JBoss 5 Strange Login Issues with WebAuthenticate
yoblin Dec 2, 2008 5:06 PM
I'm porting a login system from JBoss 4 to JBoss 5 and having a strange issue. When the login credentials are wrong, everything works fine (no exceptions, login fails), but when the login credentials are correct the user is authenticated fine but then an exception is thrown after the user is authenticated:
java.lang.IllegalStateException: Application Policy is null for the security domain:java:jaas/portal-rsa
    at org.jboss.security.plugins.mapping.JBossMappingManager.getMappingContext(JBossMappingManager.java:74)
    at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:391)
    at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:363)
    at org.jboss.security.plugins.JBossAuthorizationManager.getUserRoles(JBossAuthorizationManager.java:215)
    at org.jboss.security.plugins.auth.JaasSecurityManagerBase.getUserRoles(JaasSecurityManagerBase.java:457)
    at org.jboss.security.plugins.JaasSecurityManager.getUserRoles(JaasSecurityManager.java:200)
    at org.jboss.web.tomcat.security.JBossWebRealm.getCachingPrincipal(JBossWebRealm.java:662)
    at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:409)
    at org.jboss.web.tomcat.security.login.WebAuthentication.login(WebAuthentication.java:93)
    at com.prod.portal.mvc.servlet.AuthenticateServlet.doPost(AuthenticateServlet.java:86)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:630)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
    at com.prod.portal.mvc.servlet.PortalLoginServlet.doGet(PortalLoginServlet.java:18)
    at com.prod.portal.mvc.servlet.PortalLoginServlet.doPost(PortalLoginServlet.java:23)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
I don't see how the application policy is possibly null, because the whole thing works great when the credentials are wrong, and I can see my login extension getting called.
Below I have the relevant code and config files.
---------------
jboss-web.xml:
<jboss-web>
    <context-root>prod</context-root>
    <security-domain>java:jaas/portal</security-domain>
</jboss-web>
web.xml:
<!-- snip -->
    <servlet>
        <servlet-name>AuthenticateServlet</servlet-name>
        <servlet-class>
            com.prod.portal.mvc.servlet.AuthenticateServlet
        </servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>login-servlet</servlet-name>
        <url-pattern>/auth/servlet/login</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>AuthenticateServlet</servlet-name>
        <url-pattern>/auth/servlet/AuthenticateServlet</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MVC Application</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
            <url-pattern>/flex/*</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>
                Only allow Authenticated_users role
            </description>
            <role-name>authenticatedUser</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>authenticatedUser</role-name>
    </security-role>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/public/login.jsp</form-login-page>
            <form-error-page>/public/login.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <welcome-file-list>
        <welcome-file>auth/servlet/login</welcome-file>
    </welcome-file-list>
</web-app>
LDAP Extension Module:
    @Override
    protected void rolesSearch(final InitialLdapContext ctx, final SearchControls constraints,
            final String user, final String userDN, final int recursionMax, final int nesting)
            throws NamingException {
        _log.debug("in rolesSearch in LDAP extension.");
        Group[] groups;
        try {
            groups = getRoleSets();
            final SimpleGroup sg = (SimpleGroup) groups[0];
            sg.addMember(new SimplePrincipal("authenticatedUser"));
        } catch (final LoginException e) {
            _log.error("Error");
        }
    }
}
login-config.xml:
<policy>
    <application-policy name="portal">
        <authentication>
            <login-module code="com.prod.portal.security.loginmodule.ProdLdapExtLoginModule" flag="required">
                <!-- MODULE OPTIONS SNIPPED -->
            </login-module>
        </authentication>
    </application-policy>
</policy>
Authenticate Servlet:
@Override
public void doPost(final HttpServletRequest request, final HttpServletResponse response)
        throws ServletException, IOException {
    String view = null;
    final String uid = request.getParameter("username");
    final String password = request.getParameter("password");
    if (uid == null && password == null && token == null) {
        view = "/public/login.jsp";
    } else {
        WebAuthentication pwl = new WebAuthentication();
        pwl.login(uid, password);
        if (request.getUserPrincipal() == null || !(request.isUserInRole("authenticatedUser"))) {
            view = "/public/login.jsp";
        } else {
            view = "/secure/main.html";
            if (!(onUserLogon(request.getSession(), request))) {
                // Error logging in
                view = "/public/login.jsp";
            }
        }
    }
    final RequestDispatcher rd = request.getSession().getServletContext().getRequestDispatcher(view);
    rd.forward(request, response);
}