6 Replies Latest reply on Apr 12, 2010 9:37 PM by longbeach

    Role Authorization problem with Custom Authenticator

      Hello, I am writing a custom Authenticator class that collects credentials from a Siteminder SMSESSION cookie. I created a security domain called CustomSMAuth and assigned the SimpleServerLoginModule to it. According to JBoss doc, this authenticator assigns a role of 'user' if the username and password are the same value. That is the behavior I'm trying to get.

      I can confirm that the Authenticator is executed and is working, but access is denied based on the user role authorization. I'm not sure if my authenticator class should be doing something different, or if I have a configuration issue with JBoss. Any help would be appreciated!

      The authenticator, after retrieving the userid value, does the following:

      // three-argument GenericPrincipal(realm, name, password): no role list is attached to the principal
      GenericPrincipal userPrincipal = new GenericPrincipal(context.getRealm(), userid.trim(), userid.trim());
      session.setAttribute(Constants.SESS_USERNAME_NOTE, userPrincipal);
      request.setUserPrincipal(userPrincipal);
      // AuthenticatorBase.register(): sets authType and principal on the request and caches the principal in the session
      register(request, response, userPrincipal, "SMSESSION", userid.trim(), userid.trim());
      return true;

      my web.xml:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Success</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>user</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>SMSESSION</auth-method>
      </login-config>

      <security-role>
        <role-name>user</role-name>
      </security-role>


      jboss-web.xml:

      <jboss-web>
        <security-domain>java:/jaas/CustomSMAuth</security-domain>
      </jboss-web>


      login-config.xml:
      <application-policy name="CustomSMAuth">
        <!-- login-module elements must sit inside <authentication> for JBoss to load the policy -->
        <authentication>
          <login-module code="org.jboss.security.auth.spi.SimpleServerLoginModule"
                        flag="required">
          </login-module>
        </authentication>
      </application-policy>


      and the log excerpt showing output from my authenticator and the authorization failure:

      2007-12-03 09:54:44,518 DEBUG [com.sas.smutil.SMSESSIONAuthenticator] Login return code: 1
      2007-12-03 09:54:44,518 DEBUG [com.sas.smutil.SMSESSIONAuthenticator] Validation Accepted, setting user principal
      2007-12-03 09:54:44,533 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'sasdemo' with type 'SMSESSION'
      2007-12-03 09:54:44,533 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
      2007-12-03 09:54:44,533 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[sasdemo()]
      2007-12-03 09:54:44,533 DEBUG [org.apache.catalina.realm.RealmBase] Username sasdemo does NOT have role user
      2007-12-03 09:54:44,533 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: user
      2007-12-03 09:54:44,533 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking for all roles mode: authOnly
      2007-12-03 09:54:44,533 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test
      2007-12-03 09:54:44,533 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ---------------------------------------------------------------
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] authType=SMSESSION
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] contentLength=-1
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] contentType=text/html;charset=utf-8
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] cookie=JSESSIONID=6F898FB15DD78EC4EEBC503B5593873C; domain=null; path=/
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Pragma=No-cache
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Cache-Control=no-cache
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Expires=Wed, 31 Dec 1969 19:00:00 EST
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Set-Cookie=JSESSIONID=6F898FB15DD78EC4EEBC503B5593873C; Path=/
      2007-12-03 09:54:44,549 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] message=Access to the requested resource has been denied
      2007-12-03 09:54:44,549 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] remoteUser=sasdemo
      2007-12-03 09:54:44,549 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] status=403
      2007-12-03 09:54:44,549 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ===============================================================

        • 1. Re: Role Authorization problem with Custom Authenticator

          I found one solution, though I'm not sure if this is the right solution.
          I used a different constructor for the GenericPrincipal that included a
          list of roles, which at the moment I just populated with a hardcoded role name, and it worked.

          I thought obtaining the role 'mapping' was a function of the login module, not the Authenticator? Apparently the Authenticator needs to include the roles in the user principal object.
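The fix reply 1 describes, written out as an added example rather than the original poster's code: a Tomcat 5.5-era (JBoss 4.0.x) AuthenticatorBase subclass that builds the principal through the four-argument GenericPrincipal constructor so it carries roles. The log above shows why that matters: JBossSecurityMgrRealm checks roles on the GenericPrincipal itself ("GenericPrincipal[sasdemo()]" is an empty role list), and the security domain's login module is never consulted on this path, so the authenticator has to supply the roles. The package name, the "user" role and the abstract validateAndExtractUser() hook are assumptions; a concrete subclass must implement that hook against the SiteMinder Policy Server (the SDK call is not shown here).

```java
// Added example, not the original poster's authenticator. Tomcat 5.5 / JBoss 4.0.x API.
// Assumed: package name, the "user" role, and validateAndExtractUser(), which a
// subclass implements against the SiteMinder Policy Server (SDK not shown).
package com.example.smauth;

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;

public abstract class SmSessionAuthenticator extends AuthenticatorBase {

    private static final String COOKIE_NAME = "SMSESSION";
    private static final String AUTH_TYPE = "SMSESSION";
    // Granted here because JBossSecurityMgrRealm.hasRole() reads the roles held by
    // the GenericPrincipal; an empty list produces "does NOT have role user".
    private static final List ROLES = Arrays.asList(new String[] { "user" });

    /** Validate the SMSESSION token with the Policy Server; return the user name, or null if invalid. */
    protected abstract String validateAndExtractUser(String smsessionToken);

    protected boolean authenticate(Request request, Response response, LoginConfig config)
            throws IOException {
        // register() caches the principal in the session, and AuthenticatorBase.invoke()
        // restores it onto the request, so a repeat request needs no re-validation.
        if (request.getUserPrincipal() != null) {
            return true;
        }

        String token = findCookie(request.getCookies(), COOKIE_NAME);
        String userid = (token == null) ? null : validateAndExtractUser(token);
        if (userid == null || userid.trim().length() == 0) {
            // No valid SiteMinder session: deny instead of falling through.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        userid = userid.trim();

        // Four-argument form: realm, name, password, roles. The three-argument form
        // used in the original post attaches no roles at all.
        Principal principal = new GenericPrincipal(context.getRealm(), userid, null, ROLES);

        // Sets authType and principal on the request and caches the principal in the
        // session. No password is stored: the validated cookie is the credential.
        register(request, response, principal, AUTH_TYPE, userid, null);
        return true;
    }

    /** Return the non-empty value of the named cookie, or null. */
    static String findCookie(Cookie[] cookies, String name) {
        if (cookies == null) {
            return null;
        }
        for (int i = 0; i < cookies.length; i++) {
            if (name.equals(cookies[i].getName())) {
                String value = cookies[i].getValue();
                return (value == null || value.length() == 0) ? null : value;
            }
        }
        return null;
    }
}
```

Two things to check before deploying something like this. First, the auth-method name in web.xml (SMSESSION above) has to be mapped to the class: stock Tomcat 5.5 does that in org/apache/catalina/startup/Authenticators.properties, and JBoss 4.2 exposes an Authenticators attribute in deploy/jboss-web.deployer/META-INF/jboss-service.xml instead, so confirm which mechanism your JBoss version uses before patching catalina.jar. Second, because this authenticator never calls the realm, the SimpleServerLoginModule in the CustomSMAuth domain does not run for web requests; the user-equals-password trick in the original post had no effect, and the only authentication that happens is whatever validateAndExtractUser() does against the Policy Server, so that hook must not merely decode the cookie.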

          • 2. Re: Role Authorization problem with Custom Authenticator
            vparmar

            Hi brengl, anyone,

            This obviously is a newbie question so try to answer even if it sounds trivial. I am using JBoss-4.0.5-GA, JDK 1.5.



            Currently, I am in the process of writing a Custom Form Authenticator and have an idea how to do it in jakarta-tomcat-5.0.28. The reason I need a custom Authenticator is for obtaining extra information from the User via the Form. I also have to do the Authentication from a non-Database/ non-LDAP source using APIs. For which I believe I have to write a custom Login Module as well. The Authorization (Role-Mapping) will be available from a Database.

            My questions to you (since you have taken a similar route):

            1) What are the configuration/settings required for JBoss? Please specify/elaborate the contents for web.xml and jboss-service.xml. From your original post I do have some idea. However I would like to make sure nothing was omitted for brevity.

            2) Did you manually modify the catalina.jar (Authenticators.properties) to enable JBoss to recognize the Custom Auth Method? If not, then how is it possible?
            3) Where to install the Custom Authenticator Jar?
            4) Any Gotchas one needs to be aware of?


            Any help is appreciated,

            Thanks in advance.

            vparmar

            • 3. Re: Role Authorization problem with Custom Authenticator

              vparmar, I had forgotten that I made this inquiry, it seems you found a really old post. I appreciate the response though.

              What I ended up doing here was creating a custom LoginModule instead of an Authenticator class. That ended up doing what I needed. The way I set it up was to require that an HTTP server with a valid Siteminder agent be in front of JBoss as a reverse proxy. My LoginModule would then take the encrypted SMSESSION cookie from the HTTP server and I could validate it with the Siteminder Policy Server and retrieve identity and authorization information from the Policy Server in order to create a user Principal. If there is no valid SMSESSION cookie present the login fails.

              This doesn't create a true Siteminder 'agent' for JBoss, but it does allow integration with Siteminder through a reverse proxy.

              • 4. Re: Role Authorization problem with Custom Authenticator
                vparmar

                brengl,

                Thanks for the quick response. I understand your use case was better served with the custom login module after all.

                Your response did give me ideas on one of my future action items related to Siteminder.

                vparmar

                • 5. Re: Role Authorization problem with Custom Authenticator

                  One more comment to clarify: I made no provision in my login module to obtain credentials, i.e. a CallbackHandler or anything like that. It strictly relied on a valid SMSESSION cookie. If it was available and valid it would succeed, otherwise it would fail.
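The login-module route described in replies 3 and 5, as an added example (brengl's own module was not posted, so this is not his code): a JBoss 4.x server login module that asks the CallbackHandler for nothing, locates the SMSESSION cookie on the current request, has it validated, and hands the resulting user and roles to JBoss through getIdentity() and getRoleSets(). Assumptions: the JACC PolicyContext key "javax.servlet.http.HttpServletRequest" is populated by the JBoss web container; SmSessionValidator is a hypothetical stand-in for the SiteMinder Agent API / Policy Server validation and is loaded from a validatorClass module option; the package name is invented.

```java
// Added example, not brengl's module. JBoss 4.x AbstractServerLoginModule API.
// Assumed: PolicyContext carries the HttpServletRequest under the JACC key below,
// and SmSessionValidator stands in for the SiteMinder SDK call (not shown).
package com.example.smauth;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

public class SmSessionLoginModule extends AbstractServerLoginModule {

    /** Hypothetical hook around the SiteMinder SDK, named by the validatorClass module option. */
    public interface SmSessionValidator {
        /** @return the user name bound to a valid token, or null if the token is invalid or expired */
        String userFor(String smsessionToken);
        /** @return role names for the validated token (never null) */
        List rolesFor(String smsessionToken);
    }

    private static final String COOKIE_NAME = "SMSESSION";
    private static final String REQUEST_KEY = "javax.servlet.http.HttpServletRequest";

    private SmSessionValidator validator;
    private Principal identity;
    private List roles;

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        super.initialize(subject, handler, sharedState, options);
        // <module-option name="validatorClass">com.example.smauth.PolicyServerValidator</module-option>
        String cls = (String) options.get("validatorClass");
        try {
            validator = (SmSessionValidator) Class.forName(cls).newInstance();
        } catch (Exception e) {
            validator = null; // reported from login(), where a LoginException is allowed
        }
    }

    public boolean login() throws LoginException {
        loginOk = false;
        if (validator == null) {
            throw new LoginException("validatorClass option missing or not loadable");
        }
        HttpServletRequest request;
        try {
            request = (HttpServletRequest) PolicyContext.getContext(REQUEST_KEY);
        } catch (PolicyContextException e) {
            throw new LoginException("no HttpServletRequest in PolicyContext: " + e.getMessage());
        }
        String token = (request == null) ? null : cookieValue(request.getCookies(), COOKIE_NAME);
        String user = (token == null) ? null : validator.userFor(token);
        if (user == null) {
            // Missing or invalid SMSESSION: fail, and never fall back to another credential.
            throw new LoginException("no valid SMSESSION cookie");
        }
        identity = new SimplePrincipal(user);
        roles = validator.rolesFor(token);
        loginOk = true;
        return true;
    }

    protected Principal getIdentity() {
        return identity;
    }

    protected Group[] getRoleSets() throws LoginException {
        // JBoss takes authorization roles from the group named "Roles".
        SimpleGroup group = new SimpleGroup("Roles");
        for (Iterator it = roles.iterator(); it.hasNext();) {
            group.addMember(new SimplePrincipal((String) it.next()));
        }
        return new Group[] { group };
    }

    /** Return the non-empty value of the named cookie, or null. */
    static String cookieValue(Cookie[] cookies, String name) {
        if (cookies == null) {
            return null;
        }
        for (int i = 0; i < cookies.length; i++) {
            String value = cookies[i].getValue();
            if (name.equals(cookies[i].getName()) && value != null && value.length() > 0) {
                return value;
            }
        }
        return null;
    }
}
```

The module is wired into the security domain in login-config.xml like the SimpleServerLoginModule above, with the validatorClass module option added. Note that a login module only runs when an authenticator in the web tier calls the realm, so it still needs something to drive it; JBoss 4.2 ships org.jboss.web.tomcat.security.GenericHeaderAuthenticator, which authenticates from a configured header or cookie name (sessionCookieForSSOAuth) for exactly this proxy-fronted setup, though you should verify that class exists in your version. The trust boundary is the reverse proxy: JBoss must be reachable only through the SiteMinder-fronted HTTP server, and the validator must actually check the token with the Policy Server rather than just decode it, which is what reply 3 describes and what makes a forged or replayed cookie fail.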

                  • 6. Re: Role Authorization problem with Custom Authenticator
                    longbeach

                    Brian,
                    can you share the code of that custom LoginModule ?
                    And how did you set up this HTTP server with a valid Siteminder agent in front of JBoss as a reverse proxy?
                    Thanks.