6 Replies Latest reply on Jan 5, 2011 12:18 PM by krudorf

    Migrating from JBoss 4 to JBoss 6 - JAAS problems

    krudorf

           Hi,

       

      I have an ear containing two .wars and one jar containing enterprise beans. This setup worked fine on JBoss 4.

       

      When I try to deploy the same application to JBoss 6 (after solving a lot of jar-hell problems and modifying the project structure to be in line with Java EE 6 standards), now I am stuck on JAAS-related problems. First I had "Missing users.properties file" / "Authentication failed". I tried adding to jboss-app and jboss.xml the security-role and security-domain settings (both trying with client-login as security domain and adding my own application policy in serverdir/conf/login-config.xml - using UsersLoginModule, IdentityModule and ConfiguredIdentityModule, all without luck). I have some success when adding the users.properties and roles.properties files to serverdir/conf and specifying my users and roles in those. Then the authentication passes, but then authorization fails.

       

      What is required to change or adapt in a project in order to deploy it successfully to JBoss 6? Can I do without JAAS? I don't even want to use it.

      My project looks like this (the relevant parts I can think of):

       

      MainApplication/META-INF/application.xml describes three modules (Backend.jar) (myservices.jar) (and webapp.war)

      and <security-role>
              <description>My app role</description>
              <role-name>MyRole</role-name>
          </security-role>

       

      In the same dir (META-INF) I have jboss-app with this in it:

      <security-domain>client-login</security-domain>
          <security-role>
              <role-name>MyRole</role-name>
              <principal-name>myuser</principal-name>
          </security-role>

       

      Later I have these:

      WebApp/WEB-INF/jboss-web.xml and web.xml

      What should they contain relating to security issues? I have tried adding the security role and principal-name to jboss-web.xml and so on with no success.

      I have added a users.properties and roles.properties file to the WebAPP/src/ directory, which should be copied to WEB-INF and found there at runtime? But it isn't; then I get "missing users.properties". Where should I put these .properties files in the structure for them to be found on deployment/runtime?

       

      In Backend/META-INF/ I have ejb-jar.xml and jboss.xml. ejb-jar.xml declares in the assembly descriptor a <security-role>MyRole</security-role> and that's it. I have tried adding security-domain to jboss.xml, with and without it, as well as an assembly descriptor with a principal-name in addition to the security-role.

       

      I have turned on logging in deploy/jboss-logging for org.jboss.security and whatever else I found to give me more info. This is what I see in the logs when I add the security-constraint to be client-login in all the jboss-app and jboss-web.xml files.

       

       

      15:01:43,685 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.client-login] (http-127.0.0.1-8080-4) Begin isValid, principal:null, cache info: null
      15:01:43,685 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.client-login] (http-127.0.0.1-8080-4) defaultLogin, principal=null
      15:01:43,685 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-4) Begin getAppConfigurationEntry(client-login), size=11
      15:01:43,686 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-4) End getAppConfigurationEntry(client-login), authInfo=AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.security.ClientLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:
      name=restore-login-identity, value=true

       

      15:01:43,689 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) Security domain: client-login
      15:01:43,689 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) Enabling restore-login-identity mode
      15:01:43,689 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) Begin login
      15:01:43,690 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) Obtained login: null, credential.class: null
      15:01:43,690 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) End login
      15:01:43,690 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) commit, subject=Subject:

       

      later...

      Exception:Insufficient method permissions, principal=null, ejbName=MySessionBean, , method=create, interface=LocalHome, requiredRoles=Roles(), principalRoles=Roles()

      ...REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
              Principal: null
      :role=Roles()

       

      For this specific session bean I have changed the settings in ejb-jar.xml to unchecked.

       

      The problem, I think, is that my application does not authenticate itself correctly with JBoss. How do I do that? Do I need to do it programmatically and call LoginContext.login(bla) whenever my webapp wants to call the EJBs?

      Help?

       

       

      Update: Now I have used the IdentityModule; this is in login-config.xml:

       

      <application-policy name="testIdentity">
            <authentication>
               <login-module code="org.jboss.security.auth.spi.IdentityLoginModule" flag="required">
                  <module-option name="principal">Gavrilo</module-option>
                  <module-option name="roles">MyRole</module-option>
               </login-module>
            </authentication>
         </application-policy>

       

       

      In jboss-app.xml I have added <security-domain>testIdentity</security-domain>

      and the same in jboss-web.xml for the war which calls methods on EJBs. I added the same to jboss.xml.

      The ejb-jar.xml has an assembly-descriptor with role-name set to MyRole for each session bean and <method-intf>Home</method-intf> and <method-name>*</method-name>.

       

      Now I see in the logs:

      16:03:50,038 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-4) initialize
      16:03:50,038 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-4) Security domain: testIdentity
      16:03:50,038 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-4) login
      16:03:50,038 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-4) commit, loginOk=true

      16:03:50,050 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-4) Setting threadlocal:{WebOSS=[WebOSS]}

       

      That's good, I managed to get it to authenticate using the IdentityModule, right?

       

      16:03:50,067 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-4) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
      16:03:50,077 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (http-127.0.0.1-8080-4) method=public abstract businessEntities.DbTimeSessionLocal businessEntities.DbTimeSessionLocalHome.create() throws javax.ejb.CreateException, interface=LocalHome, requiredRoles=Roles()
      16:03:50,077 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (http-127.0.0.1-8080-4) Exception:Insufficient method permissions, principal=null, ejbName=DbTimeSessionEJB, method=create, interface=LocalHome, requiredRoles=Roles(), principalRoles=Roles(MyRole,)
      16:03:50,078 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-4) REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
              Principal: Gavrilo
              Principal: Roles(members:MyRole)
      :role=Roles(WebOSS,)
      16:03:50,078 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-4) Error in authorize:: org.jboss.security.authorization.AuthorizationException: Authorization Failed:

       

      Why does it fail, and why is the bolded null?

        • 1. Re: Migrating from JBoss 4 to JBoss 6 - JAAS problems
          wolfgangknauf

          Hi,

           

          what kind of client tries to access your app? Is it a web client or a standalone Java client?

           

          If it is a web client: how is your authentication configured (form based, basic, ...)?

          If it is an application client: is your authentication "compatible" with question 10 of the security FAQ http://community.jboss.org/wiki/SecurityFAQ

           

          Best regards

           

          Wolfgang

          • 2. Re: Migrating from JBoss 4 to JBoss 6 - JAAS problems
            krudorf

            It's a web app. The enterprise application archive consists of two web archives and one .jar containing the enterprise beans. This is all deployed at once as one big ear file.

             

            The authentication & authorization is done manually in the web app, just plain old servlets + JSP + session and entity beans. The reason to use JAAS at all right now, and not just put <unchecked /> for each session bean, is to migrate to real JAAS sometime in the future.

             

            I would like a way to tell jboss to authenticate the .war as a "myrole" against the .jar.

            • 3. Re: Migrating from JBoss 4 to JBoss 6 - JAAS problems
              wolfgangknauf

              Hi,

               

              you could take a look at the "org.jboss.web.tomcat.security.login.WebAuthentication" class: http://community.jboss.org/wiki/WebAuthentication

               

              So, in one of your servlets, you would call "WebAuthentication.login" with a dummy user/password to authenticate against JAAS.

               

              Hope this helps

               

              Wolfgang

              • 4. Re: Migrating from JBoss 4 to JBoss 6 - JAAS problems
                krudorf

                Hi

                 

                Is there a way to do this without pulling in org.jboss.web... dependencies? Maybe it is a configuration option; I'm not quite sure why this can be put in jboss-app.xml:

                 

                <security-domain>testIdentity</security-domain>
                    <security-role>
                        <role-name>MyRole</role-name>
                        <principal-name>Gavrilo</principal-name>
                    </security-role>

                 

                What's the point of principal-name here? Maybe it can be done by specifying a run-as principal? It says so in the documentation for <assembly-descriptor> in jboss.xml, but I don't see where I can do that.

                • 5. Re: Migrating from JBoss 4 to JBoss 6 - JAAS problems
                  wolfgangknauf

                  Hi,

                   

                  I think that the "security-role" element in "jboss-app.xml" defines a mapping between roles from your login module and role names in your Java EE app.

                   

                  Here is a wiki link about the "run-as" identity. Maybe it is helpful: http://community.jboss.org/wiki/RunAsIdentityCreation

                   

                  Hope this helps

                   

                  Wolfgang

                  • 6. Re: Migrating from JBoss 4 to JBoss 6 - JAAS problems
                    krudorf

                    Hi

                     

                    I have read the RunAsIdentity part and it is not what I want. It seems the IdentityModule suits this purpose better. I'm not going to authenticate actual users of the web application yet; I just want JAAS as a dummy for now. The web application needs to authenticate itself so it can call the EJB parts.

                     

                    This may be a bug, looking at this output when I have TRACE level on the relevant security parts.

                     

                    I specify a security domain to run under for my whole ear application, and I see it is using the identity module which I specified in login-config.xml:

                    <login-module code="org.jboss.security.auth.spi.IdentityLoginModule" flag="required">
                                <module-option name="principal">dummy</module-option>
                                <module-option name="roles">DummyRole</module-option>
                             </login-module>

                     

                    This is in jboss-app.xml, as mentioned above:

                    <security-domain>testIdentity</security-domain>
                        <security-role>
                            <role-name>DummyRole</role-name>
                            <principal-name>dummy</principal-name>
                        </security-role>

                     

                    Begin getAppConfigurationEntry(testIdentity), size=12
                    2011-01-05 17:19:57,633 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-2) End getAppConfigurationEntry(testIdentity), authInfo=AppConfigurationEntry[]:
                    [0]
                    LoginModule Class: org.jboss.security.auth.spi.IdentityLoginModule
                    ControlFlag: LoginModuleControlFlag: required
                    Options:
                    name=principal, value=dummy
                    name=roles, value=DummyRole


                    2011-01-05 17:19:57,635 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-2) initialize
                    2011-01-05 17:19:57,635 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-2) Security domain: testIdentity
                    2011-01-05 17:19:57,635 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-2) login
                    2011-01-05 17:19:57,638 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-2) commit, loginOk=true

                     

                    So the login works OK it seems.

                     

                    However, right after that I get this:

                     

                    2011-01-05 17:19:57,648 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:{dummy=[DummyRole]}
                    2011-01-05 17:19:57,669 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-2) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
                    2011-01-05 17:19:57,684 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (http-127.0.0.1-8080-2) method=public abstract businessEn.DbTimeSessionLocal businessEn.DbTimeSessionLocalHome.create() throws javax.ejb.CreateException, interface=LocalHome, requiredRoles=Roles()
                    2011-01-05 17:19:57,684 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (http-127.0.0.1-8080-2) Exception:Insufficient method permissions, principal=null, ejbName=DbTimeSessionEJB, method=create, interface=LocalHome, requiredRoles=Roles(), principalRoles=Roles(DummyRole,)
                    2011-01-05 17:19:57,685 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-2) REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
                            Principal: dummy
                            Principal: Roles(members:DummyRole)
                    :role=Roles(WebOSS,)
                    2011-01-05 17:19:57,685 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-2) Error in authorize:: org.jboss.security.authorization.AuthorizationException: Authorization Failed:

                     

                    I read the SecurityFAQ and added the ClientLoginModule right after the IdentityModule, and it works as well, but still the principal does not seem to be carried over to the EJB layer. Why is this?

                     

                    Update:

                    I turned on TRACE for org.jboss.ejb.plugins as well and can see this after the lines where the IdentityLoginModule performs a loginOk=true on the security-domain testIdentity:

                     

                    2011-01-05 18:16:52,991 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.testIdentity] (http-127.0.0.1-8080-2) Inserted cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@7c2835c8[Subject(1888782313).principals=org.jboss.security.SimplePrincipal@736043662(dummy)org.jboss.security.SimpleGroup@1180020514(Roles(members:DummyRole)),credential.class=null,expirationTime=1294249564427]
                    2011-01-05 18:16:52,991 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.testIdentity] (http-127.0.0.1-8080-2) End isValid, true
                    2011-01-05 18:16:52,991 TRACE [org.jboss.ejb.plugins.SecurityInterceptor] (http-127.0.0.1-8080-2) Authenticated principal=null in security domain=testIdentity

                     

                    So it seems the IdentityModule or the JaasSecurityManagerBase does not successfully inform the SecurityInterceptor about the authentication?
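An added triage helper, not code from this thread or from JBoss, that reads TRACE lines of the shape quoted in the first and last posts and flags request threads where the login module committed and SecurityRolesAssociation bound a principal and roles, yet the EJB SecurityInterceptor reported principal=null and the call was denied. The sample log is constructed from those line shapes (not the poster's exact output); the function and dictionary names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the TRACE lines quoted in this thread
# (trimmed to the fields the check needs; not the poster's exact log).
SAMPLE_LOG = """\
2011-01-05 17:19:57,638 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] (http-127.0.0.1-8080-2) commit, loginOk=true
2011-01-05 17:19:57,648 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:{dummy=[DummyRole]}
2011-01-05 17:19:57,684 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (http-127.0.0.1-8080-2) Exception:Insufficient method permissions, principal=null, ejbName=DbTimeSessionEJB, method=create, interface=LocalHome, requiredRoles=Roles(), principalRoles=Roles(DummyRole,)
2011-01-05 18:16:52,991 TRACE [org.jboss.ejb.plugins.SecurityInterceptor] (http-127.0.0.1-8080-2) Authenticated principal=null in security domain=testIdentity
15:01:43,690 TRACE [org.jboss.security.ClientLoginModule] (http-127.0.0.1-8080-4) Obtained login: null, credential.class: null
"""

# Matches both timestamp styles seen in the thread (with or without the date).
LINE_RE = re.compile(r"^(?:\d{4}-\d{2}-\d{2} )?\d{2}:\d{2}:\d{2},\d+ TRACE "
                     r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")

def parse_trace(text):
    """Group TRACE messages by request thread as (logger, message) pairs."""
    by_thread = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_thread[m.group("thread")].append((m.group("logger"), m.group("msg")))
    return by_thread

def diagnose(records):
    """Summarise what the web tier authenticated versus what the EJB tier saw."""
    info = {"login_ok": False, "web_principal": None, "ejb_principal": None,
            "principal_roles": [], "denied_ejbs": []}
    for _logger, msg in records:
        if msg == "commit, loginOk=true":           # login module accepted the identity
            info["login_ok"] = True
        m = re.search(r"Setting threadlocal:\{(\w+)=\[", msg)
        if m:                                       # principal/roles bound to the web thread
            info["web_principal"] = m.group(1)
        m = re.search(r"Authenticated principal=(\S+) in security domain", msg)
        if m:                                       # identity the EJB SecurityInterceptor holds
            info["ejb_principal"] = None if m.group(1) == "null" else m.group(1)
        if "Insufficient method permissions" in msg:
            info["denied_ejbs"].append(re.search(r"ejbName=(\w+)", msg).group(1))
            roles = re.search(r"principalRoles=Roles\(([^)]*)\)", msg).group(1)
            info["principal_roles"] = [r for r in roles.split(",") if r]
    return info

def find_propagation_gaps(text):
    """Threads where JAAS login succeeded and roles were bound, yet the EJB tier
    saw principal=null and denied the call: the symptom described in this thread."""
    gaps = []
    for thread, records in sorted(parse_trace(text).items()):
        d = diagnose(records)
        if d["login_ok"] and d["web_principal"] and d["ejb_principal"] is None and d["denied_ejbs"]:
            gaps.append((thread, d["web_principal"], d["principal_roles"], d["denied_ejbs"]))
    return gaps
```

Run it over a server.log with TRACE enabled for org.jboss.security and org.jboss.ejb.plugins; a non-empty result isolates the threads where the identity was lost between the web and EJB tiers, which is the question the last post is asking.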