6 Replies Latest reply on Dec 9, 2006 12:03 PM by starksm64

    JAAS newbie - missing something that should be obvious

    grego1

      I'm using jboss-4.0.5.GA installed with the ejb3 "flavor". I'm using the default install.

      Playing around with securing some web content. I created a login.html page for now that has the proper fields: j_username & j_password. Its post action references j_security_check.

      jboss-web.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
       <security-domain>java:/jaas/SPDB</security-domain>
      </jboss-web>
      


      web.xml:
      <web-app>
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>All resources</web-resource-name>
            <description>Protects all resources</description>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>MyUser</role-name>
          </auth-constraint>
        </security-constraint>

        <security-role>
          <description>My User Role</description>
          <role-name>MyUser</role-name>
        </security-role>

        <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>SPDB</realm-name>
          <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/error.html</form-error-page>
          </form-login-config>
        </login-config>
      </web-app>
      


      I've copied one of the other application-policy sections from login-config.xml trying to get some sort of response out of JBoss in the log files. This is what I've added in to login-config.xml right now (in $JBOSS_HOME/server/default/conf):
      <application-policy name = "SPDB">
        <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                        flag = "required">
            <module-option name = "unauthenticatedIdentity">guest</module-option>
            <module-option name = "dsJndiName">java:/polarDS</module-option>
            <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
            <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
          </login-module>
        </authentication>
      </application-policy>
      


      Here is what happens: when I hit the URL of a secured jsp page, the login page comes up as it should. When I type in the user name, pw and hit "login", I immediately get the error page.

      The JBoss console and log files don't even show a single message when I press "login" - let alone showing an entry that anything went wrong.

      In fact, the startup logs don't even mention the new application-policy (called "SPDB"); they should - shouldn't they?

      I'm left thinking that perhaps JAAS isn't even turned on. Being a newbie, I've pored through the documentation and can't find anything on "turning on" JAAS security - it appears to be turned on by default (am I wrong there?).

      I expect I'm missing something simple, and I would appreciate any pointers that you can provide...

      Thanks
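
Added example (not part of the original post and not JBoss code): a Python check that the security-domain named in jboss-web.xml or jboss.xml has a matching application-policy in login-config.xml, and that lists the module options worth reviewing. The sample inputs are constructed from the descriptors quoted above; the `<policy>` root element, the prefix-stripping rule and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"  # prefix used in the post's jboss-web.xml (stripping it is an assumption)
# Options the post sets for the database module; treated here as expected.
EXPECTED_OPTS = ("dsJndiName", "principalsQuery", "rolesQuery")

# Constructed samples based on the descriptors in the post; <policy> root is assumed.
JBOSS_WEB = """<jboss-web>
  <security-domain>java:/jaas/SPDB</security-domain>
</jboss-web>"""

LOGIN_CONFIG = """<policy>
  <application-policy name = "SPDB">
    <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
        <module-option name = "unauthenticatedIdentity">guest</module-option>
        <module-option name = "dsJndiName">java:/polarDS</module-option>
        <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
        <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""


def domain_name(descriptor_xml):
    """Return the security-domain of jboss-web.xml/jboss.xml without the JNDI prefix."""
    value = (ET.fromstring(descriptor_xml).findtext("security-domain") or "").strip()
    return value[len(JAAS_PREFIX):] if value.startswith(JAAS_PREFIX) else value


def check(descriptor_xml, login_config_xml):
    """List findings for the domain a descriptor references; an empty list means none."""
    domain = domain_name(descriptor_xml)
    policies = {p.get("name"): p for p in ET.fromstring(login_config_xml).iter("application-policy")}
    if domain not in policies:
        return [f"no application-policy named {domain!r}; defined: {sorted(policies)}"]
    findings = []
    for module in policies[domain].iter("login-module"):
        opts = {o.get("name"): (o.text or "").strip() for o in module.iter("module-option")}
        if module.get("code", "").endswith("DatabaseServerLoginModule"):
            findings += [f"module-option {n} not set" for n in EXPECTED_OPTS if n not in opts]
        if "unauthenticatedIdentity" in opts:
            findings.append(f"unauthenticatedIdentity={opts['unauthenticatedIdentity']}: given to callers with no credentials")
    return findings


if __name__ == "__main__":
    print("\n".join(check(JBOSS_WEB, LOGIN_CONFIG) or ["no findings"]))
```

A policy-name mismatch is reported before the server is started, and the `unauthenticatedIdentity` line is flagged because that option assigns the named identity to requests that carry no authentication information.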

        • 1. Re: JAAS newbie - missing something that should be obvious
          jaikiran

           

          <?xml version="1.0" encoding="UTF-8"?>
          <jboss-web>
           <security-domain>java:/jaas/SPDB</security-domain>
          </jboss-web>


          Change it to:
          <?xml version="1.0" encoding="UTF-8"?>
          <jboss-web>
           <security-domain>SPDB</security-domain>
          </jboss-web>


          and give it a try.

          • 2. Re: JAAS newbie - missing something that should be obvious
            grego1

             

            "jaikiran" wrote:
            Change it to:
            
            <?xml version="1.0" encoding="UTF-8"?>
            <jboss-web>
             <security-domain>SPDB</security-domain>
            </jboss-web>
            
            
            and give it a try.


            Ok - nice - that worked well! Thank you!!!

            One question on the next part. Now the error report from the jboss console says:
            14:23:52,491 ERROR [JBossSecurityMgrRealm] Error during authenticate
            javax.naming.NamingException: Could not dereference object [Root exception is javax.naming.NameNotFoundException: SPDB not bound]
            
            


            But the login-config.xml file clearly has the SPDB section in it... Do I need to expressly tell JAAS about the new application policy? (And I have restarted jboss after adding the section to the login-config.xml file.)

            Should I be moving the EJB security-domain over to that as well? as in (jboss.xml):
            <jboss>
             <security-domain>java:/jaas/SPDB</security-domain>
            </jboss>
            


            Thanks.

            • 3. Re: JAAS newbie - missing something that should be obvious
              jaikiran

               

              Should I be moving the EJB security-domain over to that as well?


              Yes you will have to change the jboss.xml as well. It should look like:
              <jboss>
               <security-domain>SPDB</security-domain>
              </jboss>


              But going by the NameNotFound exception that you have mentioned, I guess there's something else that's failing. Let us know if, even after this change to jboss.xml, you are running into problems.

              • 4. Re: JAAS newbie - missing something that should be obvious
                grego1

                Right - same problem (NameNotFoundException) after changing jboss.xml and jboss-web.xml to a security-domain of SPDB instead of "java:/jaas/SPDB"...

                I'm going to dig into that and see why login-config.xml is (seemingly) not being read.

                I'm not sure I fully understand the relationship between login-config.xml and client/auth.conf yet. I'm going to see if I can find more documentation on that. I have tried this both with an entry for SPDB in auth.conf and without an entry there, and it doesn't make a difference either way...

                • 5. Re: JAAS newbie - missing something that should be obvious
                  grego1

                  From the jmx-console, the SecurityConfig mbean is clearly set up with LoginConfig set to: jboss.security:service=XMLLoginConfig

                  And (again from the jmx-console) XMLLoginConfig has ConfigURL correctly pointing to:
                  file:/opt/jboss/jboss-4.0.5.GA/server/default/conf/login-config.xml

                  One question: should the URL be file://opt... ???

                  • 6. Re: JAAS newbie - missing something that should be obvious
                    starksm64

                     

                    "grego@spiekerpoint.com" wrote:

                    I'm not sure I fully understand the relationship between login-config.xml and client/auth.conf yet. I'm going to see if I can find more documentation on that. I have tried this both with an entry for SPDB in auth.conf and without an entry there, and it doesn't make a difference either way...

                    There is no relationship other than that credentials obtained from the client jaas configuration (auth.conf) are propagated to the server by the invocation transport and need to be valid in the target ejb security domain jaas config (login-config.xml).

                    See:
                    http://docs.jboss.com/jbossas/guides/j2eeguide/r2/en/html_single/#ch8.chapter