7 Replies Latest reply on Nov 9, 2008 11:01 AM by jaikiran

    Cannot get JAAS to work

    henkie.maritz

      Hi there

      I'm new to JBoss and did configure some web pages to work through JAAS, but I get an exception.
      Two questions:
      1. What am I doing wrong?
      2. How can I debug this to see which of the various steps are wrong?

      Any help will be much appreciated.

      Regards

      Here's the detail:
      JDK 1.5
      JBoss 4.2.2

      Here is my web.xml file extract:
      <security-constraint>
      <display-name>Admin</display-name>
      <web-resource-collection>
      DepotList page
      <web-resource-name>DepotList</web-resource-name>
      <url-pattern>/faces/DepotList.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      System administrator
      <role-name>Administrator</role-name>
      </auth-constraint>
      </security-constraint>
      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>OrderSystemJaasDbRealm</realm-name>
      </login-config>
      <security-role>
      System administrator
      <role-name>Administrator</role-name>
      </security-role>
      <security-role>
      Depot user
      <role-name>User</role-name>
      </security-role>


      Here is my jboss-web.xml file extract:
      <jboss-web>
      <security-domain>java:/jaas/OrderSystemJaasDbRealm</security-domain>
      </jboss-web>


      In folder jboss-4.2.2.GA\server\default\conf I have the following two files:
      iits-login-config-service.xml



      iits-login-config.xml
      <depends optional-attribute-name="LoginConfigService">
      jboss.security:service=XMLLoginConfig

      <depends optional-attribute-name="SecurityManagerService">
      jboss.security:service=JaasSecurityManager





      iits-login-config.xml



      <application-policy name = "OrderSystemJaasDbRealm">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "password-stacking">useFirstPass</module-option>
      <module-option name = "dsJndiName">java:/MYDBDS</module-option>
      <module-option name = "principalsQuery">SELECT PASSWORD FROM USER WHERE NAME=?</module-option>
      <module-option name = "rolesQuery">SELECT ROLE.NAME, 'Roles' FROM USER, ROLE WHERE USER.NAME=? AND USER.ROLE_ID = ROLE.ID</module-option>
      </login-module>

      </application-policy>



      I get the following exception when I entered the user name and password:\

      23:10:08,125 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
      at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
      at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
      at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
      at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
      at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
      at java.lang.Thread.run(Thread.java:595)




        • 1. Re: Cannot get JAAS to work
          ragavgomatam

           

          3:10:08,125 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
          java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
          at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)


          Your login-config.xml appears to be using the UsersRolesLoginModule. It is NOT using the DatabaseServerLoginModule. Can you verify the login-config.xml once again ?

          • 2. Re: Cannot get JAAS to work
            henkie.maritz

            I was under the impression that the iits-login-config.xml will be used instead of the default login-config.xml. I did not change login-config.xml at all.

            I see that the following is defined in the login-config.xml:

            <!-- The default login configuration used by any security domain that
            does not have a application-policy entry with a matching name
            -->
            <application-policy name = "other">
            <!-- A simple server login module, which can be used when the number
            of users is relatively small. It uses two properties files:
            users.properties, which holds users (key) and their password (value).
            roles.properties, which holds users (key) and a comma-separated list of
            their roles (value).
            The unauthenticatedIdentity property defines the name of the principal
            that will be used when a null username and password are presented as is
            the case for an unuathenticated web client or MDB. If you want to
            allow such users to be authenticated add the property, e.g.,
            unauthenticatedIdentity="nobody"
            -->

            <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
            flag = "required" />

            </application-policy>

            So, you are right. But why does JBoss not pick up the policy defined as setout in the first post?

            • 3. Re: Cannot get JAAS to work
              henkie.maritz

              Or should I define my policy rather in the login-config.xml?

              • 4. Re: Cannot get JAAS to work
                jaikiran

                 

                "henkie.maritz@iits" wrote:
                Or should I define my policy rather in the login-config.xml?


                You have 2 options:

                1) Add your application policy in the %JBOSS_HOME%/server/< serverName>/conf/login-config.xml

                2) Or if you want to have your own config xml then follow these steps http://www.jboss.org/community/docs/DOC-9611


                • 5. Re: Cannot get JAAS to work
                  henkie.maritz

                  I've tried option 1 in order to make progress. It works nice. Thanks.
                  I've read the linked article and still wonder what I did wrong with my first attempt: Defining an MBean (iits-login-config-service.xml) that will configure the LoginService (iits-login-config.xml).

                  • 6. Re: Cannot get JAAS to work
                    henkie.maritz

                    OK, I've got my web security working nice with JAAS form based authentication. BUT.

                    If I access an unauthorised web resource - as the logged on user - I get the following browser error:

                    HTTP Status 403 - Access to the requested resource has been denied

                    This is displayed similar to a page not found browser error.

                    How do I catch and display this error neatly (More professional - custom error message)?

                    I've searched a lot on the net - but did not fouond something.

                    Please assist.

                    • 7. Re: Cannot get JAAS to work
                      jaikiran

                      The web.xml has an element where you can specify which page to display on specific errors. Look at the web.xml dtd http://java.sun.com/dtd/web-app_2_3.dtd for details. Here's an example (which i haven't tested):

                      <error-page>
                       <error-code>403</error-code>
                       <location>MyCustomPage.jsp</location>
                      </error-page>