1. Re: org.jbpm.identity.security.IdentityLoginModule & JAAS
gwittwer Oct 12, 2005 5:40 AM (in response to hannes)
Hi Hannes
I'm currently also occupied with the security of JBoss and jBPM (see my message: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=70644).
If you find the solution for the security settings and how to use them, please inform me (I will do the same :)
Thank you, and I hope somebody will help us with the security stuff.
Regards
Gerhard
2. Re: org.jbpm.identity.security.IdentityLoginModule & JAAS
hannes Oct 12, 2005 9:56 AM (in response to hannes)
"gwittwer" wrote:
Hi Hannes
I'm currently also occupied with the security of JBoss and jBPM (see my message: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=70644).
If you find the solution for the security settings and how to use them, please inform me (I will do the same :)
Thank you, and I hope somebody will help us with the security stuff.
Regards
Gerhard
Servus Gerhard :)
First of all, this is my first web project, so I am quite inexperienced even with basic J2EE stuff :(
I am sorry that I hadn't seen your posting before - I only searched for the LoginModule. At first I wanted to make up my own object/database model, but much has already been done in identities.
Currently, websale works with the (hbm-saved) identity.User object, which is accessible via the PersistentContext/IdentitySession, right? I want to keep this, but the creation, resp. putting it in the context, has to be done in the LoginModule (currently in the AuthenticationFilter), or am I wrong?
3. Re: org.jbpm.identity.security.IdentityLoginModule & JAAS
hannes Nov 9, 2005 12:30 PM (in response to hannes)
I have just taken a deeper look into the IdentityLoginModule (latest jbpm3.1alpha starterKit) and ran into some trouble:
org.jbpm.identity.security.IdentityLoginModule.java:
    public boolean login() throws LoginException {
      System.out.println("[IdentityLoginModule] login");
      // get userName and password
      NameCallback nameCallback = new NameCallback(null);
      System.out.println("[IdentityLoginModule] after NameCallback");
      PasswordCallback passwordCallback = new PasswordCallback(null,false);
      try {
        ...
(I have only added the sysos)
The first syso works, but then no trace is printed anymore. Seems that 'new NameCallback(null);' causes an exception - but no trace is shown. Tomorrow I am going to insert a catch block.
Has anybody ever succeeded in running the IdentityLoginModule??
4. Re: org.jbpm.identity.security.IdentityLoginModule & JAAS
hannes Nov 10, 2005 10:37 AM (in response to hannes)
Actually, this thread wasn't supposed to be a monologue ;)
Here is the promised trace:
16:18:13,661 INFO [STDOUT] java.lang.IllegalArgumentException
16:18:13,661 INFO [STDOUT] at javax.security.auth.callback.NameCallback.<init>(NameCallback.java:50)
16:18:13,661 INFO [STDOUT] at org.jbpm.identity.security.IdentityLoginModule.login(IdentityLoginModule.java:46)
16:18:13,661 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
16:18:13,671 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
16:18:13,671 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
16:18:13,671 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:585)
16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
16:18:13,671 INFO [STDOUT] at java.security.AccessController.doPrivileged(Native Method)
16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
16:18:13,671 INFO [STDOUT] at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:572)
16:18:13,671 INFO [STDOUT] at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:506)
16:18:13,671 INFO [STDOUT] at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:315)
16:18:13,671 INFO [STDOUT] at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:230)
16:18:13,671 INFO [STDOUT] at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
16:18:13,671 INFO [STDOUT] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
16:18:13,671 INFO [STDOUT] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
16:18:13,671 INFO [STDOUT] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
16:18:13,681 INFO [STDOUT] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
16:18:13,681 INFO [STDOUT] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
16:18:13,681 INFO [STDOUT] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
16:18:13,681 INFO [STDOUT] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
16:18:13,681 INFO [STDOUT] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
16:18:13,681 INFO [STDOUT] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
16:18:13,681 INFO [STDOUT] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
16:18:13,681 INFO [STDOUT] at java.lang.Thread.run(Thread.java:595)
What have I done?
Added a new policy in the login-conf.xml:
    <application-policy name = "jbpm">
      <authentication>
        <login-module code = "org.jbpm.identity.security.IdentityLoginModule" flag = "required">
        </login-module>
      </authentication>
    </application-policy>
Added a file to the unpacked jbpm-webapp: jboss-web.xml
    <jboss-web>
      <security-domain>java:/jaas/jbpm</security-domain>
    </jboss-web>
Changed web.xml:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>jbpm</web-resource-name>
        <url-pattern>/faces/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>
    <!--
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/faces/login.jsp</form-login-page>
        <form-error-page>/faces/error.jsp</form-error-page>
      </form-login-config>
    </login-config>
    -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss JBPM</realm-name>
    </login-config>
    <security-role>
      <role-name>admin</role-name>
    </security-role>
I tested both authentication-methods: form-based and windowed (basic) - but every time the same error occurs.
using jbpm-3.1alpha-starterkit & java 1.5.0_04-b05
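
The trace above ends in NameCallback.<init>: the JDK constructors of NameCallback and PasswordCallback throw IllegalArgumentException when the prompt is null or empty. The following is an added example, not code from the poster or from jBPM, showing a login() that passes non-empty prompts, wipes the password and reports callback failures as LoginException; the class DemoLoginModule, its verify() method and the credentials are constructed for illustration.

```java
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical module for illustration; not the jBPM IdentityLoginModule.
public class DemoLoginModule implements LoginModule {
    private CallbackHandler handler;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        // A null or empty prompt makes both constructors throw IllegalArgumentException.
        NameCallback name = new NameCallback("username: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass });
            char[] pw = pass.getPassword();            // getPassword() returns a copy
            boolean ok = verify(name.getName(), pw);
            if (pw != null) Arrays.fill(pw, '\0');     // wipe our copy
            if (!ok) throw new FailedLoginException("invalid credentials");
            return true;
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw (LoginException) new LoginException("callback failed").initCause(e);
        } finally {
            pass.clearPassword();                      // wipe the callback's copy
        }
    }

    // Constructed check so the example runs offline; a real module queries its user store.
    private boolean verify(String user, char[] pw) {
        return "demo".equals(user) && pw != null && Arrays.equals(pw, "constructed-pw".toCharArray());
    }
    // Principal handling is omitted in this sketch.
    public boolean commit() { return true; }
    public boolean abort() { return true; }
    public boolean logout() { return true; }
    public static void main(String[] args) throws Exception {
        try { new NameCallback(null); }
        catch (IllegalArgumentException e) { System.out.println("null prompt rejected: " + e); }
        DemoLoginModule m = new DemoLoginModule();
        m.initialize(new Subject(), cbs -> {
            ((NameCallback) cbs[0]).setName("demo");   // order matches the array built in login()
            ((PasswordCallback) cbs[1]).setPassword("constructed-pw".toCharArray());
        }, Map.of(), Map.of());
        System.out.println("login ok: " + m.login());
    }
}
```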