10 Replies Latest reply on Nov 6, 2006 9:16 AM by jaikiran

    Error 403 when using DatabaseServerLoginModule

      Hi all,
      I am trying to configure JAAS in JBoss 4.0.4.GA for a sample Seam application. Here are my configs:


      JBoss 4.0.4.GA
      Seam 1.0.1.GA
      Hibernate 3.2.0 CR1
      MySQL 4.1.9



      My Principals and Roles Tables are as follows:

      
      --
      -- Table structure for table `principals`
      --
      
      CREATE TABLE `principals` (
       `PrincipalId` varchar(255) NOT NULL default '',
       `Password` varchar(255) NOT NULL default '',
       PRIMARY KEY (`PrincipalId`)
      ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
      
      --
      -- Dumping data for table `principals`
      --
      
      INSERT INTO `principals` VALUES ('Admin', 'admin');
      INSERT INTO `principals` VALUES ('user', 'user');
      INSERT INTO `principals` VALUES ('Yogesh', 'yogesh');
      
      --
      -- Table structure for table `roles`
      --
      
      CREATE TABLE `roles` (
       `PrincipalId` varchar(255) NOT NULL default '',
       `Role` varchar(255) NOT NULL default '',
       `RoleGroup` varchar(255) NOT NULL default '',
       PRIMARY KEY (`PrincipalId`)
      ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
      
      --
      -- Dumping data for table `roles`
      --
      
      INSERT INTO `roles` VALUES ('Admin', 'Admin', 'Admin');
      INSERT INTO `roles` VALUES ('user', 'User', 'User');
      INSERT INTO `roles` VALUES ('Yogesh', 'Admin', 'Admin');
      
      
      
      




      Here's what's in my jboss-app.xml:

      
      <jboss-app>
       <module>
       <service>jboss-service.xml</service>
       </module>
      
       <loader-repository>seam.jboss.org:loader=seam-seamapp</loader-repository>
      </jboss-app>
      
      
      



      and my jboss-service.xml:

      
      <?xml version="1.0" encoding="UTF-8"?>
      <server>
       <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
       name="JAASExample:service=DynamicLoginConfig">
       <attribute name="AuthConfig">login-config.xml</attribute>
       <depends optional-attribute-name="LoginConfigService">
       jboss.security:service=XMLLoginConfig
       </depends>
       <depends optional-attribute-name="SecurityManagerService">
       jboss.security:service=JaasSecurityManager
       </depends>
       </mbean>
      </server>
      
      


      my login-config.xml:

      
      <?xml version='1.0'?>
      <!DOCTYPE policy PUBLIC
       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
      
      <policy>
       <application-policy name = "jaastest">
       <authentication>
       <login-module
       code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag = "required">
       <module-option name = "dsJndiName">java:/jaastestDatasource</module-option>
       <module-option
       name="usersProperties">
       SELECT password for principals WHERE principalId=?
       </module-option>
       <module-option
       name="rolesProperties">
       SELECT role as Roles, roleGroup as RoleGroups from roles where principalId=?
       </module-option>
       </login-module>
       </authentication>
       </application-policy>
      </policy>
      
      



      and my jboss-web.xml under the WEB-INF folder:

      
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">
      <jboss-web>
       <security-domain>java:/jaas/jaastest</security-domain>
      </jboss-web>
      
      
      


      and I added the following lines to my web.xml:

      
       <!-- JAAS Security Configurations -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>All resources</web-resource-name>
       <description>Protects all resources</description>
       <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>Admin</role-name>
       </auth-constraint>
       </security-constraint>
      
       <security-role>
       <role-name>Admin</role-name>
       </security-role>
      
       <security-role>
       <role-name>User</role-name>
       </security-role>
      
       <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>JaasTestRealm</realm-name>
       </login-config>
      
      




      My EAR file is as follows:

      seamapp.ear:
      - META-INF
      - seamapp.war
      - seamapp.ejb3
      - login-config.xml
      - jboss-service.xml





      Though the authentication works and I am redirected to the correct page, the following error message is displayed:

      HTTP Status 403 - Access to the requested resource has been denied
      
      --------------------------------------------------------------------------------
      
      type Status report
      
      message Access to the requested resource has been denied
      
      description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
      
      
      



      Can anyone help me with what's wrong in the configs?


