2 Replies Latest reply on Oct 12, 2011 6:30 PM by mandelbr0t

    Yet another JBoss 5.1/EJB3 security question

    mandelbr0t

      I've been all over the web looking for an answer to this question. JBoss 5.1 seems to be outright ignoring the application policy I have defined in login-config.xml. The EJB is secured correctly, but it is using the wrong login mechanism.

      login-config.xml:

      <application-policy name="mine">
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <module-option name="dsJndiName">java:/MyDS</module-option>
          <module-option name="principalsQuery">
            SELECT passwordHash FROM account WHERE email = ?
          </module-option>
          <module-option name="rolesQuery">
            SELECT roleName, 'Roles' FROM account_roles WHERE email = ?
          </module-option>
          <module-option name="hashAlgorithm">MD5</module-option>
          <module-option name="hashEncoding">BASE64</module-option>
          <module-option name="unauthenticatedIdentity">guest</module-option>
        </login-module>
      </application-policy>


      The associated EJB Session bean:

      import javax.annotation.security.DeclareRoles;
      import javax.annotation.security.PermitAll;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.Stateless;

      import org.jboss.ejb3.annotation.RemoteBinding;
      import org.jboss.ejb3.annotation.SecurityDomain; // yes, I am using the correct annotation

      @Stateless
      @RemoteBinding(jndiName="mine/AccountHome/remote")
      @SecurityDomain("mine")            // must match the application-policy name in login-config.xml
      @DeclareRoles({"admin", "member"})
      @RolesAllowed({"admin"})           // class-level default: every method requires "admin" unless overridden
      public class AccountHome implements AccountHomeRemote {
           ...
           @PermitAll                    // overrides the class-level @RolesAllowed for this one method
           public boolean changePassword(Account a, String oldPass, String newPass)  {
                ...
           }
      }


      However, when I try to deploy the EAR containing this EJB JAR, I get the following exception:


      ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
                at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
                at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
                at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
                at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                at java.lang.reflect.Method.invoke(Unknown Source)
                at javax.security.auth.login.LoginContext.invoke(Unknown Source)
      ...


      Why is JBoss trying to load the UsersRolesLoginModule when I have specifically stated that I want to use DatabaseServerLoginModule?

        • 1. Re: Yet another JBoss 5.1/EJB3 security question
          mandelbr0t

          OK, /facepalm for disabling HsqlDbRealm in login-config.xml


          Enabling TRACE logging reveals the following:

          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.PolicyConfig, localName: application-policy
          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.PolicyConfig, AuthenticationInfo: mine
          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: login-module
          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: module-option
          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: module-option
          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: module-option
          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: module-option
          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: module-option
          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: module-option
          2011-10-12 15:42:51,475 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) Added ApplicationPolicy to PolicyConfig, name: mine


          But when connecting from an EJB application client using SecurityClient.setJAAS, the following problem occurs:


          2011-10-12 15:46:15,394 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.mine] (WorkerThread#0[127.0.0.1:58448]) Begin isValid, principal:me@my.ca, cache info: null
          2011-10-12 15:46:15,394 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.mine] (WorkerThread#0[127.0.0.1:58448]) defaultLogin, principal=me@my.ca
          2011-10-12 15:46:15,394 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (WorkerThread#0[127.0.0.1:58448]) Begin getAppConfigurationEntry(mine), size=12
          2011-10-12 15:46:15,394 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (WorkerThread#0[127.0.0.1:58448]) getAppConfigurationEntry(mine), no entry in appConfigs, tyring parentCont: null
          2011-10-12 15:46:15,394 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (WorkerThread#0[127.0.0.1:58448]) getAppConfigurationEntry(mine), no entry in parentConfig, trying: other
          2011-10-12 15:46:15,394 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (WorkerThread#0[127.0.0.1:58448]) End getAppConfigurationEntry(mine), authInfo=AppConfigurationEntry[]:
          [0]


          So, because JBoss can't find the application policy, it is trying "other", which explains the previous post's exception. However, it appears that the login-config.xml was correctly parsed on startup, and did in fact create a policy called "mine". So, what am I missing?

          • 2. Re: Yet another JBoss 5.1/EJB3 security question
            mandelbr0t

            And /facepalm again. The login-module stuff is supposed to be between <authentication> tags. Oops.
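Editor's added example, not part of mandelbr0t's posts: the policy from the first post restated in the shape JBoss 5.1's login-config.xml parser expects, with the broken fragment kept beside it for comparison. The only structural change is the <authentication> element wrapping the <login-module> list, which is what the second reply identifies. That also explains the two earlier observations: the startup TRACE shows "Added ApplicationPolicy to PolicyConfig, name: mine" because the <application-policy> element itself was registered, but with no <authentication> block it carried no AppConfigurationEntry, so getAppConfigurationEntry("mine") came back empty and XMLLoginConfigImpl fell through to the "other" policy, whose stock definition in JBoss 5.1 is UsersRolesLoginModule (hence the users.properties exception). The bare <policy> root element is assumed here in place of the full stock file; queries, JNDI name and options are taken unchanged from the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example (editor's, not the original poster's). Assumes the stock
  conf/login-config.xml root element <policy>; every other policy in the
  stock file is omitted for brevity.
-->
<policy>

  <!--
    Broken, as originally posted: <login-module> placed directly under
    <application-policy>. The policy name is registered but it holds no
    login-module entries, so lookups of "mine" fall back to "other".
  -->
  <!--
  <application-policy name="mine">
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      ... module-options ...
    </login-module>
  </application-policy>
  -->

  <!-- Corrected: login modules live inside <authentication> -->
  <application-policy name="mine">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/MyDS</module-option>

        <!-- principalsQuery: one column, the stored password (hash), keyed by the login name -->
        <module-option name="principalsQuery">
          SELECT passwordHash FROM account WHERE email = ?
        </module-option>

        <!-- rolesQuery: two columns, the role name and the group it belongs to;
             the group must be 'Roles' for @RolesAllowed to see it -->
        <module-option name="rolesQuery">
          SELECT roleName, 'Roles' FROM account_roles WHERE email = ?
        </module-option>

        <!-- submitted password is digested with this algorithm/encoding before comparison -->
        <module-option name="hashAlgorithm">MD5</module-option>
        <module-option name="hashEncoding">BASE64</module-option>

        <!-- callers presenting no credentials are logged in as this principal
             instead of failing authentication -->
        <module-option name="unauthenticatedIdentity">guest</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>
```

Two things to check once the policy actually loads, since they were masked by the fallback to "other". First, unauthenticatedIdentity=guest means a caller who sends no credentials is authenticated as "guest" rather than rejected; the class-level @RolesAllowed("admin") on AccountHome still keeps that principal out of the admin methods, but the @PermitAll changePassword method becomes reachable without credentials, so its own oldPass verification is the only control on it. Second, with only hashAlgorithm and hashEncoding set, the module compares an unsalted digest of the submitted password against passwordHash (a digestCallback module option is the hook JBoss provides for salting), so the account table is holding plain MD5 hashes.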