0 Replies Latest reply on Mar 13, 2012 6:22 AM by mattdarwin

    java.lang.SecurityException: Unauthenticated caller:null when encrypting datasource passwords in AS 5.0.1GA

    mattdarwin

      I'm trying to encrypt my database password using a JBOSS security domain.  I've followed the instructions in the documentation and it all seems pretty simple.  I'm using jboss 5.0.1GA.  It was working fine before I tried to set up password encryption.

       

      The datasource is defined in oracle-ds.xml as follows:

      <datasources>
        <local-tx-datasource>
          <jndi-name>OracleDS</jndi-name>
          <connection-url>jdbc:oracle:thin:@dbhost:1521:db</connection-url>
          <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>

          <!-- app works fine when you use unencrypted password like this
          <user-name>username</user-name>
          <password>unencrypted_pass</password>
          -->

          <!-- Use the security domain defined in conf/login-config.xml for username and encrypted password-->
          <security-domain>Encrypt-my-Password</security-domain>
          ....etc

       

      The login-config.xml file contains this entry:

      <application-policy name="Encrypt-my-Password">
        <authentication>
          <login-module
              code="org.jboss.resource.security.SecureIdentityLoginModule"
              flag="required">
            <module-option name="username">databaseUsername</module-option>
            <module-option name="password">232487h4873hf4</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
          </login-module>
        </authentication>
      </application-policy>

       

      As soon as I started using this config the application throws an exception as follows when you try to access the datasource:

      java.lang.SecurityException: Unauthenticated caller:null
          org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:92)
          org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:687)
          org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:495)
          org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:941)
          org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:89)
          org.hibernate.connection.DatasourceConnectionProvider.getConnection(DatasourceConnectionProvider.java:92)
          org.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:111)
          org.hibernate.cfg.Configuration.buildSettings(Configuration.java:2101)
          org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1325)
          org.hibernate.cfg.AnnotationConfiguration.buildSessionFactory(AnnotationConfiguration.java:867)
          org.hibernate.ejb.Ejb3Configuration.buildEntityManagerFactory(Ejb3Configuration.java:669)
          org.hibernate.ejb.HibernatePersistence.createEntityManagerFactory(HibernatePersistence.java:126)
          javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:52)
          javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:34)
          com.mycompany.er.batch.data.DbHelper.createEntityManager(DbHelper.java:30)
          com.mycompany.er.batch.data.DbHelper.createAndBegin(DbHelper.java:49)
          com.mycompany.er.basman.HibernateTransactionFilter.doFilter(HibernateTransactionFilter.java:53)
          org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)


      The login-config.xml file contains this entry:

      <application-policy name="Encrypt-my-Password">
        <authentication>
          <login-module
              code="com.mycompany.global.er.util.ErSecureIdentityLoginModule"
              flag="required">
            <module-option name="username">databaseUsername</module-option>
            <module-option name="password">232487h4873hf4</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
          </login-module>
        </authentication>
      </application-policy>

      NB the ErSecureIdentityLoginModule is a class already used to encrypt / decrypt DB passwords in another application, where it works fine.


      I downloaded the source code for jboss 5.0.1GA and debugged with TRACE enabled.  There is an interesting stack trace produced:

      2012-03-12 18-13-40:Login failure
      javax.security.auth.login.LoginException: java.lang.NullPointerException
              at org.jboss.resource.security.SubjectActions$AddPrincipalsAction.run(SubjectActions.java:101)
              at java.security.AccessController.doPrivileged(Native Method)
              at org.jboss.resource.security.SubjectActions.addPrincipals(SubjectActions.java:139)
              at org.jboss.resource.security.ConfiguredIdentityLoginModule.login(ConfiguredIdentityLoginModule.java:98)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              at java.lang.reflect.Method.invoke(Method.java:597)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
              at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
              at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
              at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
              at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
              at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
              at org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:90)

      The NullPointerException refers to this line of code in org.jboss.resource.security.SubjectActions:


      static class AddPrincipalsAction implements PrivilegedAction
      {
         Subject subject;
         Principal p;
         AddPrincipalsAction(Subject subject, Principal p)
         {
            this.subject = subject;
            this.p = p;
         }
         public Object run()
         {
            subject.getPrincipals().add(p);
            return null;
         }
      }

      However this doesn't help much, and I can't understand what I'm doing wrong. Help!
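
      Added example, not part of the original post and not JBoss code: a Python check that the cross-file references in a setup like the one above line up (the security-domain against the application-policy name, and managedConnectionFactoryName against the datasource type and JNDI name), and that no plaintext password remains in the datasource file, including inside a comment. The sample XML is constructed from the post's snippets, the LocalTxCM/XATxCM/NoTxCM mapping is the usual JBoss AS connection-manager naming, and check() is a hypothetical helper; it validates references only and does not diagnose the exception.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample modelled on the post's files; the datasource the post
# truncates with "....etc" is closed here so that it parses.
DS_XML = """<datasources>
  <local-tx-datasource>
    <jndi-name>OracleDS</jndi-name>
    <!-- <password>unencrypted_pass</password> -->
    <security-domain>Encrypt-my-Password</security-domain>
  </local-tx-datasource>
</datasources>"""
LOGIN_XML = """<policy>
  <application-policy name="Encrypt-my-Password">
    <authentication>
      <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

# Connection-manager service that JBoss AS registers per datasource element type.
CM_SERVICE = {"local-tx-datasource": "LocalTxCM", "xa-datasource": "XATxCM",
              "no-tx-datasource": "NoTxCM"}

def check(ds_xml, login_xml):
    """Return a list of findings; an empty list means the two files agree."""
    findings, options = [], {}  # options: policy name -> {module-option: value}
    for pol in ET.fromstring(login_xml).iter("application-policy"):
        options[pol.get("name")] = {o.get("name"): (o.text or "").strip()
                                    for o in pol.iter("module-option")}
    for ds in ET.fromstring(ds_xml):
        jndi = ds.findtext("jndi-name", "").strip()
        domain = ds.findtext("security-domain", "").strip()
        if ds.find("password") is not None:
            findings.append(f"{jndi}: plaintext <password> element in use")
        if not domain:
            continue
        if domain not in options:
            findings.append(f"{jndi}: no application-policy named {domain!r}")
            continue
        want = f"jboss.jca:service={CM_SERVICE.get(ds.tag)},name={jndi}"
        got = options[domain].get("managedConnectionFactoryName")
        if got != want:
            findings.append(f"{jndi}: managedConnectionFactoryName {got!r} != {want!r}")
    # ElementTree drops comments, so scan the raw text for commented-out credentials.
    if re.search(r"<!--(?:(?!-->).)*?<password>", ds_xml, re.S):
        findings.append("commented-out <password> left in datasource file")
    return findings
```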