      Also I would like to be able to see all the logs of the DatabaseServerLoginModule. Until now I am only able to see the log when a wrong password has been entered for a correct username, which is as follows:

      09:46:30,781 DEBUG [DatabaseServerLoginModule] Bad password for username=Yogesh
      




      Regards,
      Jankee Yogesh
      http://www.m-itc.net

        • 1. Re: Error 403 when using DatabaseServerLoginModule
          jaikiran

           

          Also I would like to be able to see all the logs of the DatabaseServerLoginModule.


          Have a look at Q4 at:

          http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ

          to enable TRACE level logs of jboss security package.



          • 2. Re: Error 403 when using DatabaseServerLoginModule

            Hello jaikiran,
            Thanks for helping me with the debugging. I managed to get the logs. What I fail to understand is why the user role is not assigned to the principal.


            
            20:01:05,265 TRACE [jaastest] Begin isValid, principal:admin, cache info: null
            20:01:05,265 TRACE [jaastest] defaultLogin, principal=admin
            20:01:05,265 TRACE [XMLLoginConfigImpl] Begin getAppConfigurationEntry(jaastest), size=10
            20:01:05,265 TRACE [XMLLoginConfigImpl] End getAppConfigurationEntry(jaastest), authInfo=AppConfigurationEntry[]:
            [0]
            LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
            ControlFlag: LoginModuleControlFlag: required
            Options:name=rolesProperties, value=SELECT role from roles where principalId=?
            name=usersProperties, value=SELECT password for principals WHERE principalId=?
            name=dsJndiName, value=java:/jaastestDatasource
            
            20:01:05,265 DEBUG [WebappClassLoader] loadClass(org.jboss.security.auth.spi.DatabaseServerLoginModule, false)
            20:01:05,265 DEBUG [WebappClassLoader] Searching local repositories
            20:01:05,265 DEBUG [WebappClassLoader] findClass(org.jboss.security.auth.spi.DatabaseServerLoginModule)
            20:01:05,265 DEBUG [WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@188689a
            20:01:05,265 DEBUG [WebappClassLoader] Loading class from parent
            20:01:05,265 DEBUG [WebappClassLoader] loadClass(org.jboss.util.naming.NonSerializableFactory, false)
            20:01:05,265 DEBUG [WebappClassLoader] Searching local repositories
            20:01:05,265 DEBUG [WebappClassLoader] findClass(org.jboss.util.naming.NonSerializableFactory)
            20:01:05,265 DEBUG [WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@188689a
            20:01:05,265 DEBUG [WebappClassLoader] Loading class from parent
            20:01:05,281 TRACE [jaastest] defaultLogin, lc=javax.security.auth.login.LoginContext@d72e3f, subject=Subject(18693899).principals=org.jboss.security.SimplePrincipal@17050661(admin)org.jboss.security.SimpleGroup@12759622(Admin(members:Admin))
            20:01:05,281 TRACE [jaastest] updateCache, inputSubject=Subject(18693899).principals=org.jboss.security.SimplePrincipal@17050661(admin)org.jboss.security.SimpleGroup@12759622(Admin(members:Admin)), cacheSubject=Subject(18223014).principals=org.jboss.security.SimplePrincipal@17050661(admin)org.jboss.security.SimpleGroup@12759622(Admin(members:Admin))
            20:01:05,281 TRACE [jaastest] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@15d84e0[Subject(18223014).principals=org.jboss.security.SimplePrincipal@17050661(admin)org.jboss.security.SimpleGroup@12759622(Admin(members:Admin)),credential.class=java.lang.String@31598780,expirationTime=1162571435218]
            20:01:05,281 TRACE [jaastest] End isValid, true
            20:01:05,281 TRACE [JBossSecurityMgrRealm] User: admin is authenticated
            20:01:05,281 TRACE [SecurityAssociation] pushSubjectContext, subject=Subject:
             Principal: admin
             Principal: Admin(members:Admin)
            , sc=org.jboss.security.SecurityAssociation$SubjectContext@becf73{principal=admin,subject=19247740}
            20:01:05,281 TRACE [jaastest] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@15d84e0[Subject(18223014).principals=org.jboss.security.SimplePrincipal@17050661(admin)org.jboss.security.SimpleGroup@12759622(Admin(members:Admin)),credential.class=java.lang.String@31598780,expirationTime=1162571435218]
            20:01:05,281 TRACE [JBossSecurityMgrRealm] Mapped from input principal: adminto: admin
            20:01:05,281 TRACE [SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@becf73{principal=admin,subject=19247740}
            20:01:05,281 TRACE [jaastest] getUserRoles, subject: Subject:
             Principal: admin
             Principal: Admin(members:Admin)
            
