3 Replies Latest reply on Feb 24, 2006 10:07 AM by tom.baeyens

    jBPM 3.1: ClassCastException in JBossSecurityMgrRealm

    jesse_sweetland

      Application Servers:
      JBoss 4.0.2, JBoss 4.0.3SP1, and jBPM Starter Kit (JBoss 4.0.2)

      jBPM Release:
      jBPM 3.1 and jBPM 3.1 Starter Kit

      Problem:
      We are migrating our application from jBPM 3.0.1 to jBPM 3.1. The application successfully compiles, but when we deploy to any of the application servers mentioned above we receive the following stack trace:

      10:32:36,168 ERROR [CoyoteAdapter] An exception or error occurred in the container during the request processing
      java.lang.ClassCastException: org.jnp.interfaces.NamingContext
       at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:227)
       at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
       at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
       at java.lang.Thread.run(Thread.java:595)
      


      Looking at line 227 of JBossSecurityMgrRealm.java, the problem appears to happen when casting the object bound to "java:comp/env/security/securityMgr" as a SecurityManager. I removed all declarative security statements (login-config, security-constraint, etc.) from our web.xml and our application loads fine (since the realm never gets invoked).

      The jBPM starter kit application runs fine, but I noticed that there are no declarative security statements in web.xml.

      I also noticed that the size of the jboss-j2ee.jar in the jbpm-3.1/lib/ directory is larger than the jboss-j2ee.jar in the jboss-4.0.3SP1/server/default/lib/ directory.

      Reading the JBoss classloading documentation, it seems that maybe the SecurityManager class is being loaded by a different classloader than the object in the JNDI context noted above.

      Has anyone else encountered this issue? Are there any workarounds?

      Thanks,

      - Jesse

        • 1. Re: jBPM 3.1: ClassCastException in JBossSecurityMgrRealm
          jesse_sweetland

          Some more information:

          Operating System: Fedora Core 4

          Java Version: 1.4.2_10, 1.5.0_05

          I downloaded the source to JBoss 4.0.3SP1; added some debugging statements to JBossSecurityMgrRealm.java; built JBoss 4.0.3SP1 from the modified source; and redeployed our application to see why the ClassCastException was happening. The debug code first gets the object bound to the JNDI name "comp/env/security/securityMgr" as an object and prints out the name of its class. According to my debug statements, it looks like the object being retrieved from the JNDI context "comp/env/security/securityMgr" is of type org.jnp.naming.NamingContext. This object is being cast to a SubjectSecurityManager, hence the ClassCastException.

          I downloaded the JBoss 4.0.3SP1 binaries again (the tar.gz version) and unzipped them in a different directory for a clean start. I wrote a test application consisting of nothing more than a plain index.jsp and a web.xml with security constraints. I got the same stack trace when I deployed this application into the brand new, clean JBoss 4.0.3SP1 installation. I also got the same error in the JBoss 4.0.2 server packaged with the jBPM 3.1 starter kit.

          Here is the code for my test application:

          index.jsp

          <html>
          <head>
          <title>Test Case 1</title>
          </head>
          <body>
          <h1>Congratulations!</h1>
          <p>If you are reading this, then the problem has <i>not</i> occurred.</p>
          </body>
          </html>
          


          WEB-INF/web.xml
          <?xml version="1.0" encoding="UTF-8"?>

          <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
                   version="2.4">
            <session-config>
              <session-timeout>30</session-timeout>
            </session-config>
            <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
            </welcome-file-list>
            <security-constraint>
              <web-resource-collection>
                <web-resource-name>All files</web-resource-name>
                <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                <role-name>*</role-name>
              </auth-constraint>
            </security-constraint>

            <login-config>
              <auth-method>BASIC</auth-method>
            </login-config>
          </web-app>
          


          We have three users here locally who are receiving the same stack trace under a variety of circumstances. Can anyone else duplicate this error? Has anyone had success with using container managed security in JBoss with Tomcat and jBPM?

          Thanks,

          - Jesse

          • 2. Re: jBPM 3.1: ClassCastException in JBossSecurityMgrRealm
            jesse_sweetland

            We solved the problem. When you create a project in NetBeans 5.0 and choose JBoss 4.0.3 as your application server, it creates a file called jboss-web.xml in WEB-INF. This file by default contains the following line:

            <security-domain flushOnSessionInvalidation="false"/>
            


            Deleting either the jboss-web.xml file or this line causes the application to function properly. However, if there is a jboss-web.xml in the WAR file, and it includes this line, the ClassCastException noted above occurs invariably.

            We commented out the offending line and everything works properly now.

            Hope that helps,

            - Jesse
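
A pre-deployment check for the condition described in the reply above, as an added example that is not part of the original thread or of JBoss/NetBeans: it scans a WAR for a `WEB-INF/jboss-web.xml` whose `<security-domain>` element carries no value, and raises the severity when `web.xml` also declares `security-constraint` or `login-config`. The function names `check_war` and `make_war`, the ERROR/WARN levels and the sample files are assumptions constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

JBOSS_WEB = "WEB-INF/jboss-web.xml"
WEB_XML = "WEB-INF/web.xml"

def _named(root, name):
    """Elements with this local name, ignoring any XML namespace."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def check_war(war_bytes):
    """Return findings for a WAR whose jboss-web.xml has an empty security-domain."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        if JBOSS_WEB not in names:
            return []
        jboss_web = ET.fromstring(war.read(JBOSS_WEB))
        web = ET.fromstring(war.read(WEB_XML)) if WEB_XML in names else None
    # Commented-out elements are dropped by the parser, so they are not flagged.
    empty = [el for el in _named(jboss_web, "security-domain")
             if not (el.text or "").strip()]
    if not empty:
        return []
    # Declarative security in web.xml is what makes the realm run at all.
    secured = web is not None and bool(
        _named(web, "security-constraint") or _named(web, "login-config"))
    level = "ERROR" if secured else "WARN"
    return [f"{level}: {JBOSS_WEB} has <security-domain> with no value"
            f" (attributes: {dict(el.attrib)})" for el in empty]

def make_war(files):
    """Build an in-memory WAR from {path: text}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for path, text in files.items():
            war.writestr(path, text)
    return buf.getvalue()

# Constructed samples modelled on the files quoted in the thread.
SECURED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint><auth-constraint><role-name>*</role-name></auth-constraint></security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
NETBEANS_JBOSS_WEB = '<jboss-web><security-domain flushOnSessionInvalidation="false"/></jboss-web>'

if __name__ == "__main__":
    war = make_war({WEB_XML: SECURED_WEB_XML, JBOSS_WEB: NETBEANS_JBOSS_WEB})
    print("\n".join(check_war(war)))
```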

            • 3. Re: jBPM 3.1: ClassCastException in JBossSecurityMgrRealm
              tom.baeyens

              i didn't see this before.

              jbpm doesn't use any security in the webapplication.

              (that is mainly done to allow developers to start playing with the webapp. previously some people reported problems with configuring security properly. so we decided to rip it out. )

              regards, tom.