Migrating from JBoss 4 to JBoss 6 - JAAS problems
krudorf Jan 4, 2011 10:13 AM

Hi,
I have an ear containing two .wars and one jar containing enterprise beans. This setup worked fine on JBoss 4.
When I try to deploy the same application to JBoss 6 (after solving a lot of jar-hell problems and modifying the project structure to be in line with Java EE 6 standards), now I am stuck on JAAS-related problems. First I had "Missing users.properties file" / "Authentication failed". I tried adding to jboss-app and jboss.xml the security-role and security-domain settings (both trying with client-login as security domain and adding my own application policy in serverdir/conf/login-config.xml - using UsersLoginModule, IdentityModule and ConfiguredIdentityModule all without luck). I have some success when adding the users.properties and roles.properties files to serverdir/conf and in those specifying my users and roles. Then the authentication passes, but then authorization fails.
What is required to change or adapt in a project in order to deploy it successfully to JBoss 6? Can I do without JAAS? I don't even want to use it.
My project looks like this (the relevant parts I can think of):
MainApplication/META-INF/application.xml describes three modules (Backend.jar, myservices.jar and webapp.war) and a security-role:
    <security-role>
        <description>My app role</description>
        <role-name>MyRole</role-name>
    </security-role>
In the same dir (META-INF) I have jboss-app.xml with this in it:
    <security-domain>client-login</security-domain>
    <security-role>
        <role-name>MyRole</role-name>
        <principal-name>myuser</principal-name>
    </security-role>
Later I have these:
WebApp/WEB-INF/jboss-web.xml and web.xml
What should they contain relating to security issues? I have tried adding the security role and principal-name to jboss-web.xml and so on with no success.
I have added a users.properties and roles.properties file to the WebAPP/src/ directory which should be copied to WEB-INF and found there at runtime? But it doesn't, then I get missing users.properties. Where should I put these .properties files in the structure for them to be found on deployment/runtime?
In the Backend/META-INF/ I have ejb-jar.xml and jboss.xml. ejb-jar.xml declares in the assembly descriptor a <security-role><role-name>MyRole</role-name></security-role> and that's it. I have tried adding to jboss.xml security-domain, with and without it, as well as an assembly descriptor with, in addition to security-role, a principal-name.
I have turned on logging in deploy/jboss-logging for org.jboss.security and whatever else I found to give me more info. This is what I see in the logs when I set the security domain to client-login in all the jboss-app.xml and jboss-web.xml files.
15:01:43,685 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.client-login] (http-127.0.0.1-8080-4) Begin isValid, principal:null, cache info: null
15:01:43,685 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.client-login] (http-127.0.0.1-8080-4) defaultLogin, principal=null
15:01:43,685 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-4) Begin getAppConfigurationEntry(client-login), size=11
15:01:43,686 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-4) End getAppConfigurationEntry(client-login), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.ClientLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=restore-login-identity, value=true
15:01:43,689 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) Security domain: client-login
15:01:43,689 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) Enabling restore-login-identity mode
15:01:43,689 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) Begin login
15:01:43,690 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) Obtained login: null, credential.class: null
15:01:43,690 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) End login
15:01:43,690 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) commit, subject=Subject:
later...
Exception:Insufficient method permissions, principal=null, ejbName=MySessionBean, , method=create, interface=LocalHome, requiredRoles=Roles(), principalRoles=Roles()
...REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
Principal: null
:role=Roles()
This specific session bean I have changed the settings for in the ejb-jar.xml to unchecked.
The problem I think is that my application does not authenticate itself correctly with JBoss. How do I do that? Do I need to do it programmatically and call LoginContext.login(bla) whenever my webapp wants to call the ejb-beans?
Help?
Update: Now I have used the IdentityModule; this is in login-config.xml:
    <application-policy name="testIdentity">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.IdentityLoginModule" flag="required">
                <module-option name="principal">Gavrilo</module-option>
                <module-option name="roles">MyRole</module-option>
            </login-module>
        </authentication>
    </application-policy>
In jboss-app.xml I have added <security-domain>testIdentity</security-domain>
and the same in jboss-web.xml for the war which calls methods on ejbs. I added the same to jboss.xml.
The ejb-jar.xml has an assembly-descriptor with role-name set to MyRole for each session bean and <method-intf>Home</method-intf> and <method-name>*</method-name>.
Now I see in the logs:
16:03:50,038 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-4) initialize
16:03:50,038 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-4) Security domain: testIdentity
16:03:50,038 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-4) login
16:03:50,038 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-4) commit, loginOk=true
16:03:50,050 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-4) Setting threadlocal:{WebOSS=[WebOSS]}
That's good, I managed to get it to authenticate using the IdentityModule, right?
16:03:50,067 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-4) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
16:03:50,077 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (http-127.0.0.1-8080-4) method=public abstract businessEntities.DbTimeSessionLocal businessEntities.DbTimeSessionLocalHome.create() throws javax.ejb.CreateException, interface=LocalHome, requiredRoles=Roles()
16:03:50,077 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (http-127.0.0.1-8080-4) Exception:Insufficient method permissions, principal=null, ejbName=DbTimeSessionEJB, method=create, interface=LocalHome, requiredRoles=Roles(), principalRoles=Roles(MyRole,)
16:03:50,078 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-4) REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
Principal: Gavrilo
Principal: Roles(members:MyRole)
:role=Roles(WebOSS,)
16:03:50,078 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-4) Error in authorize:: org.jboss.security.authorization.AuthorizationException: Authorization Failed:
Why does it fail, and why is the bolded null?
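As an added illustration (not part of the post above and not taken from the poster's project), the descriptors below show the standard Java EE declarative-security wiring for the layout the post describes: a method-permission in ejb-jar.xml, a security-domain in jboss.xml and jboss-web.xml, and a security-constraint in web.xml. The domain name testIdentity, the role MyRole and the bean name MySessionBean are taken from the post; the URL pattern /secure/* and the realm name ExampleRealm are assumptions. Two points worth checking against the log excerpts: the EJB spec's method-intf value Home matches only the remote home interface, while the trace reports interface=LocalHome, so a permission granted on Home leaves LocalHome.create with requiredRoles=Roles(); and the web container only runs the login for requests that hit a security-constraint, so a servlet outside any constraint calls the EJB with no caller principal at all.

```xml
<!-- Backend/META-INF/ejb-jar.xml: bean definitions omitted; only the security part is shown -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <assembly-descriptor>
    <security-role>
      <role-name>MyRole</role-name>
    </security-role>

    <!-- Grant MyRole on the LOCAL home and local business interfaces.
         <method-intf>Home</method-intf> alone would not cover LocalHome.create(). -->
    <method-permission>
      <role-name>MyRole</role-name>
      <method>
        <ejb-name>MySessionBean</ejb-name>
        <method-intf>LocalHome</method-intf>
        <method-name>*</method-name>
      </method>
      <method>
        <ejb-name>MySessionBean</ejb-name>
        <method-intf>Local</method-intf>
        <method-name>*</method-name>
      </method>
    </method-permission>

    <!-- Alternative for a bean that really needs no role check: unchecked
         means any caller, authenticated or not, may invoke these methods. -->
    <!--
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>MySessionBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    -->
  </assembly-descriptor>
</ejb-jar>

<!-- Backend/META-INF/jboss.xml: bind the EJB module to the login-config.xml policy -->
<jboss>
  <security-domain>java:/jaas/testIdentity</security-domain>
</jboss>

<!-- WebApp/WEB-INF/jboss-web.xml: same domain for the web tier, so the principal
     established on login is what the EJB container sees on the same thread -->
<jboss-web>
  <security-domain>java:/jaas/testIdentity</security-domain>
</jboss-web>

<!-- WebApp/WEB-INF/web.xml: without a security-constraint no login ever happens -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>   <!-- assumed pattern -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>MyRole</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ExampleRealm</realm-name>    <!-- hypothetical realm name -->
  </login-config>
  <security-role>
    <role-name>MyRole</role-name>
  </security-role>
</web-app>
```

One caveat on the login-config.xml policy quoted in the post: IdentityLoginModule assigns the fixed principal and role list to every caller without checking any credential, so it is a test-only convenience rather than authentication. For a file-based setup that actually verifies users, the module is org.jboss.security.auth.spi.UsersRolesLoginModule, which reads users.properties and roles.properties from the classpath (serverdir/conf, where the post reports it worked, or the deployment's own classes directory).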