            20:01:05,281 TRACE [JBossSecurityMgrRealm] End authenticate, principal=GenericPrincipal[admin()]
            20:01:05,281 DEBUG [AuthenticatorBase] Authenticated 'admin' with type 'BASIC'
            20:01:05,281 DEBUG [AuthenticatorBase] Calling accessControl()
            20:01:05,281 TRACE [JBossSecurityMgrRealm] Checking roles GenericPrincipal[admin()]
            20:01:05,281 DEBUG [RealmBase] Username admin does NOT have role user
            20:01:05,281 TRACE [JBossSecurityMgrRealm] No role found: user
            20:01:05,281 TRACE [JBossSecurityMgrRealm] Checking for all roles mode: authOnly
            20:01:05,281 DEBUG [AuthenticatorBase] Failed accessControl() test
            20:01:05,281 TRACE [SecurityAssociation] clear, server=true
            
            



            Is something missing in my configs? The correct user seems to be authenticated; it's only the user role which is not being found.


            Thanks in advance.


            Regards,
            Jankee Yogesh
            http://www.m-itc.net

            • 3. Re: Error 403 when using DatabaseServerLoginModule
              jaikiran

              In your login-config.xml:

              <module-option
               name="usersProperties">
               SELECT password for principals WHERE principalId=?
               </module-option>
               <module-option
               name="rolesProperties">
               SELECT role as Roles, roleGroup as RoleGroups from roles where principalId=?
               </module-option>


              Note the property names usersProperties and rolesProperties. They are incorrect. You should have:

              <module-option name = "principalsQuery">your query</module-option>
              
               <module-option name = "rolesQuery"> your query </module-option>




              • 4. Re: Error 403 when using DatabaseServerLoginModule
                jaikiran

                Hang on a moment, even though the properties that you mentioned in the config are wrong, JBoss fires the default queries for the users and roles. Your logs mention:

                20:01:05,281 DEBUG [RealmBase] Username admin does NOT have role user
                20:01:05,281 TRACE [JBossSecurityMgrRealm] No role found: user


                So does your roles table map the 'admin' user to the 'user' role? In other words, does the admin user have the user role? It looks like you are trying to access a resource which is allowed to be accessed only by users having the role 'user'.





                • 5. Re: Error 403 when using DatabaseServerLoginModule

                  Hello,
                  As it seems, the query for principals is working, with users being correctly authenticated; it's only the second query that is posing problems. The user Admin has the role Admin in the database and the role constraint has been set as Admin in the web.xml for this resource.

                  I suspect the user is not being authorized correctly because he has no role bound, but I cannot figure out why. Do you have any configs that are working along with a sample DB structure? I am using a simple DB structure like this (found this one on a wiki):

                  Principals Table
                  ==========
                  
                  PrincipalId varchar(255), PRIMARY
                  Password varchar(255),
                  
                  
                  Roles Table
                  =======
                  PrincipalId varchar(255), PRIMARY
                  Role varchar(255),
                  RoleGroup varchar(255)
                  
                  


                  Regards,
                  Jankee Yogesh
                  http://www.m-itc.net

                  • 6. Re: Error 403 when using DatabaseServerLoginModule
                    jaikiran

                    You mentioned, your web.xml contains:

                    <security-constraint>
                     <web-resource-collection>
                     <web-resource-name>All resources</web-resource-name>
                     <description>Protects all resources</description>
                     <url-pattern>/*</url-pattern>
                     </web-resource-collection>
                     <auth-constraint>
                     <role-name>Admin</role-name>
                     </auth-constraint>
                     </security-constraint>
                    
                     <security-role>
                     <role-name>Admin</role-name>
                     </security-role>
                    
                     <security-role>
                     <role-name>User</role-name>
                     </security-role>
                    
                     <login-config>
                     <auth-method>BASIC</auth-method>
                     <realm-name>JaasTestRealm</realm-name>
                     </login-config>


                    Is this exactly what your web.xml contains? The security-role elements should be after the login-config element in the web.xml as per the dtd.


