4 Replies Latest reply on Jul 5, 2007 11:46 AM by georgy

    DatabaseServerLoginModule

    georgy

      Hi

      I am triying to authenticate user with the DatabaseServerLoginModule module against a mysql database. First i created two tables :

      
      
      CREATE TABLE `proxiad`.`principals` (
       `PrincipalID` varchar(64) NOT NULL default '',
       `Password` varchar(64) default NULL,
       PRIMARY KEY (`PrincipalID`)
      ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
      
      
      CREATE TABLE `proxiad`.`roles` (
       `PrincipalID` varchar(64) default NULL,
       `Role` varchar(64) default NULL,
       `RoleGroup` varchar(64) default NULL
      ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
      
      
      



      Then i inserted data

      insert into roles values('g.mahop','Authenticated','Roles')
      insert into roles values('g.mahop','Admin','Roles')
      insert into principals values('g.mahop','toto')
      


      Finally i modified the jboss-portal.sar/conf/login-config.xml this way :

      
      <?xml version='1.0'?>
      <!--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       ~ JBoss, a division of Red Hat ~
       ~ Copyright 2006, Red Hat Middleware, LLC, and individual ~
       ~ contributors as indicated by the @authors tag. See the ~
       ~ copyright.txt in the distribution for a full listing of ~
       ~ individual contributors. ~
       ~ ~
       ~ This is free software; you can redistribute it and/or modify it ~
       ~ under the terms of the GNU Lesser General Public License as ~
       ~ published by the Free Software Foundation; either version 2.1 of ~
       ~ the License, or (at your option) any later version. ~
       ~ ~
       ~ This software is distributed in the hope that it will be useful, ~
       ~ but WITHOUT ANY WARRANTY; without even the implied warranty of ~
       ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ~
       ~ Lesser General Public License for more details. ~
       ~ ~
       ~ You should have received a copy of the GNU Lesser General Public ~
       ~ License along with this software; if not, write to the Free ~
       ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA ~
       ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org. ~
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~-->
      
      <!DOCTYPE policy PUBLIC
       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
      <policy>
       <!-- For the JCR CMS -->
       <application-policy name="cms">
       <authentication>
       <login-module code="org.apache.jackrabbit.core.security.SimpleLoginModule" flag="required"/>
       </authentication>
       </application-policy>
      
      
      
      
      
       <application-policy name="portal">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag="required">
       <module-option name="dsJndiName">java:/PortalDS</module-option>
       <module-option name="principalsQuery">
       select passwd from Users username where username=?</module-option>
       <module-option name="rolesQuery">
       select userRoles, 'Roles' from UserRoles where username=?</module-option>
       </login-module>
      
      
      
       <!-- <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
       <login-module code ="org.jboss.portal.identity.auth.DBIdentityLoginModule" flag = "required">
       <module-option name ="unauthenticatedIdentity">guest</module-option>
       <module-option name ="dsJndiName">java:/PortalDS</module-option>
       <module-option name = "principalsQuery">SELECT Password FROM principals WHERE PrincipalID=?</module-option>
      
       <module-option name = "rolesQuery">Select Role,'Roles' from roles where PrincipalID=?</module-option>
       </login-module>-->
      
      
      
      
       <!--To configure LDAP support with IdentityLoginModule please check documentation on how to
       configure portal identity modules for this
       <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">
       <module-option name="unauthenticatedIdentity">guest</module-option>
       <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
       <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
       <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
       <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
       <module-option name="additionalRole">Authenticated</module-option>
       <module-option name="password-stacking">useFirstPass</module-option>
       </login-module> -->
      
       <!--Use can use this module instead of IdentityLoginModule to bind to LDAP. It simply extends JBossSX LdapExtLoginModule so
       all configuration that can be applied to LdapExtLoginModule also can be applied here. For user that
       was authenticated successfully it will try to take identity modules from portal, check if such user (and roles it belongs to)
       is present, and if not it will try to create them. Then for all roles assigned to this authenticated principal it will
       try to check and create them using identity modules. This behaviour can be disabled using "synchronizeRoles". You can also
       define one "defaultAssignRole" that will be always assigned to synchronized user.
       It is also possible to set option "synchronizeIdentity" to "false" so this module will act exactly like LdapExtLoginModule
       but it will inject role defined in "additionalRole". For obvious reasons
       this is designed to use with portal identity modules configured with DB and not LDAP-->
       <!--There is also SynchronizingLDAPLoginModule which provide the same set of options on top of JBossSX LdapLoginModule-->
       <!--<login-module code="org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule" flag="required">
       <module-option name="synchronizeIdentity">true</module-option>
       <module-option name="synchronizeRoles">true</module-option>
       <module-option name="additionalRole">Authenticated</module-option>
       <module-option name="defaultAssignedRole">User</module-option>
       <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
       <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
       <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
       <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <module-option name="java.naming.provider.url">ldap://example.com:10389/</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <module-option name="bindDN">cn=Directory Manager</module-option>
       <module-option name="bindCredential">lolo</module-option>
       <module-option name="baseCtxDN">ou=People,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
       <module-option name="baseFilter">(uid={0})</module-option>
       <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
       <module-option name="roleFilter">(member={1})</module-option>
       <module-option name="roleAttributeID">cn</module-option>
       <module-option name="roleRecursion">-1</module-option>
       <module-option name="searchTimeLimit">10000</module-option>
       <module-option name="searchScope">SUBTREE_SCOPE</module-option>
       <module-option name="allowEmptyPasswords">false</module-option>
       </login-module>-->
      
