Authentication in ejb container fails to use security domain
clin1 Jun 11, 2009 12:59 AM
We found this problem when moving from JBoss 4 to JBoss 5.0.1.
Here is the server.log:
2009-06-10 21:15:16,822 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) Creating SDC for domain=CLIENT_LOGIN_MODULE
2009-06-10 21:15:16,822 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.CLIENT_LOGIN_MODULE] (http-0.0.0.0-8080-1) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@1298c7d
2009-06-10 21:15:16,822 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.CLIENT_LOGIN_MODULE] (http-0.0.0.0-8080-1) CachePolicy set to: org.jboss.util.TimedCachePolicy@c677a7
2009-06-10 21:15:16,822 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) setCachePolicy, c=org.jboss.util.TimedCachePolicy@c677a7
2009-06-10 21:15:16,838 ERROR [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
at org.jboss.security.javaee.EJBAuthenticationHelper.isValid(EJBAuthenticationHelper.java:87)
at org.jboss.ejb.plugins.SecurityActions$13.run(SecurityActions.java:543)
at org.jboss.ejb.plugins.SecurityActions$13.run(SecurityActions.java:540)
at java.security.AccessController.doPrivileged(Native Method)
at org.jboss.ejb.plugins.SecurityActions.isValid(SecurityActions.java:539)
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:314)
at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
at org.jboss.ejb.Container.invoke(Container.java:1046)
at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:362)
at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:133)
at $Proxy120.create(Unknown Source)
at com.filenet.apiimpl.transport.ejb.EnginePortFactory.create(EnginePortFactory.java:36)
at com.filenet.apiimpl.wsi.ServerHelperNst.getEnginePort(ServerHelperNst.java:90)
at com.filenet.apiimpl.wsi.ServiceSessionNst$1.run(ServiceSessionNst.java:1050)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at com.filenet.apiimpl.authentication.util.J2EEAuthnUtil.runAs(J2EEAuthnUtil.java:533)
at com.filenet.apiimpl.authentication.util.J2EEAuthnUtilJB.runAs(J2EEAuthnUtilJB.java:280)
at com.filenet.apiimpl.util.J2EEUtilJB.doAs(J2EEUtilJB.java:103)
at com.filenet.apiimpl.wsi.ServiceSessionNst.makeServerInternalEJBCall(ServiceSessionNst.java:961)
at com.filenet.apiimpl.wsi.ServiceSessionNst.incomingRequestToServer(ServiceSessionNst.java:917)
at com.filenet.engine.wsi.ListenerNst.service(ListenerNst.java:101)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
2009-06-10 21:15:16,853 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (http-0.0.0.0-8080-1) Error in Security Interceptor
java.lang.SecurityException: Authentication exception, principal=CEAdmin
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:321)
at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
at org.jboss.ejb.Container.invoke(Container.java:1046)
at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:362)
at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:133)
at $Proxy120.create(Unknown Source)
at com.filenet.apiimpl.transport.ejb.EnginePortFactory.create(EnginePortFactory.java:36)
at com.filenet.apiimpl.wsi.ServerHelperNst.getEnginePort(ServerHelperNst.java:90)
at com.filenet.apiimpl.wsi.ServiceSessionNst$1.run(ServiceSessionNst.java:1050)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at com.filenet.apiimpl.authentication.util.J2EEAuthnUtil.runAs(J2EEAuthnUtil.java:533)
at com.filenet.apiimpl.authentication.util.J2EEAuthnUtilJB.runAs(J2EEAuthnUtilJB.java:280)
at com.filenet.apiimpl.util.J2EEUtilJB.doAs(J2EEUtilJB.java:103)
at com.filenet.apiimpl.wsi.ServiceSessionNst.makeServerInternalEJBCall(ServiceSessionNst.java:961)
at com.filenet.apiimpl.wsi.ServiceSessionNst.incomingRequestToServer(ServiceSessionNst.java:917)
at com.filenet.engine.wsi.ListenerNst.service(ListenerNst.java:101)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
The jboss.xml file in our server ejb's META-INF:
<?xml version="1.0"?>
<jboss>
  <enterprise-beans>
    <session>
      <ejb-name>Engine</ejb-name>
      <jndi-name>FileNet/Engine</jndi-name>
      <local-jndi-name>FileNet/Local/Engine</local-jndi-name>
    </session>
    <session>
      <ejb-name>EngineCore</ejb-name>
      <local-jndi-name>FileNet/Local/EngineCore</local-jndi-name>
    </session>
    <session>
      <ejb-name>EngineContent</ejb-name>
      <jndi-name>FileNet/EngineContent</jndi-name>
      <local-jndi-name>FileNet/Local/EngineContent</local-jndi-name>
    </session>
    <session>
      <ejb-name>EngineContentCore</ejb-name>
      <local-jndi-name>FileNet/Local/EngineContentCore</local-jndi-name>
    </session>
  </enterprise-beans>
  <container-configurations>
    <container-configuration>
      <container-name>Standard Stateless SessionBean</container-name>
      <security-domain>java:/jaas/FileNet</security-domain>
    </container-configuration>
  </container-configurations>
</jboss>
In JBoss 5.0.1, we found that the SecurityInterceptor correctly retrieved the security domain from jboss.xml. However, when it is inside EJBAuthenticationHelper.isValid() the security domain is "CLIENT_LOGIN_MODULE".
Since there is no "CLIENT_LOGIN_MODULE" application-policy defined in our login-config.xml file, it falls back to "other" and executes the wrong login module - UsersRolesLoginModule.
Does anyone know why the security domain override via jboss.xml is not working in JBoss 5?
How do we get the ejb authentication to use "FileNet" as specified in the jboss.xml?
We tried adding <security-domain>java:/jaas/FileNet</security-domain> as a top-level element in jboss.xml, to no avail.
Has anyone experienced the same issue when migrating from JBoss 4 to 5?
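
A check for the fallback described in the post, as an added example that is not part of the original post or of JBoss: it reads the domains the server actually created from "Creating SDC for domain=" log lines, compares them with the security-domain declared in jboss.xml, and reports which application-policy would run for each. The login-config.xml content and the class name example.PlaceholderLoginModule are constructed for illustration; the jboss.xml fragment and the log line are taken from the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed login-config.xml: "FileNet" and the catch-all "other" exist,
# "CLIENT_LOGIN_MODULE" does not. The FileNet module class is a placeholder.
LOGIN_CONFIG = """<policy>
  <application-policy name="FileNet"><authentication>
    <login-module code="example.PlaceholderLoginModule" flag="required"/>
  </authentication></application-policy>
  <application-policy name="other"><authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
  </authentication></application-policy>
</policy>"""

# Container configuration as posted (wrapped in <jboss> so it parses).
JBOSS_XML = """<jboss><container-configurations><container-configuration>
  <container-name>Standard Stateless SessionBean</container-name>
  <security-domain>java:/jaas/FileNet</security-domain>
</container-configuration></container-configurations></jboss>"""

# Log line from the post (timestamp and thread name trimmed).
SERVER_LOG = ("DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] "
              "Creating SDC for domain=CLIENT_LOGIN_MODULE\n")

def short_name(domain):
    """java:/jaas/FileNet -> FileNet"""
    return domain.strip().rsplit("/", 1)[-1]

def load_policies(xml_text):
    """Map application-policy name -> login-module class names."""
    return {p.get("name"): [m.get("code") for m in p.iter("login-module")]
            for p in ET.fromstring(xml_text).iter("application-policy")}

def audit(log_text, jboss_xml, login_config, fallback="other"):
    """Compare declared domains with the domains the server actually created."""
    policies = load_policies(login_config)
    declared = {short_name(e.text)
                for e in ET.fromstring(jboss_xml).iter("security-domain")}
    report = []
    for name in map(short_name, re.findall(r"Creating SDC for domain=(\S+)", log_text)):
        effective = name if name in policies else fallback
        report.append({"runtime_domain": name, "declared": name in declared,
                       "effective_policy": effective, "fell_back": effective != name,
                       "modules": policies.get(effective, [])})
    return report

if __name__ == "__main__":
    for row in audit(SERVER_LOG, JBOSS_XML, LOGIN_CONFIG):
        print(row)
```

A row with declared=False and fell_back=True is the condition in the log above: authentication ran against a domain that no descriptor names and no policy defines, so the modules of "other" decided the outcome.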