5 Replies Latest reply on Apr 19, 2012 10:47 PM by maumartinssc

    JAAS Database on Jboss AS 7.1.1.Final

    maumartinssc
    maumartinssc Apr 17, 2012 1:04 PM

      Hello, I have this configuration:

       

      standalone.xml:

       

      <subsystem xmlns="urn:jboss:domain:security:1.1">
          <security-domains>
                <security-domain name="MaterialWeb">
                    <authentication>
                        <login-module code="Database" flag="required">
                            <module-option name="dsJndiName" value="java:jboss/datasources/OracleFloripaMaterialWeb"/>
                            <module-option name="principalsQuery" value="SELECT upper(CA.PKG_ACESSO.F_DECRIPTA(U.PWD)) FROM CA.USUARIO U WHERE U.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?)"/>
                            <module-option name="rolesQuery" value="SELECT TA.SIGLA_TAREFA, 'Roles' FROM CA.TAREFA TA, CA.USUARIO US, CA.A_USUARIO_CLASSE_ACESSO UCA, 
                                                                                           CA.A_CLASSE_ACESSO_TAREFA CAT WHERE US.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?) AND 
                                                                                           UCA.IDN_USUARIO = US.ID_USUARIO AND UCA.IDN_CLASSE_ACESSO = CAT.IDN_CLASSE_ACESSO AND TA.ID_TAREFA = CAT.IDN_TAREFA"/>
                        </login-module>
                    </authentication>
                </security-domain>
       </security-domains>
</subsystem>

       

      jboss-web.xml:

       

      <?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/MaterialWeb</security-domain>   
</jboss-web>

       

       

      web.xml:

       

      <security-constraint>
      <web-resource-collection>
          <web-resource-name>Url de autenticacao</web-resource-name>
          <url-pattern>/material.html</url-pattern>
     </web-resource-collection>
     <auth-constraint>
          <role-name>*</role-name>
     </auth-constraint>
     <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
</security-constraint>
<login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
          <form-login-page>/Login.html</form-login-page>
          <form-error-page>/index.jsp</form-error-page>
     </form-login-config>
</login-config>

       

      and when I try login, show the message: HTTP Status 403 - Access to the requested resource has been denied

      User and pass are corrects. I test both queries (principalsQuery, rolesQuery) and work. Both queries show result correct with my user at pl/sql program.

       

      If I change the standalone.xml

       

      <subsystem xmlns="urn:jboss:domain:security:1.1">
                <security-domains>
                      <security-domain name="MaterialWeb" cache-type="default">
                          <authentication>
                              <login-module code="Database" flag="required">
                                  <module-option name="dsJndiName" value="java:jboss/datasources/OracleFloripaMaterialWeb"/>
                                  <module-option name="principalsQuery" value="SELECT upper(CA.PKG_ACESSO.F_DECRIPTA(U.PWD)) FROM CA.USUARIO U WHERE U.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?)"/>
                                  <module-option name="rolesQuery" value="SELECT TA.SIGLA_TAREFA, 'Roles' FROM CA.TAREFA TA, CA.USUARIO US, CA.A_USUARIO_CLASSE_ACESSO UCA, 
                                                                                                 CA.A_CLASSE_ACESSO_TAREFA CAT WHERE US.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?) AND 
                                                                                                 UCA.IDN_USUARIO = US.ID_USUARIO AND UCA.IDN_CLASSE_ACESSO = CAT.IDN_CLASSE_ACESSO AND TA.ID_TAREFA = CAT.IDN_TAREFA"/>
                                  <module-option name="hashAlgorithm" value="SHA-256"/>
                                  <module-option name="hashEncoding" value="base64"/>
                              </login-module>
                          </authentication>
                      </security-domain>
             </security-domains>
      </subsystem>

       

      JBoss redirect to page: index.jsp configured at web.xml

           <form-error-page>/index.jsp</form-error-page>

       

      This application work  at jboss 5.1, but when I migrated to JBoss 7.1, its didnt work.

      Anyone can help me?

        • 1. Re: JAAS Database on Jboss AS 7.1.1.Final
          wolfgangknauf
          wolfgangknauf Apr 19, 2012 4:58 AM (in response to maumartinssc)

          Hi,

           

          for previous jboss versions, I would have suggested to activate logging of the security layer as described here: https://community.jboss.org/wiki/SecurityFAQ (question 4). But I did not test whether this guide is still valid for AS7. Could you give it a try? If it works, you should see e.g. security errors. Maybe there is something wrong with your config.

          If you succeed in activating the logging, you might update the wiki - probably it needs updates for AS7.

           

          As far as I remember, in "jboss-web.xml" you don't need the "java:/jaas/" prefix, the name of the security domain should be enough.

           

          Hope this helps

           

          Wolfgang

            • Actions
          • 2. Re: JAAS Database on Jboss AS 7.1.1.Final
            maumartinssc
            maumartinssc Apr 19, 2012 4:01 PM (in response to wolfgangknauf)

            Hi Wolfgang,

             

            I activated logging and show these messages bellow, but I understand that login normal in the application and when redirect to original path (page: /material.html) it didnt work.

