1 Reply Latest reply on Jan 8, 2008 4:21 PM by mcevikce

    Basic auth apache fronting JBoss!

      Our webapp is deployed in JBoss which is fronted by apache web server.
      I have configured Basic authorization in my webapp and JBoss. When I try to access the protected pages from http://localhost:8080/protected/testpage.jsp I get prompted to enter a user name and password. Once everything is entered correctly I proceed to the page.

      Now the problem occurs when I try to access the same page from my web server URL (http://myserver.bfm.com/protected/testpage.jsp). Now I am prompted by the web server realm to enter a user name and password (I set my user name and password to be the same both on JBoss and apache). Once I enter my credentials I am never prompted by JBoss to enter my credentials again. That is understandable since the request already had my Basic auth, but I get a NullPointerException on the JBoss side with the following stack trace:

      [08-01-2008 12:23:12.904] [3774275] [org.apache.catalina.connector.CoyoteAdapter] [ERROR] [TP-Processor3] An exception or error occurred in the container during the request processing
      java.lang.NullPointerException
      at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.hasRole(JBossSecurityMgrRealm.java:286)
      at org.apache.catalina.realm.RealmBase.hasResourcePermission(RealmBase.java:763)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:464)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
      at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:307)
      at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:385)
      at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:748)
      at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:678)
      at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:871)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
      at java.lang.Thread.run(Thread.java:595)


      Any ideas as to why I am getting this exception every time I try to access the protected page from my web server? I need to do this to protect access from both localhost and the web server.

        • 1. Re: Basic auth apache fronting JBoss!

          After doing some extra digging, this is what I found out.
          JBossSecurityMgrRealm creates a roleMap keyed by principal (SimplePrincipal). When the user only gets authenticated by JBoss, the request does not contain a principal, therefore the authenticate method is called in JBossSecurityMgrRealm. Here a SimplePrincipal object is created from the passed-in user name and then the roles are looked up by this key.

          BUT!!! If the user gets initially authenticated by the web server (apache), then the CoyoteInvoker that handles the request for tomcat sees that a user exists in the request and creates a CoyotePrincipal within the request. Now the authenticate method of JBossSecurityMgrRealm is NOT called. The role lookup fails because roles are keyed by SimplePrincipal and the lookup is done with a CoyotePrincipal object.

          I hope what I said makes sense to everyone. But this is causing a problem for us. I am sure someone else has run into this before. How do we get around it?
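As an added illustration of the key-class mismatch described in the reply above (this is example code written for this page, not code from the thread, JBoss or Tomcat): the two principal classes below, NamePrincipal and ProxyPrincipal, are hypothetical stand-ins modelled on SimplePrincipal (whose equals() requires the other object to be a SimplePrincipal too) and on a connector-created principal that does not override equals()/hashCode(). A role cache keyed by principal object returns null for the "same" user arriving under the other class, and dereferencing that null is exactly the NullPointerException pattern in the stack trace. The by-name lookup shows the fix a practitioner would apply: key on the principal's name, which both classes report identically, and treat a cache miss as "no role" rather than as a crash.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-ins for this example only; NOT org.jboss.security.SimplePrincipal
// or Tomcat's CoyotePrincipal, though their equality semantics are modelled on them.
public class PrincipalKeyMismatch {

    /** Stand-in for SimplePrincipal: equal only to another NamePrincipal with the same name. */
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamePrincipal && name.equals(((NamePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Stand-in for a principal built by the connector from REMOTE_USER: identity equality only. */
    static final class ProxyPrincipal implements Principal {
        private final String name;
        ProxyPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Role cache keyed by Principal object, as the reply says the realm's roleMap is. */
    static final Map<Principal, Set<String>> roleMap = new HashMap<Principal, Set<String>>();

    /** Runs on the realm's own authenticate() path: the key is the realm's principal class. */
    static void authenticated(String user, String... roles) {
        roleMap.put(new NamePrincipal(user), new HashSet<String>(Arrays.asList(roles)));
    }

    /** Fragile lookup: a principal of another class misses the map and the null is dereferenced. */
    static boolean hasRoleFragile(Principal p, String role) {
        Set<String> roles = roleMap.get(p);   // null for a ProxyPrincipal
        return roles.contains(role);          // -> NullPointerException, as in the trace
    }

    /** Robust lookup: key on the name both principal classes share, and a miss means "no role". */
    static boolean hasRoleByName(Principal p, String role) {
        Set<String> roles = roleMap.get(new NamePrincipal(p.getName()));
        return roles != null && roles.contains(role);
    }

    public static void main(String[] args) {
        authenticated("alice", "user", "admin");   // constructed sample user and roles

        Principal viaRealm = new NamePrincipal("alice");
        Principal viaWebServer = new ProxyPrincipal("alice");   // same user, pre-authenticated upstream

        System.out.println("realm principal, fragile lookup:       " + hasRoleFragile(viaRealm, "admin"));
        System.out.println("web-server principal, by-name lookup:  " + hasRoleByName(viaWebServer, "admin"));
        try {
            hasRoleFragile(viaWebServer, "admin");
            System.out.println("unexpected: fragile lookup succeeded for the web-server principal");
        } catch (NullPointerException e) {
            System.out.println("web-server principal, fragile lookup:  NullPointerException");
        }
    }
}
```

Whether Tomcat builds a principal from the web server's REMOTE_USER at all is, in general, governed by the AJP connector's tomcatAuthentication attribute (its default of true makes Tomcat ignore the upstream user and authenticate itself). That is a general mod_jk/AJP setting, not something this thread confirms about the poster's deployment, but it is the first thing to check when a front-end web server and JBoss both hold credentials for the same realm.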