1 Reply Latest reply on Oct 2, 2006 5:49 AM by rtosin

    Intermittent losing of user principal in standalone Tomcat

    rtosin

      Hi All,


      I have a web application running on JBoss 4.0.4. I use LdapLoginModule to secure the EJB tier. In the web tier, I add a filter that performs a JAAS login (using the client-login module) for every incoming request. Everything works fine; the user's principal and credentials are propagated successfully from the web tier to the EJB tier.

      The problem arises when I try to move the web tier to a standalone Tomcat (version 5.5.17). The user's principal is lost in the middle of method calls. Here's the call sequence:

      1. do JAAS login in web tier
      2. call method1 in EJB tier - successful
      3. call method2 in EJB tier - successful
      4. call method3 in EJB tier - failed, user's principal is NULL
      5. do JAAS logout

      The strange thing is, I can invoke method3 in EJB tier successfully at least once if I try it a few times.

      Here's the stacktrace in Web tier (Tomcat):

      java.rmi.AccessException: SecurityException; nested exception is:
       javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
       at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:388)
       at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:209)
       at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:136)
       at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
       at org.jboss.ejb.Container.invoke(Container.java:954)
       at sun.reflect.GeneratedMethodAccessor96.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:819)
       at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:420)
       at sun.reflect.GeneratedMethodAccessor101.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
       at sun.rmi.transport.Transport$1.run(Transport.java:153)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
       at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
       at java.lang.Thread.run(Thread.java:595)
      Caused by: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
       at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
       at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:211)
       at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:158)
       at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
       ... 23 more
      


      Here's the stacktrace in EJB tier (JBoss):
      2006-09-29 17:24:29,011 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=admin
      2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] local transaction exists - registering global tx if not present for Thread[RMI TCP Connection(428)-127.0.0.1,5,RMI Runtime]
      2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] Transaction TransactionImpl:XidImpl[FormatId=257, GlobalId=quark/3739, BranchQual=, localId=3739] is already registered.
      2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] Running commit phase. One phase? false
      2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] Finished local commit/rollback method for GlobalTransaction:<null>:939
      2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] Finished commit phase
      2006-09-29 17:24:29,011 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
      2006-09-29 17:24:29,011 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@a8018a{principal=admin,subject=null}
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] Begin isValid, principal:admin, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170]
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] Begin validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170];credential.class=[C@27310413
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] End validateCache, isValid=true
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] End isValid, true
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
       Principal: admin
       Principal: Roles(members)
      , sc=org.jboss.security.SecurityAssociation$SubjectContext@34e0db{principal=admin,subject=26629440}
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@34e0db{principal=admin,subject=26629440}
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] Begin isValid, principal:admin, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170]
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] Begin validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170];credential.class=[C@27310413
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] End validateCache, isValid=true
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] End isValid, true
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
       Principal: admin
       Principal: Roles(members)
      , sc=org.jboss.security.SecurityAssociation$SubjectContext@15673be{principal=admin,subject=13167287}
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.SecurityAssociation] getCallerPrincipal, principal=admin
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170]
      2006-09-29 17:24:29,037 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
      2006-09-29 17:24:29,037 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@15673be{principal=admin,subject=13167287}
      2006-09-29 17:24:29,040 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1859504{principal=null,subject=null}
      2006-09-29 17:24:29,040 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2006-09-29 17:24:29,040 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
      2006-09-29 17:24:29,040 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@1859504{principal=null,subject=null}
      2006-09-29 17:24:29,046 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@73280f{principal=null,subject=null}
      2006-09-29 17:24:29,046 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2006-09-29 17:24:29,046 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
      2006-09-29 17:24:29,046 DEBUG [org.jboss.cache.interceptors.TxInterceptor] local transaction exists - registering global tx if not present for Thread[RMI TCP Connection(428)-127.0.0.1,5,RMI Runtime]
      



      I've searched the forum but I couldn't find any useful information related to my problem. Are there any additional configuration steps that I have to do if I want to implement JAAS on separate Tomcat + JBoss? Any help will be greatly appreciated.


      regards,



        • 1. Re: Intermittent losing of user principal in standalone Tomc
          rtosin

          The problem is solved after I added multi-threaded="true" in auth.conf.

          Taken from http://wiki.jboss.org/wiki/Wiki.jsp?page=ClientLoginModule


          When the multi-threaded option is set to true, each login thread has its own principal and credential storage. This is useful in client environments where multiple user identities are active in separate threads. When true, each separate thread must perform its own login. When set to false the login identity and credentials are global variables that apply to all threads in the VM. The default for this option is false.


          Does it mean that embedded Tomcat and standalone Tomcat handle threads in different ways (since I'm using the same code but got different results when I deployed it in different environments)?

          regards,
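
The storage behaviour quoted from the ClientLoginModule documentation can be reproduced with a small model. This is an added example, not code from the thread or from JBoss: `GlobalStore`, `PerThreadStore` and the two-request schedule are hypothetical stand-ins for the `multi-threaded=false` and `multi-threaded=true` modes, and the assumption is that a second request logs out while the first is still between EJB calls.

```java
import java.util.concurrent.CountDownLatch;

// Simplified model of the two credential-storage modes; not JBoss source.
public class IdentityStoreDemo {
    interface Store { void login(String p); void logout(); String current(); }
    // multi-threaded=false: one identity shared by every thread in the VM.
    static class GlobalStore implements Store {
        private volatile String principal;
        public void login(String p) { principal = p; }
        public void logout() { principal = null; }
        public String current() { return principal; }
    }
    // multi-threaded=true: each thread keeps its own identity.
    static class PerThreadStore implements Store {
        private final ThreadLocal<String> principal = new ThreadLocal<>();
        public void login(String p) { principal.set(p); }
        public void logout() { principal.remove(); }
        public String current() { return principal.get(); }
    }
    // Request A logs in and makes two "EJB calls"; request B logs in and
    // out between them, as a concurrent servlet request could (constructed schedule).
    static String[] run(Store store) throws InterruptedException {
        String[] seen = new String[2];
        CountDownLatch firstCallDone = new CountDownLatch(1), otherFinished = new CountDownLatch(1);
        Thread a = new Thread(() -> {
            store.login("admin");
            seen[0] = store.current();   // first call: identity as seen by request A
            firstCallDone.countDown();
            await(otherFinished);
            seen[1] = store.current();   // later call: identity after B's logout
            store.logout();
        });
        Thread b = new Thread(() -> {
            await(firstCallDone);
            store.login("guest");
            store.logout();              // the filter's logout at the end of request B
            otherFinished.countDown();
        });
        a.start(); b.start(); a.join(); b.join();
        return seen;
    }
    static void await(CountDownLatch latch) {
        try { latch.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("global:     " + String.join(" then ", run(new GlobalStore())));
        System.out.println("per-thread: " + String.join(" then ", run(new PerThreadStore())));
    }
}
```

With the shared store, request A's second lookup comes back empty because request B's logout cleared the only copy; with per-thread storage each request keeps the identity it logged in with.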