configurations during startup.
Also, you can look to see how an application-policy is configured by looking at the "jboss.security:service=XMLLoginConfig" mbean in jmx-console.
cgriffith
13. Re: XMLLoginConfig not picking up my application-policy
david.l.small Jun 27, 2006 5:49 AM (in response to david.l.small)
cgriffith, I'm pretty much following the same configuration procedures that I have for all previous versions of JBoss. I simply put my application-policy's XML snippet into the login-config file. Usually afterwards, the JAAS JNDI entry shows up in the JNDIView and is accessible by my security-domain entries in deployment descriptors.
As you can see from my posts, my entry is in the login-config, the XMLLoginConfig trace does pick it up, but it never gets into the JNDI tree. Also, I just ran the displayAppConfig method of jboss.security:service=XMLLoginConfig on my realm - PinkRealm. Here's the output ...
PinkRealm LoginConfiguration
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
* name=hashEncoding, value=hex
* name=rolesQuery, value=SELECT DISTINCT ur.role_id, 'Roles' FROM user_role_company ur INNER JOIN userinfo u ON ur.user_id = u.id WHERE u.email = ? AND u.is_active = 1 AND ur.is_active = 1 AND ((ur.start_date IS NULL) OR (ur.start_date <= CURRENT_TIMESTAMP)) AND ((ur.end_date IS NULL) OR (ur.end_date > CURRENT_TIMESTAMP))
* name=principalsQuery, value=SELECT password FROM userinfo WHERE email = ? AND is_active = 1
* name=hashAlgorithm, value=MD5
* name=dsJndiName, value=java:/jdbc/PinkCommon
As you see from below it is not in the tree ...
+- jaas (class: javax.naming.Context)
| +- HsqlDbRealm (class: org.jboss.security.plugins.SecurityDomainContext)
| +- jmx-console (class: org.jboss.security.plugins.SecurityDomainContext)
| +- jbossmq (class: org.jboss.security.plugins.SecurityDomainContext)
| +- JmsXARealm (class: org.jboss.security.plugins.SecurityDomainContext)
+- timedCacheFactory (class: javax.naming.Context)
Is there something else that must be done in 4.0.4.GA? If so, I've not seen the additional instructions in the release notes. Does 4.0.4 require that I include default module-options in my XML configuration?
Thanks for your continued assistance.
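As an added example (Python, not JBoss code and not from this thread), the following reproduces what DatabaseServerLoginModule does with the PinkRealm options listed in the displayAppConfig output above: bind the login name to the `?` in principalsQuery, digest the presented password with hashAlgorithm/hashEncoding (MD5, hex), compare it with the stored column, and on success run rolesQuery and group the first column by the second ('Roles'). The SQLite schema, the rows, the role date windows and the UTF-8 charset are constructed assumptions for the demo; the two queries are the thread's own.

```python
import base64
import hashlib
import sqlite3

# The PinkRealm options from the thread, as the module receives them.
PRINCIPALS_QUERY = "SELECT password FROM userinfo WHERE email = ? AND is_active = 1"
ROLES_QUERY = """SELECT DISTINCT ur.role_id, 'Roles' FROM user_role_company ur
INNER JOIN userinfo u ON ur.user_id = u.id
WHERE u.email = ? AND u.is_active = 1 AND ur.is_active = 1 AND
((ur.start_date IS NULL) OR (ur.start_date <= CURRENT_TIMESTAMP)) AND
((ur.end_date IS NULL) OR (ur.end_date > CURRENT_TIMESTAMP))"""
HASH_ALGORITHM = "MD5"
HASH_ENCODING = "hex"


def hash_password(password, algorithm=HASH_ALGORITHM, encoding=HASH_ENCODING):
    """Digest the presented cleartext as hashAlgorithm/hashEncoding describe.

    UTF-8 is an assumption here; the real module takes the charset from the
    optional hashCharset option and otherwise uses the platform default.
    """
    digest = hashlib.new(algorithm.lower(), password.encode("utf-8")).digest()
    if encoding == "hex":
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError("unsupported hashEncoding: %s" % encoding)


def build_demo_db():
    """Constructed in-memory schema and rows with the column names the queries use."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE userinfo (id INTEGER PRIMARY KEY, email TEXT,
                               password TEXT, is_active INTEGER);
        CREATE TABLE user_role_company (user_id INTEGER, role_id TEXT, is_active INTEGER,
                                        start_date TEXT, end_date TEXT);
    """)
    conn.executemany("INSERT INTO userinfo VALUES (?, ?, ?, ?)", [
        (1, "alice@example.com", hash_password("correct horse"), 1),
        (2, "bob@example.com", hash_password("hunter2"), 0),      # deactivated account
    ])
    conn.executemany("INSERT INTO user_role_company VALUES (?, ?, ?, ?, ?)", [
        (1, "Admin", 1, None, None),                                       # open-ended
        (1, "Editor", 1, "2000-01-01 00:00:00", "2999-01-01 00:00:00"),    # inside its window
        (1, "Auditor", 1, "2000-01-01 00:00:00", "2001-01-01 00:00:00"),   # expired
        (1, "Reader", 0, None, None),                                      # disabled assignment
    ])
    return conn


def authenticate(conn, username, password):
    """Mimic the module: fetch the stored hash, compare, then collect roles.

    Returns the set of roles in the 'Roles' group, or None when the login fails.
    """
    row = conn.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None:
        return None                  # unknown principal, or is_active = 0
    if row[0] != hash_password(password):
        return None                  # presented password does not hash to the stored value
    groups = {}
    for role, group in conn.execute(ROLES_QUERY, (username,)):
        groups.setdefault(group, set()).add(role)
    return groups.get("Roles", set())


if __name__ == "__main__":
    db = build_demo_db()
    print(authenticate(db, "alice@example.com", "correct horse"))   # {'Admin', 'Editor'}
    print(authenticate(db, "alice@example.com", "wrong"))           # None
    print(authenticate(db, "bob@example.com", "hunter2"))           # None: is_active = 0
```

The is_active and date-window conditions live entirely in the two queries, so the module itself never sees an inactive user or an expired role; that is why the trace and displayAppConfig output in this thread are the right place to confirm the queries the server really loaded. Note also that an unsalted single-pass digest such as MD5 hex is cheap to reverse offline from a leaked table; the query-hash-compare mechanics shown here are the same for whatever algorithm hashAlgorithm names.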
14. Re: XMLLoginConfig not picking up my application-policy
david.l.small Jun 27, 2006 10:05 AM (in response to david.l.small)
OK, aside from a reinstall, I'm not sure what I did differently, but I now get this error. It happens on first access of the application. This means that deployment is happening correctly, but that for some reason it is either using the default realm or ignoring the DatabaseServerLoginModule.
10:01:02,240 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:121)
at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:67)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:225)
at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:55)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
at org.jboss.ejb3.stateless.StatelessRemoteProxy.invoke(StatelessRemoteProxy.java:102)