             

             

            16:05:48,740 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Begin invoke, caller=null
16:05:48,742 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request POST /material/j_security_check
16:05:48,744 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Authenticating username 'ATIMO'
16:05:48,746 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Begin isValid, principal:ATIMO, cache entry: null
16:05:48,749 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, principal=ATIMO
16:05:48,751 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) Begin getAppConfigurationEntry(MaterialWeb), size=4
16:05:48,759 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) End getAppConfigurationEntry(MaterialWeb), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=principalsQuery, value=SELECT upper(CA.PKG_ACESSO.F_DECRIPTA(U.PWD)) FROM CA.USUARIO U WHERE U.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?)
name=dsJndiName, value=java:jboss/datasources/OracleFloripaMaterialWeb
name=rolesQuery, value=SELECT TA.SIGLA_TAREFA, 'Roles' FROM CA.TAREFA TA, CA.USUARIO US, CA.A_USUARIO_CLASSE_ACESSO UCA, CA.A_CLASSE_ACESSO_TAREFA CAT WHERE US.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?) AND UCA.IDN_USUARIO = US.ID_USUARIO AND UCA.IDN_CLASSE_ACESSO = CAT.IDN_CLASSE_ACESSO AND TA.ID_TAREFA = CAT.IDN_TAREFA

16:05:48,775 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) initialize
16:05:48,777 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Security domain: MaterialWeb
16:05:48,778 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) DatabaseServerLoginModule, dsJndiName=java:jboss/datasources/OracleFloripaMaterialWeb
16:05:48,781 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) principalsQuery=SELECT upper(CA.PKG_ACESSO.F_DECRIPTA(U.PWD)) FROM CA.USUARIO U WHERE U.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?)
16:05:48,783 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) rolesQuery=SELECT TA.SIGLA_TAREFA, 'Roles' FROM CA.TAREFA TA, CA.USUARIO US, CA.A_USUARIO_CLASSE_ACESSO UCA, CA.A_CLASSE_ACESSO_TAREFA CAT WHERE US.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?) AND UCA.IDN_USUARIO = US.ID_USUARIO AND UCA.IDN_CLASSE_ACESSO = CAT.IDN_CLASSE_ACESSO AND TA.ID_TAREFA = CAT.IDN_TAREFA
16:05:48,788 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) suspendResume=true
16:05:48,790 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) login
16:05:48,792 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) suspendAnyTransaction
16:05:48,795 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Excuting query: SELECT upper(CA.PKG_ACESSO.F_DECRIPTA(U.PWD)) FROM CA.USUARIO U WHERE U.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?), with username: ATIMO
16:05:48,800 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Obtained user password
16:05:48,801 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) resumeAnyTransaction
16:05:48,803 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) User 'ATIMO' authenticated, loginOk=true
16:05:48,805 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) commit, loginOk=true
16:05:48,808 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) getRoleSets using rolesQuery: SELECT TA.SIGLA_TAREFA, 'Roles' FROM CA.TAREFA TA, CA.USUARIO US, CA.A_USUARIO_CLASSE_ACESSO UCA, CA.A_CLASSE_ACESSO_TAREFA CAT WHERE US.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?) AND UCA.IDN_USUARIO = US.ID_USUARIO AND UCA.IDN_CLASSE_ACESSO = CAT.IDN_CLASSE_ACESSO AND TA.ID_TAREFA = CAT.IDN_TAREFA, username: ATIMO
16:05:48,816 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) suspendAnyTransaction
16:05:48,818 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Excuting query: SELECT TA.SIGLA_TAREFA, 'Roles' FROM CA.TAREFA TA, CA.USUARIO US, CA.A_USUARIO_CLASSE_ACESSO UCA, CA.A_CLASSE_ACESSO_TAREFA CAT WHERE US.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?) AND UCA.IDN_USUARIO = US.ID_USUARIO AND UCA.IDN_CLASSE_ACESSO = CAT.IDN_CLASSE_ACESSO AND TA.ID_TAREFA = CAT.IDN_TAREFA, with username: ATIMO
16:05:48,836 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Assign user to role MAT_CAD_CONVEN
16:05:48,838 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) resumeAnyTransaction
16:05:48,841 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, lc=javax.security.auth.login.LoginContext@c68de1, subject=Subject(167926).principals=org.jboss.security.SimplePrincipal@17630026(ATIMO)org.jboss.security.SimpleGroup@16568366(CallerPrincipal(members:ATIMO))org.jboss.security.SimpleGroup@16568366(Roles(members:MAT_CAD_CONVEN))
16:05:48,846 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) End isValid, true
16:05:48,848 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) User: ATIMO is authenticated
16:05:48,853 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Authentication of 'ATIMO' was successful
16:05:48,855 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Redirecting to original '/material/material.html'
16:05:48,857 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Failed authenticate() test ??/material/j_security_check
16:05:48,859 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) End invoke, caller=null
16:05:48,860 TRACE [org.jboss.security.SecurityRolesAssociation] (http--127.0.0.1-8080-1) Setting threadlocal:null
16:05:48,874 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Begin invoke, caller=null
16:05:48,875 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Restoring principal info from cache
16:05:48,877 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /material/material.html
16:05:48,879 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[Url de autenticacao]' against GET /material.html --> true
16:05:48,881 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling hasUserDataPermission()
16:05:48,882 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   User data constraint has no restrictions
16:05:48,884 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling authenticate()
16:05:48,885 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Restore request from session '1PftschzfSk1mqgGkARkCeZD.undefined'
16:05:48,887 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Authenticated 'ATIMO' with type 'FORM'
16:05:48,889 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Proceed to restored request
16:05:48,890 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling accessControl()
16:05:48,892 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking roles GenericPrincipal[ATIMO(MAT_CAD_CONVEN,)]
16:05:48,894 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) hasResourcePermission:RealmBase says:false::Authz framework says:true:final=false
16:05:48,895 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Failed accessControl() test
16:05:48,897 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) End invoke, caller=null
16:05:48,898 TRACE [org.jboss.security.SecurityRolesAssociation] (http--127.0.0.1-8080-1) Setting threadlocal:null
16:05:48,913 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Begin invoke, caller=null
16:05:48,915 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Restoring principal info from cache
16:05:48,916 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /material/material.html
16:05:48,918 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) We have cached auth type FORM for principal GenericPrincipal[ATIMO(MAT_CAD_CONVEN,)]
16:05:48,920 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[Url de autenticacao]' against GET /material.html --> true
16:05:48,922 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling hasUserDataPermission()
16:05:48,924 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   User data constraint has no restrictions
16:05:48,925 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling authenticate()
16:05:48,927 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Already authenticated 'ATIMO'
16:05:48,928 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling accessControl()
16:05:48,930 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking roles GenericPrincipal[ATIMO(MAT_CAD_CONVEN,)]
16:05:48,931 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) hasResourcePermission:RealmBase says:false::Authz framework says:true:final=false
16:05:48,933 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Failed accessControl() test
16:05:48,935 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) End invoke, caller=null
16:05:48,936 TRACE [org.jboss.security.SecurityRolesAssociation] (http--127.0.0.1-8080-1) Setting threadlocal:null
16:09:26,828 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1334862566828 sessioncount 0
16:09:26,831 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 3 expired sessions: 0
16:09:26,833 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1334862566833 sessioncount 1
16:09:26,835 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 2 expired sessions: 0
16:10:26,844 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1334862626844 sessioncount 0
16:10:26,846 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 2 expired sessions: 0
16:10:26,848 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1334862626848 sessioncount 1
16:10:26,851 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 3 expired sessions: 0
16:11:26,859 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1334862686859 sessioncount 0
16:11:26,861 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 2 expired sessions: 0
16:11:26,863 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1334862686863 sessioncount 1
16:11:26,865 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 2 expired sessions: 0

