2 Replies Latest reply on Jul 23, 2010 11:14 AM by peterj

Jboss 5.0 jaas configuration issue!!!

winds512tom Jul 21, 2010 10:23 PM

Problem log like this :

2010-07-22 09:18:59,056 ERROR [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-127.0.0.1-8080-2) Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
    at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
    at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
    at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)

JBOSS Configuration:

Login-config.xml

<?xml version='1.0'?>

<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.

The outline of the application-policy is:
<application-policy name="security-domain-name">
  <authentication>
    <login-module code="login.module1.class.name" flag="control_flag">
      <module-option name = "option1-name">option1-value</module-option>
      <module-option name = "option2-name">option2-value</module-option>
      ...
    </login-module>

    <login-module code="login.module2.class.name" flag="control_flag">
      ...
    </login-module>
    ...
  </authentication>
</application-policy>

$Id: login-config.xml 87078 2009-04-09 14:23:47Z bstansberry@jboss.com $
$Revision: 87078 $
-->

<policy>
  <!-- Used by clients within the application server VM such as
  mbeans and servlets that access EJBs.
  -->
  <application-policy name="client-login">
    <authentication>
      <login-module code="org.jboss.security.ClientLoginModule"
        flag="required">
         <!-- Any existing security context will be restored on logout -->
         <module-option name="restore-login-identity">true</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Security domains for testing new jca framework -->
  <application-policy name="HsqlDbRealm">
    <authentication>
      <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule"
        flag="required">
        <module-option name="principal">sa</module-option>
        <module-option name="userName">sa</module-option>
        <module-option name="password"></module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <application-policy name="JmsXARealm">
    <authentication>
      <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule"
        flag="required">
        <module-option name="principal">guest</module-option>
        <module-option name="userName">guest</module-option>
        <module-option name="password">guest</module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- A template configuration for the jmx-console web application. This
    defaults to the UsersRolesLoginModule the same as other and should be
    changed to a stronger authentication mechanism as required.
  -->
  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
        flag="required">
        <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
        <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- A template configuration for the web-console web application. This
    defaults to the UsersRolesLoginModule the same as other and should be
    changed to a stronger authentication mechanism as required.
  -->
  <application-policy name="web-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
        flag="required">
        <module-option name="usersProperties">props/web-console-users.properties</module-option>
        <module-option name="rolesProperties">props/web-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!--
    A template configuration for the JBossWS security domain.
    This defaults to the UsersRolesLoginModule the same as other and should be
    changed to a stronger authentication mechanism as required.
  -->
  <application-policy name="JBossWS">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
        flag="required">
        <module-option name="usersProperties">props/jbossws-users.properties</module-option>
        <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- The default login configuration used by any security domain that
  does not have a application-policy entry with a matching name
  -->
  <application-policy name="other">
    <!-- A simple server login module, which can be used when the number
    of users is relatively small. It uses two properties files:
    users.properties, which holds users (key) and their password (value).
    roles.properties, which holds users (key) and a comma-separated list of
    their roles (value).
    The unauthenticatedIdentity property defines the name of the principal
    that will be used when a null username and password are presented as is
    the case for an unuathenticated web client or MDB. If you want to
    allow such users to be authenticated add the property, e.g.,
    unauthenticatedIdentity="nobody"
    -->
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
        flag="required"/>
        <module-option name="usersProperties">props/jbossws-users.properties</module-option>
        <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
    </authentication>
  </application-policy>

</policy>

deploy/jmx-console.war/WEB-INF/jboss-web.xml

<jboss-web>
   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users. -->
      <security-domain>java:/jaas/web-console</security-domain>
</jboss-web>

deploy/jmx-console.war/WEB-INF/web.xml

<?xml version="1.0"?>
<web-app version="2.5"
   xmlns="http://java.sun.com/xml/ns/javaee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
   
