6 Replies Latest reply on Aug 6, 2008 9:03 AM by dlofthouse

    Another SPNEGO Problem

    chausberger

      Hello

      After all tests with the JBoss Negotiation Toolkit passed, I tried to add SPNEGO to my own application.
      I left the login-config as it is and configured web.xml and jboss-web.xml in my app exactly the same way as those in the negotiation toolkit.

      Now I get this error from the web server:
      This request requires HTTP authentication ().

      In the log file, I found this:

      12:37:10,051 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
      at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
      at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
      at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
      at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
      at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
      at java.lang.Thread.run(Thread.java:595)



      It seems that the UsersRolesLoginModule can't find the "props/spnego-users.properties" and "props/spnego-roles.properties" as specified in the login-config.xml.

      What could be the problem here? Is the "conf" directory always in the class path?

      My application is an "ear" with many servlets and EJBs.

      Any hints welcome.

      Claus

        • 1. Re: Another SPNEGO Problem
          dlofthouse

          Do you still have the TRACE logging enabled that you had enabled earlier?

          I would say have a look at the server.log to first confirm that it is using the correct security domain, just double check that it has not fallen back to using the other domain.

          • 2. Re: Another SPNEGO Problem
            chausberger

            It seems as if the security domain is indeed "other".
            There are a lot of the following log messages in the server.log.

            No security-domain given, using default: java:/jaas/other

            But I've specified the SPNEGO security domain. Do I have to specify it in some other file, too?

            Claus

            • 3. Re: Another SPNEGO Problem
              chausberger

              I've added the security domain to jboss.xml (in addition to jboss-web.xml), but the error remains.

              Claus

              • 4. Re: Another SPNEGO Problem
                dlofthouse

                Does your ear have a jboss-app.xml? Can you check the security domain in there?

                • 5. Re: Another SPNEGO Problem
                  chausberger

                  Thanks for the tip. I didn't know about jboss-app.xml. Now it seems to work and I can access the principal in my struts action.

                  Is my assumption correct that after a successful SPNEGO authentication I can always get the principal with the "getUserPrincipal" method of the HttpServletRequest object?
                  And is the principal null if the authentication failed?

                  That behaviour would be exactly what I need to display the user a form with a login when SPNEGO failed or is not configured.

                  Claus

                  • 6. Re: Another SPNEGO Problem
                    dlofthouse

                    Please have a look at

                    http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4169032#4169032

                    Fallback mechanisms are something I am currently considering at the moment.

                    The issue here is that with SPNEGO the authentication process is completely managed by the container; if you provide your own login form then you are reducing the involvement of the container.

                    There is an option for programmatic authentication if you have obtained the username and password from the user, but then there is an issue as the security domain for the web application only supports SPNEGO and not username / password authentication.

                    This is a problem I am currently working on so hopefully will have some progress shortly.
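
The check that resolved this thread (which security domain each descriptor in the EAR actually names, and whether the server fell back to `java:/jaas/other`) can be scripted. The following is an added example, not code from the thread or from JBoss Negotiation; the domain name `java:/jaas/SPNEGO`, the module name `app.war` and the sample EAR contents are constructed assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Descriptors named in the thread: jboss-app.xml (EAR), jboss-web.xml (WAR), jboss.xml (EJB jar).
DESCRIPTORS = ("META-INF/jboss-app.xml", "WEB-INF/jboss-web.xml", "META-INF/jboss.xml")
FALLBACK_MSG = "No security-domain given, using default: java:/jaas/other"

def domain_of(xml_bytes):
    """Text of the first <security-domain> element (namespace ignored), or None."""
    for el in ET.fromstring(xml_bytes).iter():
        if el.tag.rsplit("}", 1)[-1] == "security-domain":
            return (el.text or "").strip() or None
    return None

def scan_archive(data, prefix=""):
    """Map each descriptor path to its security domain, recursing into nested modules."""
    found = {}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return found  # not an archive we can open; nothing to report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name in DESCRIPTORS:
                found[prefix + name] = domain_of(zf.read(name))
            elif name.lower().endswith((".war", ".jar")):
                found.update(scan_archive(zf.read(name), prefix + name + "!/"))
    return found

def audit(ear_bytes, expected, log_text=""):
    """Findings: descriptors not naming `expected`, plus fallback messages in the log."""
    findings = [f"{path}: security-domain is {dom or 'not set'}"
                for path, dom in sorted(scan_archive(ear_bytes).items()) if dom != expected]
    hits = log_text.count(FALLBACK_MSG)
    if hits:
        findings.append(f"server.log: {hits} fallback(s) to java:/jaas/other")
    return findings

def zipped(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_ear():
    """Constructed sample; java:/jaas/SPNEGO is an assumed domain name."""
    web = "<jboss-web><security-domain>java:/jaas/SPNEGO</security-domain></jboss-web>"
    app = "<jboss-app><security-domain>java:/jaas/other</security-domain></jboss-app>"
    return zipped({"app.war": zipped({"WEB-INF/jboss-web.xml": web}), "META-INF/jboss-app.xml": app})
```

Calling `audit(open("myapp.ear", "rb").read(), "java:/jaas/SPNEGO", open("server.log").read())` on a real deployment lists every descriptor that disagrees with the intended domain; the file names here are placeholders.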