4 Replies Latest reply on Jun 18, 2009 1:13 AM by clin1

    Authentication in ejb container fails to use security domain

    clin1 Jun 11, 2009 12:59 AM

      We found this problem when moving from JBoss 4 to JBoss 5.0.1.

      Here is the server.log:

      2009-06-10 21:15:16,822 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) Creating SDC for domain=CLIENT_LOGIN_MODULE
      2009-06-10 21:15:16,822 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.CLIENT_LOGIN_MODULE] (http-0.0.0.0-8080-1) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@1298c7d
      2009-06-10 21:15:16,822 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.CLIENT_LOGIN_MODULE] (http-0.0.0.0-8080-1) CachePolicy set to: org.jboss.util.TimedCachePolicy@c677a7
      2009-06-10 21:15:16,822 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) setCachePolicy, c=org.jboss.util.TimedCachePolicy@c677a7
      2009-06-10 21:15:16,838 ERROR [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Failed to load users/passwords/role files
      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
      at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
      at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
      at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
      at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
      at org.jboss.security.javaee.EJBAuthenticationHelper.isValid(EJBAuthenticationHelper.java:87)
      at org.jboss.ejb.plugins.SecurityActions$13.run(SecurityActions.java:543)
      at org.jboss.ejb.plugins.SecurityActions$13.run(SecurityActions.java:540)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.jboss.ejb.plugins.SecurityActions.isValid(SecurityActions.java:539)
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:314)
      at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
      at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
      at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
      at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
      at org.jboss.ejb.Container.invoke(Container.java:1046)
      at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:362)
      at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:133)
      at $Proxy120.create(Unknown Source)
      at com.filenet.apiimpl.transport.ejb.EnginePortFactory.create(EnginePortFactory.java:36)
      at com.filenet.apiimpl.wsi.ServerHelperNst.getEnginePort(ServerHelperNst.java:90)
      at com.filenet.apiimpl.wsi.ServiceSessionNst$1.run(ServiceSessionNst.java:1050)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.Subject.doAs(Subject.java:396)
      at com.filenet.apiimpl.authentication.util.J2EEAuthnUtil.runAs(J2EEAuthnUtil.java:533)
      at com.filenet.apiimpl.authentication.util.J2EEAuthnUtilJB.runAs(J2EEAuthnUtilJB.java:280)
      at com.filenet.apiimpl.util.J2EEUtilJB.doAs(J2EEUtilJB.java:103)
      at com.filenet.apiimpl.wsi.ServiceSessionNst.makeServerInternalEJBCall(ServiceSessionNst.java:961)
      at com.filenet.apiimpl.wsi.ServiceSessionNst.incomingRequestToServer(ServiceSessionNst.java:917)
      at com.filenet.engine.wsi.ListenerNst.service(ListenerNst.java:101)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
      at java.lang.Thread.run(Thread.java:619)
      2009-06-10 21:15:16,853 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (http-0.0.0.0-8080-1) Error in Security Interceptor
      java.lang.SecurityException: Authentication exception, principal=CEAdmin
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:321)
      at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
      at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
      at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
      at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
      at org.jboss.ejb.Container.invoke(Container.java:1046)
      at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:362)
      at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:133)
      at $Proxy120.create(Unknown Source)
      at com.filenet.apiimpl.transport.ejb.EnginePortFactory.create(EnginePortFactory.java:36)
      at com.filenet.apiimpl.wsi.ServerHelperNst.getEnginePort(ServerHelperNst.java:90)
      at com.filenet.apiimpl.wsi.ServiceSessionNst$1.run(ServiceSessionNst.java:1050)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.Subject.doAs(Subject.java:396)
      at com.filenet.apiimpl.authentication.util.J2EEAuthnUtil.runAs(J2EEAuthnUtil.java:533)
      at com.filenet.apiimpl.authentication.util.J2EEAuthnUtilJB.runAs(J2EEAuthnUtilJB.java:280)
      at com.filenet.apiimpl.util.J2EEUtilJB.doAs(J2EEUtilJB.java:103)
      at com.filenet.apiimpl.wsi.ServiceSessionNst.makeServerInternalEJBCall(ServiceSessionNst.java:961)
      at com.filenet.apiimpl.wsi.ServiceSessionNst.incomingRequestToServer(ServiceSessionNst.java:917)
      at com.filenet.engine.wsi.ListenerNst.service(ListenerNst.java:101)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
      at java.lang.Thread.run(Thread.java:619)

      The jboss.xml file in our server ejb's META-INF:

      <?xml version="1.0"?>

      <enterprise-beans>

      <ejb-name>Engine</ejb-name>
      <jndi-name>FileNet/Engine</jndi-name>
      <local-jndi-name>FileNet/Local/Engine</local-jndi-name>


      <ejb-name>EngineCore</ejb-name>
      <local-jndi-name>FileNet/Local/EngineCore</local-jndi-name>


      <ejb-name>EngineContent</ejb-name>
      <jndi-name>FileNet/EngineContent</jndi-name>
      <local-jndi-name>FileNet/Local/EngineContent</local-jndi-name>


      <ejb-name>EngineContentCore</ejb-name>
      <local-jndi-name>FileNet/Local/EngineContentCore</local-jndi-name>

      </enterprise-beans>
      <container-configurations>
      <container-configuration>
      <container-name>Standard Stateless SessionBean</container-name>
      <security-domain>java:/jaas/FileNet</security-domain>
      </container-configuration>
      </container-configurations>


      In JBoss 5.0.1, we found that the SecurityInterceptor correctly retrieved the security domain from jboss.xml. However, when it is inside EJBAuthenticationHelper.isValid() the security domain is "CLIENT_LOGIN_MODULE".