             

            Att,

             

            Maurício

              • Actions
            • 3. Re: JAAS Database on Jboss AS 7.1.1.Final
              wolfgangknauf
              wolfgangknauf Apr 19, 2012 5:33 PM (in response to maumartinssc)

              That's strange, because the JBoss authentication seems to have worked, but nevertheless the web layer does not allow access.

               

              As I didn't have tested security in AS7, this is new to me, too.

               

              But two ideas:

              1) https://community.jboss.org/wiki/JBossAS7SecurityAuditing has a war file attached. Here, "web.xml" contains an element "realm-name" in the "login-config" element. Maybe this is required now. But I did not find any hints on whether this Realm name is used in any other place. Maybe it just has to be present.


              2) https://community.jboss.org/wiki/JBossAS7SecurityDomainModel links to https://community.jboss.org/wiki/PrimerOnWebSecurityInJBossAS , and here I find this:

               

              {quote}
              In JBoss AS 7.1 and beyond, for the web authorization, the JBoss Authorization Modules are not called until you specify the <use-jboss-authorization/> flag in jboss-web.xml
              {quote}

               

              So, maybe you should try this flag.

               

              But according to the code for "JBossWebRealm.hasResourcePermission" at https://github.com/jbossas/jboss-as/blob/master/web/src/main/java/org/jboss/as/web/security/JBossWebRealm.java seeem to do MORE security checks if this flag is set. So it should work even less with this flag ;-)

               

              Best regards

               

              Wolfgang

                • Actions
              • 4. Re: JAAS Database on Jboss AS 7.1.1.Final
                sfcoy
                sfcoy Apr 19, 2012 9:39 PM (in response to maumartinssc)

                Have a look at Problems with basic authentication with JBoss 7.1.1 and see if you can spot the solution in there...

                  • Actions
                • 5. Re: JAAS Database on Jboss AS 7.1.1.Final
                  maumartinssc
                  maumartinssc Apr 19, 2012 10:47 PM (in response to sfcoy)

                  Hi Stephen, your link solve my problem.

                   

                  But to complement, if you wish keep "*" in your web.xml, add <security-role><role-name>*</role-name></security-role> after </login-config>.

                   

                  Thanks so much Stephen and Wolfgang.

                   

                  Att.

                   

                  Maurício

                  1 of 1 people found this helpful
                    • Actions