   <description>The standard web descriptor for the html adaptor</description>
   <!--
    <filter>
      <filter-name>JmxOpsAccessControlFilter</filter-name>
      <filter-class>org.jboss.jmx.adaptor.html.JMXOpsAccessControlFilter</filter-class>
      <init-param>
        <param-name>updateAttributes</param-name>
        <param-value>UpdateAttributeRole</param-value>
        <description>Comma-delimited Roles that define the JMX Operation denoting updation of Attributes</description>
      </init-param>
      <init-param>
        <param-name>invokeOp</param-name>
        <param-value>InvokeOpRole</param-value>
        <description>Comma-delimited Roles that define the JMX Operation denoting Invocation of Operations</description>
      </init-param>
   </filter>
   <filter-mapping>
      <filter-name>JmxOpsAccessControlFilter</filter-name>
      <servlet-name>HtmlAdaptor</servlet-name>
   </filter-mapping>
   -->
   <servlet>
      <servlet-name>HtmlAdaptor</servlet-name>
      <servlet-class>org.jboss.jmx.adaptor.html.HtmlAdaptorServlet</servlet-class>
   </servlet>
   <servlet>
      <servlet-name>ClusteredConsoleServlet</servlet-name>
      <servlet-class>org.jboss.jmx.adaptor.html.ClusteredConsoleServlet</servlet-class>
      <init-param>
         <description>The JGroups protocol stack config</description>
         <param-name>jgProps</param-name>
         <param-value>UDP(ip_mcast=true;ip_ttl=16;loopback=false;mcast_addr=${jboss.partition.udpGroup:228.1.2.3};mcast_port=${jboss.jmxconsolepartition.mcast_port:46666}):
org.jboss.jmx.adaptor.control.FindView
         </param-value>
      </init-param>
   </servlet>
   <servlet>
      <servlet-name>DisplayMBeans</servlet-name>
      <jsp-file>/displayMBeans.jsp</jsp-file>
   </servlet>
   <servlet>
      <servlet-name>InspectMBean</servlet-name>
      <jsp-file>/inspectMBean.jsp</jsp-file>
   </servlet>
   <servlet>
      <servlet-name>DisplayOpResult</servlet-name>
      <jsp-file>/displayOpResult.jsp</jsp-file>
   </servlet>
   <servlet>
      <servlet-name>ClusterView</servlet-name>
      <jsp-file>/cluster/clusterView.jsp</jsp-file>
   </servlet>
   <servlet>
      <servlet-name>ProfileServiceDebugServlet</servlet-name>
      <servlet-class>org.jboss.profileservice.web.DebugServlet</servlet-class>
   </servlet>

   <servlet-mapping>
      <servlet-name>HtmlAdaptor</servlet-name>
      <url-pattern>/HtmlAdaptor</url-pattern>
   </servlet-mapping>
   <servlet-mapping>
      <servlet-name>ClusteredConsoleServlet</servlet-name>
      <url-pattern>/cluster/ClusteredConsole</url-pattern>
   </servlet-mapping>
   <servlet-mapping>
      <servlet-name>DisplayMBeans</servlet-name>
      <url-pattern>/DisplayMBeans</url-pattern>
   </servlet-mapping>
   <servlet-mapping>
      <servlet-name>InspectMBean</servlet-name>
      <url-pattern>/InspectMBean</url-pattern>
   </servlet-mapping>
   <servlet-mapping>
      <servlet-name>DisplayOpResult</servlet-name>
      <url-pattern>/DisplayOpResult</url-pattern>
   </servlet-mapping>
   <servlet-mapping>
      <servlet-name>ProfileServiceDebugServlet</servlet-name>
      <url-pattern>/ProfileServiceDebugServlet</url-pattern>
   </servlet-mapping>

   <!-- Display a generic error page when HTTP Status 500 exceptions
        occur. --> 
   <error-page>
      <error-code>500</error-code>
      <location>/genericError.jsp</location>
   </error-page> 

   <!-- A security constraint that restricts access to the HTML JMX console
   to users with the role JBossAdmin. Edit the roles to what you want and
   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
   secured access to the HTML JMX console.
   -->
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>
   

   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss JMX Console</realm-name>
   </login-config>

   <security-role>
      <role-name>JBossAdmin</role-name>
   </security-role>
</web-app>

1. Re: Jboss 5.0 jaas configuration issue!!!

winds512tom Jul 22, 2010 8:44 PM (in response to winds512tom)

this is pitty ! the properties file must in the class folder ....
Actions
2. Re: Jboss 5.0 jaas configuration issue!!!

peterj Jul 23, 2010 11:14 AM (in response to winds512tom)

No it doesn't. The server/xxx/conf directory is in the classpath and thus properties files can be picked up from there also. If you look in server/xxx/conf/props you will see several login properties files.
Actions

Go to original post