4 Replies Latest reply on Nov 10, 2005 10:37 AM by hannes

    org.jbpm.identity.security.IdentityLoginModule & JAAS

    hannes

      I am currently occupied with the user & security management and want to customize the jbpm.identities. So, there is already this LoginModule, but how do I use it? Any parameters in the login-config.xml to set?

      <application-policy name="jbpm-web-sec">
        <authentication>
          <login-module code="org.jbpm.identity.security.IdentityLoginModule"
                        flag="required">
          </login-module>
        </authentication>
      </application-policy>

      What about the web.xml?
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>JBPM Security</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>JBossAdmin</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>JBoss JBPM</realm-name>
      </login-config>
      <security-role>
        <role-name>JBossAdmin</role-name>
      </security-role>

      I manually inserted the JBossAdmin into the jbpm_id_group table and connected it with cookie monster in jbpm_id_membership, but even so I can't authorize to the websale :(
      Can anybody help?

        • 1. Re: org.jbpm.identity.security.IdentityLoginModule & JAAS
          gwittwer

          Hi Hannes

          I'm currently also occupied with the security of JBoss and jBPM (see my message: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=70644).

          If you get the solution for the security settings and how to use them, please inform me (I will do the same :)

          Thank you, and I hope somebody will help us with the security stuff.

          Regards
          Gerhard

          • 2. Re: org.jbpm.identity.security.IdentityLoginModule & JAAS
            hannes


            "gwittwer" wrote:
            Hi Hannes

            I'm currently also occupied with the security of JBoss and jBPM (see my message: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=70644).

            If you get the solution for the security settings and how to use them, please inform me (I will do the same :)

            Thank you, and I hope somebody will help us with the security stuff.

            Regards
            Gerhard


            Servus Gerhard :)

            First of all, this is my first web project, so I am still quite inexperienced with basic J2EE stuff :(
            I am sorry that I hadn't seen your posting before; I only searched for the LoginModule. At first I wanted to make up my own object/database model, but much is already done in identities.
            Currently, websale works with the (Hibernate-saved) identity.User object, which is accessible via the PersistentContext/IdentitySession, right? I want to keep this, but the creation, or rather putting it into the context, has to be done in the LoginModule (currently it is done in the AuthenticationFilter), or am I wrong?



            • 3. Re: org.jbpm.identity.security.IdentityLoginModule & JAAS
              hannes

              I have just taken a deeper look into the IdentityLoginModule (latest jbpm3.1alpha starterKit) and ran into some trouble:
              org.jbpm.identity.security.IdentityLoginModule.java:

              public boolean login() throws LoginException {
                  System.out.println("[IdentityLoginModule] login");
                  // get userName and password
                  NameCallback nameCallback = new NameCallback(null);
                  System.out.println("[IdentityLoginModule] after NameCallback");
                  PasswordCallback passwordCallback = new PasswordCallback(null, false);
                  try {
              ...
              

              (I have only added the sysos)
              The first syso works, but after that no trace is printed anymore. It seems that 'new NameCallback(null);' causes an exception, but no trace is shown. Tomorrow I am going to insert a catch block.
              Has anybody ever succeeded in running the IdentityLoginModule??

              • 4. Re: org.jbpm.identity.security.IdentityLoginModule & JAAS
                hannes

                Actually, this thread wasn't supposed to be a monologue ;)
                Here is the promised trace:

                16:18:13,661 INFO [STDOUT] java.lang.IllegalArgumentException
                16:18:13,661 INFO [STDOUT] at javax.security.auth.callback.NameCallback.<init>(NameCallback.java:50)
                16:18:13,661 INFO [STDOUT] at org.jbpm.identity.security.IdentityLoginModule.login(IdentityLoginModule.java:46)
                16:18:13,661 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                16:18:13,671 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                16:18:13,671 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                16:18:13,671 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:585)
                16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
                16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                16:18:13,671 INFO [STDOUT] at java.security.AccessController.doPrivileged(Native Method)
                16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                16:18:13,671 INFO [STDOUT] at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:572)
                16:18:13,671 INFO [STDOUT] at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:506)
                16:18:13,671 INFO [STDOUT] at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:315)
                16:18:13,671 INFO [STDOUT] at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:230)
                16:18:13,671 INFO [STDOUT] at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
                16:18:13,671 INFO [STDOUT] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
                16:18:13,671 INFO [STDOUT] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
                16:18:13,671 INFO [STDOUT] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                16:18:13,681 INFO [STDOUT] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                16:18:13,681 INFO [STDOUT] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                16:18:13,681 INFO [STDOUT] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                16:18:13,681 INFO [STDOUT] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
                16:18:13,681 INFO [STDOUT] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
                16:18:13,681 INFO [STDOUT] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                16:18:13,681 INFO [STDOUT] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                16:18:13,681 INFO [STDOUT] at java.lang.Thread.run(Thread.java:595)


                What I have done:
                Added a new policy to login-config.xml:
                <application-policy name="jbpm">
                  <authentication>
                    <login-module code="org.jbpm.identity.security.IdentityLoginModule"
                                  flag="required">
                    </login-module>
                  </authentication>
                </application-policy>

                Added a file, jboss-web.xml, to the unpacked jbpm-webapp:
                <jboss-web>
                 <security-domain>java:/jaas/jbpm</security-domain>
                </jboss-web>

                Changed web.xml:
                <security-constraint>
                  <web-resource-collection>
                    <web-resource-name>jbpm</web-resource-name>
                    <url-pattern>/faces/*</url-pattern>
                    <http-method>POST</http-method>
                    <http-method>GET</http-method>
                  </web-resource-collection>
                  <auth-constraint>
                    <role-name>*</role-name>
                  </auth-constraint>
                </security-constraint>
                <!--
                <login-config>
                  <auth-method>FORM</auth-method>
                  <form-login-config>
                    <form-login-page>/faces/login.jsp</form-login-page>
                    <form-error-page>/faces/error.jsp</form-error-page>
                  </form-login-config>
                </login-config>
                -->
                <login-config>
                  <auth-method>BASIC</auth-method>
                  <realm-name>JBoss JBPM</realm-name>
                </login-config>

                <security-role>
                  <role-name>admin</role-name>
                </security-role>

                I tested both authentication methods, form-based and windowed (BASIC), but every time the same error occurs.
                Using jbpm-3.1alpha-starterkit & Java 1.5.0_04-b05.
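
The IllegalArgumentException at the top of that trace comes from the NameCallback constructor, which rejects a null or empty prompt, so the CallbackHandler is never reached. As an added illustration (not code from jBPM or from anyone in this thread), here is a minimal JAAS LoginModule whose login() builds both callbacks with prompts and checks the credentials against a constructed in-memory store; the class name, the "cookie monster" password and the store itself are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ExampleLoginModule implements LoginModule {
    // Constructed demo store; a real module would query the jBPM identity tables.
    private static final Map<String, char[]> USERS =
        Collections.singletonMap("cookie monster", "crunchcrunch".toCharArray());

    private CallbackHandler callbackHandler;
    private String authenticatedUser;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.callbackHandler = handler;
    }

    public boolean login() throws LoginException {
        if (callbackHandler == null) throw new LoginException("no CallbackHandler");
        // Prompts must be non-null and non-empty: new NameCallback(null) throws
        // IllegalArgumentException before the handler is called (the trace above).
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            callbackHandler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] password = passCb.getPassword();   // getPassword() returns a copy
        passCb.clearPassword();                   // wipe the callback's own copy
        char[] expected = USERS.get(nameCb.getName());
        boolean ok = expected != null && password != null
                     && Arrays.equals(expected, password);
        if (password != null) Arrays.fill(password, '\0'); // wipe our copy too
        if (!ok) throw new FailedLoginException("invalid user name or password");
        authenticatedUser = nameCb.getName();
        return true;
    }

    public boolean commit() { return authenticatedUser != null; }
    public boolean abort()  { authenticatedUser = null; return true; }
    public boolean logout() { authenticatedUser = null; return true; }
}
```

Mapping the user to the roles named in web.xml (admin or JBossAdmin above) is normally done in commit() by adding Principals to the Subject, which this example leaves out.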