       <!--This login module should be placed at the end of authentication stack. It always returns
       true in login() method so it should be always "optional" and exists after other "required" module in the stack.
       It will try to synchronize authenticated user into portal store using portal identity modules. Each subject principal assigned
       by previous modules will be tried to synchronize into portal as a role. -->
       <!--<login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
       <module-option name="synchronizeIdentity">true</module-option>
       <module-option name="synchronizeRoles">true</module-option>
       <module-option name="additionalRole">Authenticated</module-option>
       <module-option name="defaultAssignedRole">User</module-option>
       <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
       <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
       <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
       <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
       </login-module>-->
      
       <!--Uncomment this if you want to fall down to users kept in DB if LDAP authentication fails
       This may be usefull if you want to use Admin user provided with portal database schema-->
       <!--Note that this may lead to the security risk - with LDAP when storing user profile information
       that are not mapped as attribute you may have LDAP user synchronized into DB with no password set.
       Please see HibernateUserProfileImpl module options "synchronizeNonExistingUsers", "acceptOtherImplementations"
       "defaultSynchronizePassword" or "randomSynchronizePassword" to manage this behaviour-->
       <!--<login-module code = "org.jboss.portal.identity.auth.DBIdentityLoginModule" flag="sufficient">
       <module-option name="dsJndiName">java:/PortalDS</module-option>
       <module-option name="principalsQuery">SELECT jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
       <module-option name="rolesQuery">SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=?</module-option>
       <module-option name="hashAlgorithm">MD5</module-option>
       <module-option name="hashEncoding">HEX</module-option>
       <module-option name="additionalRole">Authenticated</module-option>
       </login-module>-->
      
       </authentication>
       </application-policy>
      </policy>
      
      


      But when i log in using correct principals, it looks like i don't have 'Admin' rights, in fact it looks like i am not logged since the 'Login' link appears on the page (top right).
      If i use wrong principals, 'null' is displayed instead of the usual message 'User doesn't exist or...'


      I am using JBOSS Portal 2.6 GA (bundle version)
      Can somebody help me?

        • 1. Re: DatabaseServerLoginModule
          theute

          Why don't you use: org.jboss.portal.identity.auth.DBIdentityLoginModule that you commented out ?
          You can edit the SQL queries in it.

          • 2. Re: DatabaseServerLoginModule
            georgy

            Hi

            i have the same problem with the 'org.jboss.portal.identity.auth.DBIdentityLoginModule' (i use the same SQL requests). I can access the portal with correct principals but as an "unauthenticated" user (login link appears on the page).

            I really don't understand what's missing/wrong

            • 3. Re: DatabaseServerLoginModule
              bdaw

               

              select userRoles, 'Roles' from UserRoles where username=?

              Actually - where is the UserRoles table? Are you using portal one? Are you sure that relationship is defined properly in your database?

              • 4. Re: DatabaseServerLoginModule
                georgy

                Hi 'bdaw'


                You are wright, i made a mistake: it should be table 'roles' instead of 'UserRoles', but it doesn't solve the problem anyway. I read portal documentation once more to make sure i didn't forget anything and in the documentation it is said that 'The JBoss Application Server documentation is certainly the best reference ' for authentication configuration, so i read a part of chapter 8.

                http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html#ch8.dabaseserverloginmodule.sect


                I tried the dabaseserverloginmodule exemple:

                i created 2 tables Users and UserRoles (copy/paste of the exemple)

                CREATE TABLE Users(username VARCHAR(64) PRIMARY KEY, passwd VARCHAR(64))
                CREATE TABLE UserRoles(username VARCHAR(64), userRoles VARCHAR(32))
                



                i inserted data

                insert into UserRoles values('g.mahop','Authenticated')
                insert into UserRoles values('g.mahop','Admin')
                insert into Users values('g.mahop','toto')
                



                I reconfigured the jboss-portal.sar/conf/login-config.xml file:


                 <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                 flag="required">
                 <module-option name="dsJndiName">java:/PortalDS</module-option>
                 <module-option name="principalsQuery">
                 select passwd from Users username where username=?</module-option>
                 <module-option name="rolesQuery">
                 select userRoles, 'Roles' from UserRoles where username=?</module-option>
                 </login-module>
                
                




                This is what happends after i try to authenticate

                http://users.telenet.be/mistageorges/portalSnapshot/afterSubmit.JPG



                Obviously i am missing something but i can't find what. Do you see anything that seems not to be wright?

                I use JBOSS Portal 2.6GA (bundle version) with a mysql 4.1 database

                Thank for your help