                    • 7. Re: Error 403 when using DatabaseServerLoginModule
                      jaikiran

                      I tried your example and it did not work in my case either. I made some changes and it started working. Here's what I did:

                      1) Change the schema of the tables:

                      User table:
                      
                      CREATE TABLE `users` (
                       `userid` varchar(255) NOT NULL default '',
                       `Password` varchar(255) NOT NULL default '',
                       PRIMARY KEY (`userid`)
                      ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
                      
                      Roles table:
                      
                      CREATE TABLE `roles` (
                       `roleid` varchar(255) NOT NULL default '',
                       `userid` varchar(255) NOT NULL default '',
                      
                       PRIMARY KEY (`roleid`)
                      ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
                      
                      Data in the tables:
                      
                      insert into users values ('user','user');
                      insert into users values ('Admin','admin');
                      
                      insert into roles values('Admin','Admin');
                      insert into roles values('user','User');
                      


                      2) Change the contents in the login-config.xml to:

                      <application-policy name = "jaastest">
                       <authentication>
                       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                       flag = "required">
                       <module-option name = "dsJndiName">java:/jaastestDatasource</module-option>
                       <module-option name = "principalsQuery">select Password from users where userid=?</module-option>
                       <module-option name = "rolesQuery">select roleid, 'Roles' from Roles where userid=?</module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      


                      That's it. No changes to any other files. This worked for me.

                      Let us know, if you still have any issues.

                      • 8. Re: Error 403 when using DatabaseServerLoginModule

                        Thanks for helping. It worked.


                        Regards,
                        Jankee Yogesh
                        http://www.m-itc.net

                        • 9. Re: Error 403 when using DatabaseServerLoginModule

                          Hello,
                          First of all, loads of thanks for the previous help ;0)

                          I have a new issue with JAAS which I hope you might enlighten me on. I am rather new to this but I must say that it works great!


                          I am using Seam, Hibernate, Ajax and Facelets to build a web application. I have two questions (seemingly newbie questions ;0)):


                          (1) The XHTML file is not displayed correctly when the following code is used:

                          <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
                           "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
                          <html xmlns="http://www.w3.org/1999/xhtml"
                           xmlns:s="http://jboss.com/products/seam/taglib"
                           xmlns:ui="http://java.sun.com/jsf/facelets"
                           xmlns:f="http://java.sun.com/jsf/core"
                           xmlns:h="http://java.sun.com/jsf/html"
                           xmlns:si="http://sourceforge.net/projects/easysi"
                           xmlns:t="http://myfaces.apache.org/tomahawk">
                          
                          <body>
                          
                          <ui:composition template="template.xhtml">
                          
                          
                          
                           <ui:define name="topnav">
                          
                           </ui:define>
                          
                           <ui:define name="container">
                           <f:loadBundle basename="Login" var="LoginBundle" />
                           <div class="formContainer">
                          
                           <f:view>
                          
                          
                           <form method="POST" action="j_security_check">
                           User Name: <input type="text" name="j_username" /><br />
                           Password: <input type="password" name="j_password" /><br />
                          
                           <input type="submit" value="Login" />
                           </form>
                          
                           </f:view>
                          
                           </div>
                          
                          
                          
                          
                           </ui:define>
                          
                          </ui:composition>
                          </body>
                          </html>
                          



                          It seems that the page is not correctly rendered when the above code is used. I have come across custom JAAS login modules but would like to know if there is a simpler way first, before implementing this.




                          (2) I need to display certain links only if the user has Admin privileges. How can I check which user role has been assigned to the session in the XHTML file itself, like this:

                           <h:commandLink value="Admin Interface" action="#{AdminBean.dosomething}" rendered="###"/>
                          


                          where ### should be the condition to check.








                          Regards,
                          Jankee Yogesh
                          http://www.m-itc.net


                          • 10. Re: Error 403 when using DatabaseServerLoginModule
                            jaikiran

                            I haven't used Seam and Facelets and am ill-equipped to give you the exact answers.

                            It seems that the page is not correctly rendered when the above code is used.

                            Are you seeing any errors when the page is rendered?

                            I have come across custom JAAS login modules but would like to know if there is a simpler way first, before implementing this.


                            Going by what you have mentioned so far in this thread, I don't see a need for you to implement a custom JAAS login module.

                            I need to display certain links only if the user has Admin privileges. How can I check which user role has been assigned to the session in the XHTML file itself, like this ... where ### should be the condition to check.


                            As I already mentioned, I don't know how you will do it in that XHTML page, but here's what you can do using the request object:

                            // request is the javax.servlet.http.HttpServletRequest of the current call
                            String userName = request.getRemoteUser(); // the user who has logged in, or null if none
                            
                            // isUserInRole checks the roles the security domain assigned at login
                            if (request.isUserInRole("Admin")) {
                             System.out.println("User: " + userName + " has admin privilege");
                            } else {
                             System.out.println("User: " + userName + " does NOT have admin privilege");
                            }
                            



                            Have a look at:
                            http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()
                            and
                            http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)
                            for more details.