      Since there is no "CLIENT_LOGIN_MODULE" application-policy defined in our login-config.xml file, it falls back to "other" and executes the wrong login module - UsersRolesLoginModule.

      Does anyone know why the security domain override via jboss.xml is not working in JBoss 5?
      How do we get the ejb authentication to use "FileNet" as specified in the jboss.xml?

      We tried adding <security-domain>java:/jaas/FileNet</security-domain> as a top level element in jboss.xml to no avail.

      Does anyone experience the same issue when migrating from JBoss 4 to 5?

      • 4429 Views
      • Tags:
        • 1. Re: Authentication in ejb container fails to use security do
          anil.saldhana
          anil.saldhana Jun 15, 2009 1:35 AM (in response to clin1)

          Our test suite has test(s) for container configurations and security domain defined in container configs (jboss.xml). I am surprised that you have this issue.

          Try with AS5.1.0. I am not saying that your issue is solved.

          You can first try to create a sample ejb project (ejbs) and reproduce the failure. After that, you can create a jira issue in JBAS and attach the sample project to the jira for a faster resolution.

            • Actions
          • 2. Re: Authentication in ejb container fails to use security do
            jaikiran
            jaikiran Jun 15, 2009 3:25 AM (in response to clin1)

             

            We tried adding <security-domain>java:/jaas/FileNet</security-domain> as a top level element in jboss.xml to no avail.


            I remember there was a change in AS-4.x where the security domain name was no longer expected to contain the java:/jaas prefix. I guess you were using a 4.0.x version of JBoss (which expected the java:/jaas to be present). Try using: 

            <security-domain>FileNet</security-domain>


            As Anil mentioned, we have some working testsuite and even tutorial for this exact same thing:

            http://www.jboss.org/file-access/default/members/jbossejb3/freezone/docs/tutorial/1.0.7/html/jboss.xml_deployment_descriptor.html
            http://anonsvn.jboss.org/repos/jbossas/projects/ejb3/trunk/docs/tutorial/jboss_deployment_descriptor/META-INF/jboss.xml

              • Actions
            • 3. Re: Authentication in ejb container fails to use security do
              clin1 Jun 15, 2009 1:47 PM (in response to clin1)

              Thanks for your responses.
              We have tried using JBoss 5.1.0GA and ran into exactly the same problem.
              We also tried using <security-domain>FileNet</security-domain> as jaikiran mentioned, and the result was the same.

              We could ran Java client application using EJB transport without problems.
              This problem only occurs when we use an application that uses Web Services transport to connect to our application engine, which involves in having the WSI listener propagating the security information to EJB's security domain for authentication. Our WSI listener is implemented as a web servlet in JBoss web container which invokes FnClientLoginModule initially under the "FileNetP8Engine" application-policy, the authentication against LDAP is then performed in EJB container through the "FileNet" application-policy which is defined as the EJB security domain in jboss.xml.

              Here is the excerpt of the login-config.xml:

              <?xml version="1.0" encoding="UTF-8"?>

              <application-policy name="FileNetP8Engine">

              <login-module code="com.filenet.api.authentication.jboss.login.FnClientLoginModule" flag="required">
              <module-option name="multi-threaded">true</module-option>
              </login-module>

              </application-policy>
              <application-policy name = "FileNet">

              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
              <module-option name="java.naming.provider.url">ldap://ldaphost:389</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
              <module-option name="bindDN">cn=CEAdmin,ou=FileNet,dc=ldaphost,dc=com</module-option>
              <module-option name="bindCredential">password</module-option>
              <module-option name="baseCtxDN">dc=ldaphost,dc=com</module-option>
              <module-option name="baseFilter">(cn={0})</module-option>
              <module-option name="rolesCtxDN">dc=ldaphost,dc=com</module-option>
              <module-option name="roleFilter">(uniqueMember={0})</module-option>
              <module-option name="matchOnUserDN">true</module-option>
              <module-option name="roleAttributeID">cn</module-option>
              <module-option name="uidAttributeID">cn</module-option>
              <module-option name="roleAttributeIsDN">false</module-option>
              </login-module>

              </application-policy>


              This mechanism has been working in JBoss 4.0.5 and 4.2.x.

              We will try reproduce the problem on a sample application.

                • Actions
              • 4. Re: Authentication in ejb container fails to use security do
                clin1 Jun 18, 2009 1:13 AM (in response to clin1)

                An issue created for JBAS with a sample project that demonstrates the problem:

                https://jira.jboss.org/jira/secure/ManageAttachments.jspa?id=12388384

                  • Actions