3 Replies Latest reply on Mar 28, 2008 11:27 AM by jgilmore

    Arrggh!  JAAS Policy File with JBOSS - Please Help!

    jgilmore

      My application security runs great in Tomcat but when I run it in JBoss it doesn't work.

      I have deployed a DynamicLoginConfig MBean to specify the location of my custom login-config.xml:

      jboss-service.xml:

      <server>
        <!-- JG:
             Added this mbean so that jboss will look first in META-INF for the login config before looking in the config directory
             of the jboss root -->
        <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
               name="jboss:service=DynamicLoginConfig">
          <attribute name="AuthConfig">META-INF/jboss-login-config.xml</attribute>
          <!-- The service which supports dynamic processing of login-config.xml
               configurations. -->
          <depends optional-attribute-name="LoginConfigService">
            jboss.security:service=XMLLoginConfig
          </depends>
          <!-- Optionally specify the security mgr service to use when
               this service is stopped to flush the auth caches of the domains
               registered by this service. -->
          <depends optional-attribute-name="SecurityManagerService">
            jboss.security:service=JaasSecurityManager
          </depends>
        </mbean>
      </server>


      Where jboss-login-config.xml looks like this:

      <policy>
        <application-policy name="CustomerAdmin">
          <authentication>
            <login-module code="com.ftid.custadmin.security.HibernateLoginModule" flag="required">
              <module-option name="policy">META-INF/ClientAdmin.policy</module-option>
            </login-module>
          </authentication>
        </application-policy>
      </policy>


      This works great: when logging into my application on JBoss my custom HibernateLoginModule class is called. However, I have a JAAS Policy file that looks like this:

      
      grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_customer" {
       permission com.ftid.custadmin.security.ViewIdPermission "/client/clientsView.*";
       permission com.ftid.custadmin.security.ViewIdPermission "/client/clientLandingPage.*";
      };
      
      grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_update_customer" {
       permission com.ftid.custadmin.security.ViewIdPermission "/client/clientEdit.*";
      };
      
      etc.
      


      How do I get the JBoss SecurityManager to read this JAAS policy file??

      In tomcat I simply had to do the following which works very well:

      System.setProperty("java.security.auth.login.config", sc.getRealPath("/WEB-INF/jaas.properties"));
      System.setProperty("java.security.auth.policy", sc.getRealPath("/WEB-INF/ClientAdmin.policy"));
      SecurityManager sm = System.getSecurityManager();
      .
      .
      .
      Permission perm = new ViewIdPermission("/client/clientEdit");
      sm.checkPermission(perm);
      


      When this code runs in JBoss an AccessControlException is thrown. It seems that JBoss creates its own SecurityManager that hasn't been set up using my Policy file.

      HOW DO I GET JBOSS TO READ MY POLICY FILE ?? Please Help!!


        • 1. Re: JAAS Policy File with JBOSS - Please Help!
          jgilmore

          I have now added the following line to the JAVA_OPTS section of run.bat

          -Djava.security.manager -Djava.security.policy=server.policy
          


          Next time I started JBoss I received the following error:

          Failed to boot JBoss:
          java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
           at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
           at java.security.AccessController.checkPermission(AccessController.java:427)
           at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
           at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1252)
           at java.lang.System.getProperties(System.java:561)
           at org.jboss.Main.<init>(Main.java:86)
           at org.jboss.Main$1.run(Main.java:489)
           at java.lang.Thread.run(Thread.java:595)
          


          I solved this problem by placing the following in the server.policy file (which, for convenience, is currently placed in the bin directory).

          grant {
          permission java.security.AllPermission;
          };
          


          So now my server starts. Great, I now know the server.policy in the bin directory is being taken notice of. If I now put application specific permissions in the policy file like so:

          grant {
          permission java.security.AllPermission;
          };
          
          grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_customer" {
           permission com.ftid.custadmin.security.ViewIdPermission "/client/clientsView.*";
           permission com.ftid.custadmin.security.ViewIdPermission "/client/clientLandingPage.*";
          };
          
          grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_update_customer" {
           permission com.ftid.custadmin.security.ViewIdPermission "/client/clientEdit.*";
          };
          


          It doesn't work: my application deployed onto JBoss simply gives access to all my subjects, no matter what principals they have assigned.

          Does anybody know how to get the application specific principal permissions loaded into the JBoss SecurityManager??
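An added example, not code from the thread, showing why a policy grant keyed on a Principal is only honoured when the authenticated Subject is bound to the AccessControlContext via Subject.doAsPrivileged: the same check run on a thread with no Subject bound is denied whatever the policy file says. PolicyDemo, ClientAdminPrincipal and ViewIdPermission are hypothetical stand-ins for the poster's com.ftid classes, the policy file demo.policy is constructed inline, and the code assumes the Java 6 to 17 SecurityManager/Policy model the thread uses (Policy.getPolicy is no longer functional from JDK 24 on).

```java
import java.io.FileWriter;
import java.security.*;
import java.util.Collections;
import javax.security.auth.Subject;

public class PolicyDemo {
    // Hypothetical stand-in for the thread's role principal: getName() is the role named in the grant.
    public static final class ClientAdminPrincipal implements Principal {
        private final String name;
        public ClientAdminPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Hypothetical stand-in for the thread's custom permission: the grant target is a regex over view ids.
    public static final class ViewIdPermission extends Permission {
        public ViewIdPermission(String pattern) { super(pattern); }   // public (String) ctor so the policy can resolve it
        public boolean implies(Permission p) { return p instanceof ViewIdPermission && p.getName().matches(getName()); }
        public boolean equals(Object o) { return o instanceof ViewIdPermission && getName().equals(((Permission) o).getName()); }
        public int hashCode() { return getName().hashCode(); }
        public String getActions() { return ""; }
    }

    // Constructed policy: the grant is keyed on the principal, not on the code location.
    static final String POLICY =
          "grant principal PolicyDemo$ClientAdminPrincipal \"view_customer\" {\n"
        + "  permission PolicyDemo$ViewIdPermission \"/client/clientsView.*\";\n"
        + "};\n";

    // With a Subject, runs the check inside doAsPrivileged so the principals reach the Policy; without one, runs it bare.
    static boolean allowed(Subject subject, final String viewId) {
        PrivilegedAction<Boolean> check = new PrivilegedAction<Boolean>() {
            public Boolean run() {
                try { AccessController.checkPermission(new ViewIdPermission(viewId)); return true; }
                catch (AccessControlException e) { return false; }
            }
        };
        return subject == null ? check.run() : Subject.doAsPrivileged(subject, check, null);
    }

    public static void main(String[] args) throws Exception {
        FileWriter w = new FileWriter("demo.policy"); w.write(POLICY); w.close();
        System.setProperty("java.security.policy", "demo.policy");
        Policy.getPolicy().refresh();   // reload so the constructed policy file is in force
        Subject viewer = new Subject(false, Collections.singleton(new ClientAdminPrincipal("view_customer")), Collections.emptySet(), Collections.emptySet());
        System.out.println("granted view, Subject bound:   " + allowed(viewer, "/client/clientsView.jsp"));
        System.out.println("ungranted view, Subject bound: " + allowed(viewer, "/client/clientEdit.jsp"));
        System.out.println("granted view, no Subject:      " + allowed(null, "/client/clientsView.jsp"));
    }
}
```

An unconditional `grant { permission java.security.AllPermission; };` entry, like the one added to server.policy in the follow-up above, applies to every ProtectionDomain regardless of principals, so while it is present every check passes and the principal-scoped grants never decide anything.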

          • 2. Re: Arrggh!  JAAS Policy File with JBOSS - Please Help!
            ragavgomatam

            Try adding your policies under $JBOSS_HOME/client/auth.conf

            The web container in JBoss looks there and, if authenticated, passes the Subject seamlessly to the EJB container.

            • 3. Re: Arrggh!  JAAS Policy File with JBOSS - Please Help!
              jgilmore

              I am not using ejb.