10 Replies Latest reply on Jul 17, 2008 11:09 AM by oozoo

    JBoss won't load login-config from webapp

    oozoo

      Hi,

      I got 3 projects bundled together and deployed in a single EAR. In the web-project I have a web.xml with the following content

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Faces Servlet</web-resource-name>
      <description>
      The security configuration that only allows users with
      the role SSL Explorer Gateway to access the Radis
      console web application
      </description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>1</role-name>
      <role-name>5</role-name>
      <role-name>9</role-name>
      </auth-constraint>

      </security-constraint>

      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Radis-Console</realm-name>
      </login-config>

      <security-role>
      <description>Rolle normaler Benutzer</description>
      <role-name>1</role-name>
      </security-role>

      <security-role>
      <description>Rolle Stammdaten</description>
      <role-name>5</role-name>
      </security-role>

      <security-role>
      <description>Rolle Super User</description>
      <role-name>9</role-name>
      </security-role>


      I have the jboss-web.xml in the same folder

      <jboss-web>
      <security-domain>java:/jaas/MyTestApp</security-domain>
      </jboss-web>


      and the login-config is in the EAR project so it is deployed under /META-INF/ in the ear root directory.

      <policy>

      <application-policy name="MyTestApp">
      <authentication>
      <!-- Active directory configuration -->
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      (..)


      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>
      <!-- database configuration -->
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>

      (..)

      </login-module>
      </authentication>
      </application-policy>

      </policy>


      Now it doesn't seem to load my login-config at all; it keeps trying to load the property files for the web-console application, and when I remove that from the default login-config, apparently it doesn't do anything.

      Thanks in advance.

        • 1. Re: JBoss won't load login-config from webapp
          celle2006

          Hi oozoo!

          I think you forgot to set the realm-name to value MyTestApp.

          So change:

          <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>Radis-Console</realm-name>
          </login-config>


          to

          <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>MyTestApp</realm-name>
          </login-config>


          I hope this will work.

          Greetz celle2006

          • 2. Re: JBoss won't load login-config from webapp
            alllle

             

            "celle2006" wrote:
            Hi oozoo!

            I think you forgot to set the realm-name to value MyTestApp.

            Greetz celle2006


            Hi, just want to post a quick comment to see if it will help.

            I think the realm element in web.xml file is only used to prompt for user name and password in the HTTP BASIC auth. It has nothing to do with the JBoss security domain.

            I think the problem is that the META-INF/login-config.xml is just a config file you put there, and nothing instructs JBoss to load it. The J2EE spec does not specify this file; it is a JBoss-specific thing, and JBoss only loads it from the server_config/conf/ folder.

            So either you merge your policy into the server_config/conf/login-config.xml file, or you can do the following (not tested):

            jboss-app.xml:
            <?xml version="1.0" encoding="UTF-8"?>
            <jboss-app>
             <module>
             <service>jboss-service.xml</service>
             </module>
            </jboss-app>
            


            jboss-service.xml
            <?xml version="1.0" encoding="UTF-8"?>
            <server>
             <!-- hooking in a login module for the standalone version of JSF Forums -->
             <!-- The custom JAAS login configuration that installs
             a Configuration capable of dynamically updating the
             config settings
             -->
             <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
             name="jboss.security.tests:service=LoginConfig">
             <attribute name="AuthConfig">META-INF/security-config.xml</attribute>
             <depends optional-attribute-name="LoginConfigService">
             jboss.security:service=XMLLoginConfig
             </depends>
             <depends optional-attribute-name="SecurityManagerService">
             jboss.security:service=JaasSecurityManager
             </depends>
             </mbean>
            </server>
            


            and a META-INF/security-config.xml:
            <?xml version='1.0'?>
            <!DOCTYPE policy PUBLIC
             "-//JBoss//DTD JBOSS Security Config 3.0//EN"
             "http://www.jboss.org/j2ee/dtd/security_config.dtd">
            <policy>
            <application-policy name="MyTestApp">
            <!-- the login-modules must sit inside <authentication>, as in the original login-config.xml -->
            <authentication>
            <!-- Active directory configuration -->
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            (..)
            <module-option name="roleFilter">(member={1})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="password-stacking">useFirstPass</module-option>
            </login-module>
            <!-- database configuration -->
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            (..)
            </login-module>
            </authentication>
            </application-policy>
            </policy>
            


            • 3. Re: JBoss won't load login-config from webapp
              oozoo

              Awesome, that solved the problem :)

              However, it still doesn't authenticate. Here is the full security-config.xml; see anything wrong?

              <policy>

              <application-policy name="MyTestApp">
              <authentication>
              <!-- Active directory configuration -->
              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
              <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
              <module-option name="java.naming.provider.url">ldap://192.168.36.11:389/</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="bindDN">cn=SSL Explorer Gateway,ou=company,dc=company,dc=ch</module-option>
              <module-option name="bindCredential">password</module-option>
              <module-option name="baseCtxDN">OU=Company,DC=company,DC=ch</module-option>
              <module-option name="baseFilter">(sAMAccountName={0})</module-option>
              <module-option name="rolesCtxDN">,CN=SSL,OU=Company,DC=company,DC=ch</module-option>
              <module-option name="roleFilter">(member={1})</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleNameAttributeID">cn</module-option>
              <module-option name="password-stacking">useFirstPass</module-option>
              </login-module>
              <!-- database configuration -->
              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
              <module-option name="password-stacking">useFirstPass</module-option>
              <module-option name="dsJndiName">java:/jdbc/Datasource</module-option>
              <module-option name="principalsQuery">select password from dba_users where username like upper(?)</module-option>
              <module-option name="rolesQuery">select priv, 'Roles' from mitarbstamm where manr like upper(?)</module-option>
              </login-module>
              </authentication>
              </application-policy>

              </policy>


              • 4. Re: JBoss won't load login-config from webapp
                oozoo

                The exception is:

                javax.naming.InvalidNameException: ,CN=SSL,OU=Sybor,DC=syborag,DC=ch: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of:
                ',CN=SSL,OU=Company,DC=company,DC=ch'
                ]; remaining name ',CN=SSL,OU=Company,DC=company,DC=ch'
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
                at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
                at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
                at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
                at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
                at javax.naming.directory.InitialDirContext.search(Unknown Source)
                at org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(LdapExtLoginModule.java:421)
                at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:351)
                at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:232)
                at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                at java.lang.reflect.Method.invoke(Unknown Source)
                at javax.security.auth.login.LoginContext.invoke(Unknown Source)
                at javax.security.auth.login.LoginContext.access$000(Unknown Source)
                at javax.security.auth.login.LoginContext$4.run(Unknown Source)
                at java.security.AccessController.doPrivileged(Native Method)
                at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
                at javax.security.auth.login.LoginContext.login(Unknown Source)
                at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
                at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
                at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
                at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
                at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
                at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
                at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
                at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
                at java.lang.Thread.run(Unknown Source)


                • 5. Re: JBoss won't load login-config from webapp
                  oozoo

                  Why can't I edit my own posts? This is annoying. Ignore the first line; it should be ,CN=SSL,OU=Company,DC=company,DC=ch

                  • 6. Re: JBoss won't load login-config from webapp
                    alllle

                    It is invoking the JBoss LDAP authentication logic, but there is some problem between that class and your LDAP server. I don't have much experience with this and won't be able to help on this topic :(

                    • 7. Re: JBoss won't load login-config from webapp
                      oozoo

                       

                      "alllle" wrote:
                      It is invoking the JBoss LDAP authentication logic, but there is some problem between that class and your LDAP server. I don't have much experience with this and won't be able to help on this topic :(


                      No problem. It's just that if I try to remove the first comma from the string, JBoss adds it by itself and then I get the same error message. It's weird; is this a JBoss bug or am I doing something wrong?

                      • 8. Re: JBoss won't load login-config from webapp
                        alllle

                        I would suggest you grab the source and trace into it. That would be what I would be doing if I were you :)

                        • 9. Re: JBoss won't load login-config from webapp
                          oozoo

                          I've already done that. The problem is I don't really understand LDAP mechanics :D

                          Apparently, the bad stuff happens right here:

                          //JBAS-3438 : Handle "/" correctly
                          // searchResult is the role entry's name relative to the search base;
                          // rolesCtxDN is the module field holding the configured rolesCtxDN option.
                          private String canonicalize(String searchResult)
                          {
                             String result = searchResult;
                             int len = searchResult.length();

                             if (searchResult.endsWith("\""))
                             {
                                // JNDI quotes a relative name that contains "/" (the JBAS-3438 case):
                                // splice the base DN in before the closing quote
                                result = searchResult.substring(0, len - 1)
                                   + "," + rolesCtxDN + "\"";
                             }
                             else
                             {
                                // unquoted name: append the base DN after a comma
                                result = searchResult + "," + rolesCtxDN;
                             }
                             return result;
                          }


                          I guess searchResult is empty somehow, and so it adds a comma in front of the rolesCtxDN. But I don't even know if this makes the String invalid, because there are examples with a comma at the beginning of the rolesCtxDN string.

                          Also, I don't think I'd be the only person experiencing this bug if it weren't for a misconfiguration on my account :D
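The canonicalize() fragment quoted in the post above is what turns an empty relative search name into ",CN=SSL,..." (an empty relative name is what a subtree search returns when the base entry itself matches the filter). The following is an added example, not JBoss's code and not from anyone in this thread: it reproduces that behaviour with the posted method (rolesCtxDN passed in as a parameter instead of read from a field) and puts beside it a variant that composes the role DN with javax.naming.ldap.LdapName, so an empty result maps to the base DN itself and a misconfigured base is rejected with a clear error before any LDAP round trip. The class name, method names and the sample base DN are made up for the example.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/**
 * Added example, not JBoss code: why an empty relative search result makes
 * the thread's canonicalize() produce an invalid DN, next to a version that
 * builds the role DN with javax.naming.ldap.LdapName instead of string
 * concatenation. Class name, method names and sample DN are made up.
 */
public class RoleDnCanonicalize {

    /** Constructed sample base DN (the thread's own config had a leading comma). */
    static final String ROLES_CTX_DN = "CN=SSL,OU=Company,DC=company,DC=ch";

    /** The canonicalize() quoted in the thread, with rolesCtxDN passed in as a parameter. */
    static String canonicalizeOriginal(String searchResult, String rolesCtxDN) {
        int len = searchResult.length();
        if (searchResult.endsWith("\"")) {
            return searchResult.substring(0, len - 1) + "," + rolesCtxDN + "\"";
        }
        // An empty searchResult lands here and yields ",<rolesCtxDN>".
        return searchResult + "," + rolesCtxDN;
    }

    /**
     * Hardened variant. Returns a parsed LdapName so the caller can use
     * DirContext.getAttributes(Name, String[]) and never goes through JNDI
     * composite-name parsing, which is what the "/" quoting works around.
     */
    static LdapName canonicalizeSafe(String relativeName, String rolesCtxDN)
            throws InvalidNameException {
        // A misconfigured base such as ",CN=SSL,..." is rejected here, before
        // any LDAP round trip, with the offending value in the message.
        LdapName dn = new LdapName(rolesCtxDN);

        // JNDI quotes a returned relative name that contains "/" (the JBAS-3438
        // case); drop that outer quoting before parsing it as a DN.
        String rel = relativeName;
        if (rel.length() >= 2 && rel.startsWith("\"") && rel.endsWith("\"")) {
            rel = rel.substring(1, rel.length() - 1);
        }

        // An empty relative name means the search hit is the base entry itself:
        // the role DN is rolesCtxDN, with no comma in front.
        if (rel.isEmpty()) {
            return dn;
        }

        // LdapName index 0 is the rightmost RDN, so appending the relative
        // RDNs yields "<relative>,<rolesCtxDN>" in string form.
        dn.addAll(new LdapName(rel).getRdns());
        return dn;
    }

    /** True if the string parses as an RFC 2253 DN. */
    static boolean isValidDn(String dn) {
        try {
            new LdapName(dn);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        // The thread's situation: the search returned the base entry, so
        // SearchResult.getName() was "".
        String broken = canonicalizeOriginal("", ROLES_CTX_DN);
        System.out.println(broken + "  valid=" + isValidDn(broken));

        System.out.println(canonicalizeSafe("", ROLES_CTX_DN));
        System.out.println(canonicalizeSafe("CN=Admins", ROLES_CTX_DN));

        // A relative name JNDI had to quote because of a "/" in the RDN value.
        LdapName quoted = canonicalizeSafe("\"CN=R/W Ops\"", ROLES_CTX_DN);
        System.out.println(quoted + "  leftmost RDN value="
                + quoted.getRdn(quoted.size() - 1).getValue());

        // The thread's own rolesCtxDN, with its leading comma, fails up front.
        try {
            canonicalizeSafe("CN=Admins", "," + ROLES_CTX_DN);
        } catch (InvalidNameException e) {
            System.out.println("rejected rolesCtxDN: " + e.getMessage());
        }
    }
}
```

Compile and run with javac/java. The original variant produces a name that starts with a comma and that LdapName refuses to parse, which is the same invalid-DN condition as the InvalidNameException in the stack trace above (LDAP result code 34 is invalidDNSyntax). Inside a login module the safe variant would be handed to ctx.getAttributes(Name, String[]) rather than the String overload, which also removes the need to quote names containing "/".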

                          • 10. Re: JBoss won't load login-config from webapp
                            oozoo

                            Not being able to edit posts is annoying (I repeat myself).