-
1. Re: ClassCastException in CertificateLoginModule
beve Oct 7, 2009 7:23 AM (in response to h.wolffenbuttel)
Hi,
Is it a configuration problem or just a bug?
I'd say this might depend on how you are using the CertificateLoginModule. Are you using the login module as the moduleName for an ESB service like this:

    <security moduleName="CertLogin" rolesAllowed="worker" callbackHandler="org.jboss.soa.esb.services.security.auth.login.CertCallbackHandler">
        <property name="alias" value="certtest"/>
    </security>

This is from the security_cert quickstart. In this case the JBossRemotingGatewayListener's message composer is responsible for extracting the certificate from the incoming request. An AuthenticationRequest is created using the certificate and this instance is attached to the ESB Message context so that it is available to the ESB to authenticate the call.
The credentials are specified in org.jboss.soa.esb.services.security.auth.AuthenticationRequest:

    public interface AuthenticationRequest {
        public abstract Set<?> getCredentials();
        ...
    }

It should not be possible that the getCredentials method does not return a Set<?> as far as I can tell.
Could you show me your jboss-esb.xml configuration, especially the security element on the esb service?
Regards,
/Daniel
-
2. Re: ClassCastException in CertificateLoginModule
h.wolffenbuttel Oct 7, 2009 7:46 AM (in response to h.wolffenbuttel)
Hi,
I'm using another callbackHandler:

    <security callbackHandler="org.jboss.soa.esb.services.security.auth.loginUserPassCallbackHandler" moduleName="CertLogin" rolesAllowed="worker" runAs="worker" useCallerIdentity="false">
        <property name="alias" value="xxxxxx"/>
    </security>

But with the suggested config:

    <security callbackHandler="org.jboss.soa.esb.services.security.auth.login.CertCallbackHandler" moduleName="CertLogin" rolesAllowed="worker" runAs="worker" useCallerIdentity="false">
        <property name="alias" value="xxxxxxxx"/>
    </security>

I still get the following error (extracted via debugging):

    javax.security.auth.login.LoginException: java.lang.ClassCastException: [Ljava.security.cert.X509Certificate;
        at org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule.getCallerCertificate(CertificateLoginModule.java:406)
        at org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule.login(CertificateLoginModule.java:145)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
        at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
        at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
        at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:330)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:149)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
        at java.lang.Thread.run(Thread.java:595)

The Object which is called for the credentials is org.jboss.security.auth.callback.ObjectCallback. Do I have a different version or something? I'm using AS 4.2.3 and ESB 4.6 with JBoss Remoting 2.2.3 and JBoss Messaging 1.4.4 GA
Regards,
Hans -
3. Re: ClassCastException in CertificateLoginModule
h.wolffenbuttel Oct 7, 2009 7:52 AM (in response to h.wolffenbuttel)
Hi,
Here is the class definition of org.jboss.security.auth.callback.ObjectCallback. It implements the interface Callback, but that interface is empty.

    /*
     * JBoss, Home of Professional Open Source.
     */
    package org.jboss.security.auth.callback;

    import javax.security.auth.callback.Callback;

    /** An implementation of Callback that simply obtains an Object to be used
     as the authentication credential. Interpretation of the Object is up to
     the LoginModules that validate the credential.

     @author Scott.Stark@jboss.org
     @version $Revision: 57203 $
     */
    public class ObjectCallback implements Callback
    {
        private transient String prompt;
        private transient Object credential;

        /** Initialize the SecurityAssociationCallback */
        public ObjectCallback(String prompt)
        {
            this.prompt = prompt;
        }

        public String getPrompt()
        {
            return prompt;
        }

        public Object getCredential()
        {
            return credential;
        }

        public void setCredential(Object credential)
        {
            this.credential = credential;
        }

        public void clearCredential()
        {
            this.credential = null;
        }
    }

Regards,
Hans -
4. Re: ClassCastException in CertificateLoginModule
beve Oct 7, 2009 8:02 AM (in response to h.wolffenbuttel)
The CertLoginModule is only intended to be used for ESB service security, that is when using the security element on a service in jboss-esb.xml.
If I'm reading the stacktrace correctly you are using this for web container security via the http-provider.
Could you modify one of the quickstarts to reproduce your issue? I'd be happy to take a look and it would make it easier for me to understand what is going on.
Thanks,
/Daniel -
5. Re: ClassCastException in CertificateLoginModule
h.wolffenbuttel Oct 7, 2009 9:27 AM (in response to h.wolffenbuttel)
I need to fill the AuthenticationRequest and it's filled with the following code:

    <http-bus busid="Http-GouwESB-Nulstand" context="/gouwesb/httpsgateway/Nulstand">
        <property name="authMethod" value="CLIENT-CERT"/>
        <property name="securityDomain" value="java:/jaas/CertLogin"/>
        <property name="securityRole" value="worker"/>
    </http-bus>

And the security is supposed to pick up the certificate information in the service declaration:

    <service category="HTTPService" description="WS Frontend speaks natively to the ESB" name="HTTPNulstandService">
        <security callbackHandler="org.jboss.soa.esb.services.security.auth.login.CertCallbackHandler" moduleName="CertLogin" rolesAllowed="worker" runAs="worker" useCallerIdentity="false">
            <property name="alias" value="xxxxxxx"/>
        </security>
        <listeners>
            <http-listener busidref="Http-GouwESB-Nulstand" is-gateway="true" maxThreads="1" name="Http-Nullstand-Gateway"/>
            <jms-listener busidref="NulstandEsbBus" is-gateway="false" maxThreads="1" name="JMS-Nulstand-ESBListener"/>
        </listeners>
        ...
    </service>

I don't know if this information does help? Do I need to use another module like CertRolesLoginModule?
Regards,
Hans -
6. Re: ClassCastException in CertificateLoginModule
beve Oct 7, 2009 9:36 AM (in response to h.wolffenbuttel)
I need to fill the AuthenticationRequest and it's filled with the following code:
Actually only basic authentication information is currently extracted by the http-provider. I'll create a Jira for this and post back the link here.
Sorry about the confusion.
Regards,
/Daniel -
7. Re: ClassCastException in CertificateLoginModule
beve Oct 7, 2009 10:47 AM (in response to h.wolffenbuttel)
I've created the following Jira for this issue so that it can be tracked:
http://jira.jboss.org/jira/browse/JBESB-2871 -
8. Re: ClassCastException in CertificateLoginModule
h.wolffenbuttel Dec 14, 2009 8:00 AM (in response to beve)
Hi Daniel,
Any idea when this will be implemented? Can I do something to get this implemented sooner? The problem resides in the fact that SSL is becoming a requirement and the workaround using the JBossSX loginmodule is no longer valid. Furthermore is the use of exposing a JBossESB as a webservice not configurable for SSL, or did I miss a configuration documentation? The reason for this is that the exposed service doesn't use a configured gateway, not even when there is one defined. (I have had an HTTP-provider defined)
Regards,
Hans
-
9. Re: ClassCastException in CertificateLoginModule
beve Dec 15, 2009 7:16 PM (in response to h.wolffenbuttel)
Hi Hans,
Sorry, but I can't really give you an answer to when this will be implemented as it is not for me to decide. You can vote for this issue though and that will be taken into consideration when tasks get prioritized.
Regards,
/Daniel
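
An added example, not part of the thread and not JBoss ESB or JBossSX code: the trace in post 2 shows an X509Certificate[] reaching a cast that rejects it, and this hypothetical helper (CallerCertificate is an assumed name) shows a login module checking the credential's runtime type before use, so a mismatched caller produces a descriptive LoginException instead of a ClassCastException. The accepted shapes (a Set, a certificate chain, a single certificate) are assumptions drawn from the posts above.

```java
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.security.auth.login.LoginException;

/** Hypothetical helper for illustration; not part of JBoss ESB or JBossSX. */
public final class CallerCertificate {

    private CallerCertificate() {}

    /**
     * Returns the caller's certificate from whatever the callback delivered.
     * Assumed shapes: a Set (ESB AuthenticationRequest credentials), an
     * X509Certificate[] chain (web container CLIENT-CERT), or one certificate.
     * This only selects the certificate; the login module must still verify it
     * against the keystore entry for the configured alias.
     */
    public static X509Certificate from(Object credential) throws LoginException {
        if (credential instanceof X509Certificate) {
            return (X509Certificate) credential;
        }
        if (credential instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) credential;
            if (chain.length > 0 && chain[0] != null) {
                return chain[0]; // the peer's own certificate comes first in the chain
            }
            throw new LoginException("Empty certificate chain");
        }
        if (credential instanceof Set) {
            for (Object o : (Set<?>) credential) {
                if (o instanceof X509Certificate) {
                    return (X509Certificate) o;
                }
            }
            throw new LoginException("No X509Certificate in credential set");
        }
        String type = credential == null ? "null" : credential.getClass().getName();
        throw new LoginException("Unsupported credential type: " + type);
    }

    public static void main(String[] args) {
        // Constructed sample credentials; none carries a certificate, so each is rejected.
        Object[] samples = { new X509Certificate[0], Collections.emptySet(), "secret", null };
        for (Object s : samples) {
            try { from(s); System.out.println("accepted"); }
            catch (LoginException e) { System.out.println(e.getMessage()); }
        }
    }
}
```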