12 Replies Latest reply on Nov 13, 2011 9:30 AM by jaikiran

    JBoss 7: Using encrypted datasource password

    juergen.zimmermann

      In JBoss 6 I'm using an encrypted datasource password specified in a file *-jboss-beans.xml. Now I tried the following in standalone/configuration/standalone.xml of JBoss 7:

       

      a) Inside the datasource tag:

      <security>
         <security-domain>verschluesseltesDbPassword</security-domain>
      </security>

      b) Inside the security-domains tag:

      <security-domain name="verschluesseltesDbPassword" cache-type="default">
        <authentication>
          <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
            <module-option name="username" value="swe2"/>
            <module-option name="password" value="..."/>
            <module-option name="managedConnectionFactoryName" value="jboss.jca:name=swe2DS,service=LocalTxCM"/>
          </login-module>
        </authentication>
      </security-domain>

       

      However, I get the following error message when launching the JBoss server. Any hint is appreciated!

      11:03:57,206 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) Exception during createSubject()Unauthenticated caller:null: java.lang.SecurityException: Unauthenticated caller:null
          at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:83)
          at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:979)
          at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:959)
          at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_26]
          at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:958)
          at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:507)
          at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:246)
          at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:241)
          at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:105)
          at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1675)
          at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_26]
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_26]
          at java.lang.Thread.run(Thread.java:662) [:1.6.0_26]

        • 1. Re: JBoss 7: Using encrypted datasource password
          jaikiran

          This looks like a bug. Can you please file a JIRA for this here https://issues.jboss.org/browse/AS7

          • 2. Re: JBoss 7: Using encrypted datasource password
            juergen.zimmermann
            • 3. Re: JBoss 7: Using encrypted datasource password
              mmoyses

              Hi Juergen,

              can you please enable trace level logging for org.jboss.security and paste it here?

              • 4. Re: JBoss 7: Using encrypted datasource password
                juergen.zimmermann

                Here is the stacktrace (meanwhile we changed 2 names, namely swe2DS -> jboss/datasources/SweDS and username swe2 -> swe):

                 

                19:38:46,093 INFO  [org.jboss.as.connector.subsystems.datasources] (Controller Boot Thread) Deploying JDBC-compliant driver class org.h2.Driver (version 1.2)
                19:38:46,103 INFO  [org.jboss.as.connector.subsystems.datasources] (Controller Boot Thread) Deploying non-JDBC-compliant driver class com.mysql.jdbc.Driver (version 5.1)
                19:38:46,111 INFO  [org.jboss.as.connector.subsystems.datasources] (Controller Boot Thread) Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.1)
                19:38:46,122 INFO  [org.jboss.as.clustering.infinispan.subsystem] (Controller Boot Thread) Activating Infinispan subsystem.
                19:38:46,261 INFO  [org.jboss.as.naming] (Controller Boot Thread) Activating Naming Subsystem
                19:38:46,283 INFO  [org.jboss.as.naming] (MSC service thread 1-3) Starting Naming Service
                19:38:46,301 INFO  [org.jboss.as.osgi] (Controller Boot Thread) Activating OSGi Subsystem
                19:38:46,323 INFO  [org.jboss.as.security] (Controller Boot Thread) Activating Security Subsystem
                19:38:46,343 INFO  [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 3.2.0.Beta2
                19:38:46,421 INFO  [org.xnio] (MSC service thread 1-1) XNIO Version 3.0.0.Beta3
                19:38:46,442 INFO  [org.xnio.nio] (MSC service thread 1-1) XNIO NIO Implementation Version 3.0.0.Beta3
                19:38:46,849 INFO  [org.apache.catalina.core.AprLifecycleListener] (MSC service thread 1-3) An older version 1.1.20 of the Apache Tomcat Native library is installed, while Tomcat recommends version greater then 1.1.21
                19:38:46,857 INFO  [org.jboss.as.ee] (Controller Boot Thread) Activating EE subsystem
                19:38:47,071 INFO  [org.jboss.as.jmx.JMXConnectorService] (MSC service thread 1-2) Starting remote JMX connector
                19:38:47,103 INFO  [org.jboss.as.remoting] (MSC service thread 1-1) Listening on /127.0.0.1:9999
                19:38:47,444 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-2) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@1734b48
                19:38:47,445 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-1) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@1249e1a
                19:38:47,445 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-4) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@1495bb8
                19:38:47,492 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-4) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@9ba045
                19:38:47,494 INFO  [org.jboss.as.connector] (MSC service thread 1-4) Starting JCA Subsystem (JBoss IronJacamar 1.0.0.CR2)
                19:38:47,538 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) Bound data source [java:jboss/datasources/ExampleDS]
                19:38:47,539 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) Bound data source [java:jboss/datasources/SwaDS]
                19:38:47,601 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-1) Begin isValid, principal:null, cache entry: null
                19:38:47,601 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-1) defaultLogin, principal=null
                19:38:47,603 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (MSC service thread 1-1) Begin getAppConfigurationEntry(verschluesseltesDbPassword), size=4
                19:38:47,718 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (MSC service thread 1-1) End getAppConfigurationEntry(verschluesseltesDbPassword), authInfo=AppConfigurationEntry[]:
                [0]
                LoginModule Class: org.jboss.resource.security.SecureIdentityLoginModule
                ControlFlag: Anmeldemodul-Steuerflag: required
                Options:
                name=managedConnectionFactoryName, value=jboss.jca:name=jboss/datasources/sweDS,service=LocalTxCM
                name=username, value=swe
                name=password, value=****

                19:38:47,729 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-1) Login failure: javax.security.auth.login.LoginException: Die Anmeldemodulklasse kann nicht gefunden werden: org/jboss/resource/security/SecureIdentityLoginModule
                at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808) [:1.6.0_26]
                at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [:1.6.0_26]
                at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [:1.6.0_26]
                at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_26]
                at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [:1.6.0_26]
                at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [:1.6.0_26]
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:411)
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:345)
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:154)
                at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:82)
                at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:979)
                at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:959)
                at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_26]
                at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:958)
                at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:507)
                at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:246)
                at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:241)
                at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:105)
                at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1765)
                at org.jboss.msc.service.ServiceControllerImpl$ClearTCCLTask.run(ServiceControllerImpl.java:2291)
                at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_26]
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_26]
                at java.lang.Thread.run(Thread.java:662) [:1.6.0_26]
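
Added example (not part of the thread and not JBoss code): the ERROR line only reports `Unauthenticated caller:null`, while the cause appears in the `org.jboss.security` TRACE output posted above. This Python script pairs each `Login failure` line with the security domain and login-module class resolved just before it; the input is an excerpt of that trace, and the function and field names are hypothetical.

```python
import re

# Excerpt of the TRACE output posted in reply 4 above (stack frames dropped).
SAMPLE = """\
19:38:47,603 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (MSC service thread 1-1) Begin getAppConfigurationEntry(verschluesseltesDbPassword), size=4
19:38:47,718 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (MSC service thread 1-1) End getAppConfigurationEntry(verschluesseltesDbPassword), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.resource.security.SecureIdentityLoginModule
ControlFlag: Anmeldemodul-Steuerflag: required
Options:
name=managedConnectionFactoryName, value=jboss.jca:name=jboss/datasources/sweDS,service=LocalTxCM
name=username, value=swe
name=password, value=****
19:38:47,729 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-1) Login failure: javax.security.auth.login.LoginException: Die Anmeldemodulklasse kann nicht gefunden werden: org/jboss/resource/security/SecureIdentityLoginModule
"""

DOMAIN = re.compile(r"End getAppConfigurationEntry\(([^)]+)\)")
MODULE = re.compile(r"^\s*LoginModule Class:\s*(\S+)")
FAILURE = re.compile(r"Login failure: ([\w.$]+): (.*)$")

def triage(log_text):
    """Pair each 'Login failure' TRACE line with the security domain and the
    login-module classes that were listed for that domain just before it."""
    findings, domain, modules = [], None, []
    for line in log_text.splitlines():
        if m := DOMAIN.search(line):
            # A new domain lookup starts a fresh list of module classes.
            domain, modules = m.group(1), []
        elif m := MODULE.match(line):
            modules.append(m.group(1))
        elif m := FAILURE.search(line):
            exc, msg = m.groups()
            # In the thread's trace the class that failed to load is written
            # with slashes, so compare against the slash form of each class.
            missing = [c for c in modules if c.replace(".", "/") in msg]
            findings.append({"domain": domain, "exception": exc,
                             "modules": list(modules), "unloadable": missing})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
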

                • 5. Re: JBoss 7: Using encrypted datasource password
                  juergen.zimmermann

                  The missing class org/jboss/resource/security/SecureIdentityLoginModule cannot be found inside the JBossAS 7 distribution (I'm currently using Jenkins build 1402) and at https://repository.jboss.org/nexus/index.html

                  • 6. Re: JBoss 7: Using encrypted datasource password
                    jesper.pedersen

                    Marcus, if you change the LoginModule locations we don't use org.jboss.resource anymore for JCA. It is org.jboss.jca now.

                    But I think it would be best to move them to a security-specific package name - like say, org.picketbox.loginmodule.

                    • 7. Re: JBoss 7: Using encrypted datasource password
                      juergen.zimmermann

                      SecureIdentityLoginModule is in %JBOSS_HOME%\modules\org\picketbox\main\picketbox-4.0.0.CR1.jar

                      • 8. Re: JBoss 7: Using encrypted datasource password
                        mmoyses

                        Yes, the class is there, but there is a classloading issue preventing it from being found. I will fix it for future versions.

                        • 9. Re: JBoss 7: Using encrypted datasource password
                          mechevar

                          Just want to add that I too ran into this exact same issue as well.  If any of the nightly builds address this issue, I certainly would like to know.  Thanks.

                           

                          http://community.jboss.org/message/618489#618489

                          • 10. Re: JBoss 7: Using encrypted datasource password
                            mmoyses

                            I sent a pull request for https://issues.jboss.org/browse/AS7-1072 that should fix this. As soon as it's merged upstream you will be able to do a snapshot build.

                            • 11. Re: JBoss 7: Using encrypted datasource password
                              redmond007

                              I'm trying to use encrypted data source passwords and I'm receiving the same

                              Exception during createSubject()Unauthenticated caller:null: java.lang.SecurityException: Unauthenticated caller:null

                              error that the original poster was receiving.

                              I'm running JBoss AS 7.0.0 Final. Should this issue be fixed in my version? Is there any available version that I can use to fix this problem? Thank you!

                              • 12. Re: JBoss 7: Using encrypted datasource password
                                jaikiran

                                Looking at the commit logs, it didn't make it to 7.0.0. Try this against 7.0.2 which has been released some time back.