EJB Client and Digest Auth using same SecurityDomain
joff Jun 7, 2007 12:12 AMOk, I seem to have run into a bit of an issue with my application.
Firstly, I have an application-policy set up in login-config.xml, and configured with the web-tier, such that in order to access any servlets (actually web services), it requires DIGEST authentication (looked up in the database)
Here is the login-config.xml. Everything else in it is as per default:
<application-policy name="MyDomain"> <authentication> <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required"> <module-option name = "dsJndiName">java:/myDS</module-option> <module-option name = "principalsQuery">SELECT password_hash FROM auth WHERE user_id=?</module-option> <module-option name = "rolesQuery">SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=?</module-option> <module-option name = "hashAlgorithm">MD5</module-option> <module-option name = "hashEncoding">rfc2617</module-option> <module-option name = "hashUserPassword">false</module-option> <module-option name = "hashStorePassword">true</module-option> <module-option name = "passwordIsA1Hash">true</module-option> <module-option name = "storeDigestCallback">org.jboss.security.auth.spi.RFC2617Digest</module-option> </login-module> </authentication> </application-policy>
These services access EJBs, which are set up thus:
@Stateful @Local(CategoriesManagerLocal.class) @SecurityDomain("MyDomain") @RolesAllowed({"Soap","Native"}) public class CategoriesManagerBean implements CategoriesManagerLocal {
This is working fine at the moment, HOWEVER, I also need to access these beans from an incoming JCA Resource Adapter (i.e. a custom TCP/IP protocol) which, as part of the protocol does it's own DIGEST authentication implementation. What I need to do, is programatically authenticate this user with the container, so that I can then access these same beans.
I had tried accessing them like this:
Properties env = new Properties(); env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.LoginInitialContextFactory"); env.setProperty(Context.PROVIDER_URL, "jnp://localhost:1099"); env.setProperty(Context.SECURITY_PROTOCOL, "MyDomain"); env.setProperty(Context.SECURITY_PRINCIPAL, String.valueOf(user.getId())); env.setProperty(Context.SECURITY_CREDENTIALS, user.getPasswordHash()); Context ctx = new InitialContext(env); CategoriesManagerLocal categoriesBean = (CategoriesManagerLocal) ctx.lookup("myapp/CategoriesManagerBean/local"); categoriesBean.doMyAction();
This, naturally fails, as I'm passing in the already hashed password (I cannot access the plaintext of it) from the database, as the credentials, but the settings in the application-policy mean that it will try and use that hashed data as the plaintext, and thus I get:
FATAL [com.myorg.myapp] Failed to login using protocol=MyDomain
So I tried to add a second application-policy, "MyDomainInternal" to login-config.xml, which has all the hashing options taken out, and referring to that in the SECURITY_PROTOCOL, which seems to authenticate the user ok, but then it seems to also check against the "MyDomain" policy, and fails. Is this because I have specified @SecurityDomain("MyDomain") on the EJB? There doesn't seem to be any way to define multiple domains on a bean.
Logfile with security TRACE options enabled follows:
2007-06-07 16:01:51,701 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(MyDomainInternal), size=10 2007-06-07 16:01:51,701 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(MyDomainInternal), authInfo=AppConfigurationEntry[ ]: [0] LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule ControlFlag: LoginModuleControlFlag: required Options:name=rolesQuery, value=SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=? name=principalsQuery, value=SELECT password_hash FROM auth WHERE user_id=? name=dsJndiName, value=java:/myDS 2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize, instance=@2036027929 2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Security domain: FirstAlertGatewayInternal 2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/myDS 2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=SELECT password_hash FROM auth WHERE user_id=? 2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=? 2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendResume=true 2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login 2007-06-07 16:01:51,703 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction 2007-06-07 16:01:51,704 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT password_hash FROM auth WHERE user_id=?, with username: 0 2007-06-07 16:01:51,705 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Obtained user password 2007-06-07 16:01:51,705 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction 2007-06-07 16:01:51,706 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User '0' authenticated, loginOk=true 2007-06-07 16:01:51,706 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true 2007-06-07 16:01:51,706 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] getRoleSets using rolesQuery: SELECT role AS Role,"Roles" AS RoleGroup FROM role WH ERE user_id=?, username: 0 2007-06-07 16:01:51,706 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction 2007-06-07 16:01:51,709 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=?, with username: 0 2007-06-07 16:01:51,710 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role Native 2007-06-07 16:01:51,710 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role Soap 2007-06-07 16:01:51,710 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction 2007-06-07 16:01:51,789 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null 2007-06-07 16:01:51,789 TRACE [org.jboss.security.plugins.JaasSecurityManager.MyDomain] Begin isValid, principal:null, cache info: null 2007-06-07 16:01:51,789 TRACE [org.jboss.security.plugins.JaasSecurityManager.MyDomain] defaultLogin, principal=null 2007-06-07 16:01:51,790 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(MyDomain), size=10 2007-06-07 16:01:51,790 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(MyDomain), authInfo=AppConfigurationEntry[]: [0] LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule ControlFlag: LoginModuleControlFlag: sufficient Options:name=hashEncoding, value=rfc2617 name=rolesQuery, value=SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=? name=principalsQuery, value=SELECT password_hash FROM auth WHERE user_id=? name=hashUserPassword, value=false name=passwordIsA1Hash, value=true name=hashAlgorithm, value=MD5 name=hashStorePassword, value=true name=storeDigestCallback, value=org.jboss.security.auth.spi.RFC2617Digest name=dsJndiName, value=java:/myDS 2007-06-07 16:01:51,790 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize, instance=@5298117 2007-06-07 16:01:51,790 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Security domain: MyDomain 2007-06-07 16:01:51,790 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Password hashing activated: algorithm = MD5, encoding = rfc2617, charset = {default }, callback = null, storeCallback = org.jboss.security.auth.spi.RFC2617Digest 2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/myDS 2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=SELECT password_hash FROM auth WHERE user_id=? 2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=? 2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendResume=true 2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login 2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Authenticating as unauthenticatedIdentity=null 2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction 2007-06-07 16:01:51,792 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT password_hash FROM auth WHERE user_id=?, with username: null 2007-06-07 16:01:51,793 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Query returned no matches from db 2007-06-07 16:01:51,793 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction 2007-06-07 16:01:51,794 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] abort 2007-06-07 16:01:51,794 TRACE [org.jboss.security.plugins.JaasSecurityManager.FirstAlertGateway] Login failure javax.security.auth.login.FailedLoginException: No matching username found in Principals at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:152) at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:206) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ...
Am I close, or totally barking up the wrong tree?