6 Replies Latest reply on Jul 6, 2012 1:22 PM by jamesmarkchan

    Help with JBoss 6 Login using DatabaseServerLoginModule

    jamesmarkchan

      Hi,

       

      I'm a newbie with JBoss 6 (I do have some experience with GlassFish). I'm wondering if anyone would be willing to help me troubleshoot my login issue with JBoss or suggest a better approach. Basically, I'm getting a ServletException: "Failed to authenticate a principal" when using the DatabaseServerLoginModule.

       

      Here is my setup:

       

          <!-- Security domain "Avengers": one required DatabaseServerLoginModule that reads
               credentials and roles through the java:/jdbc/thor_ds datasource. -->
          <application-policy name = "Avengers">

            <authentication>

              <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">

                 <module-option name = "dsJndiName">java:/jdbc/thor_ds</module-option>

                 <!-- The username is supplied through the ? placeholder; the TRACE output in
                      reply 5 logs the query text and the username separately. -->
                 <module-option name = "principalsQuery">SELECT password FROM usertable WHERE username = ?</module-option>

                 <!-- Here rolesQuery is given as a value attribute. The TRACE output in reply 5
                      shows the module receiving "name=rolesQuery, value=" (empty), and the working
                      config in reply 6 passes the query as element content instead. -->
                 <module-option name="rolesQuery" value="SELECT groupid, 'Roles' FROM grouptable WHERE username=?" />

                 <!--<module-option name="rolesQuery" value="SELECT gt.groupid as 'userRoles', gt.groupid as 'Roles' FROM grouptable as gt WHERE username=?" />-->

                 <!-- The stored password is compared as an MD5 digest in hex form.
                      NOTE(review): plain MD5 with no salt is fast to brute-force and is a weak
                      choice for stored passwords; treat this as a test setup. -->
                 <module-option name="hashAlgorithm">MD5</module-option>

                 <module-option name="hashEncoding">HEX</module-option>

              </login-module>

            </authentication>

          </application-policy>

       

       

      jboss-web.xml

          <!-- Binds the web application to a JAAS security domain. The name after java:/jaas/
               is "Avengers", the same name used by the application-policy in login-config.xml. -->
          <jboss-web>

            <context-root>/Avengers</context-root>

            <security-domain>java:/jaas/Avengers</security-domain>

          </jboss-web>

       

      mysql-init.sql

       

          create table usertable (

              username varchar(128) NOT NULL PRIMARY KEY,

              password varchar(128) NOT NULL,

              email varchar(128) NOT NULL,

              firstname varchar(128) NOT NULL,

              lastname varchar(128) NOT NULL

          );

       

          create table grouptable(

              username varchar(128) NOT NULL,

              groupid  varchar(128) NOT NULL,

              CONSTRAINT GROUP_PK PRIMARY KEY(username, groupid),

              CONSTRAINT USER_FK FOREIGN KEY(username) REFERENCES usertable(username)

                  ON DELETE CASCADE ON UPDATE RESTRICT

          );

       

          insert into usertable(username,password,email,firstname,lastname)

              values ('admin', '21232f297a57a5a743894a0e4a801fc3','','','');

          insert into grouptable(username,groupid) values ('admin', 'USER');

          insert into grouptable(username,groupid) values ('admin', 'ADMIN');

       

      Snippet from web.xml

       

          <!-- /admin/* is limited to callers holding the ADMIN role. -->
          <!-- NOTE(review): none of the constraints in this snippet declares a
               user-data-constraint with a transport-guarantee, so nothing shown here forces
               HTTPS for the FORM login or the protected pages. Confirm TLS is enforced
               elsewhere. -->
          <security-constraint>

              <display-name>Admin</display-name>

              <web-resource-collection>

                  <web-resource-name>Admin Views</web-resource-name>

                  <url-pattern>/admin/*</url-pattern>

              </web-resource-collection>

              <auth-constraint>

                  <role-name>ADMIN</role-name>

              </auth-constraint>

          </security-constraint>

          <!-- /monitor/* and /main/* are open to callers holding USER or ADMIN. -->
          <security-constraint>

              <display-name>Compass Web</display-name>

              <web-resource-collection>

                  <web-resource-name>Monitoring Module</web-resource-name>

                  <url-pattern>/monitor/*</url-pattern>

              </web-resource-collection>

              <web-resource-collection>

                  <web-resource-name>Core Web Module</web-resource-name>

                  <url-pattern>/main/*</url-pattern>

              </web-resource-collection>

              <auth-constraint>

                  <role-name>USER</role-name>

                  <role-name>ADMIN</role-name>

              </auth-constraint>

          </security-constraint>

          <!-- No auth-constraint here: /login/* stays reachable without authentication, which
               the login and error pages need. Anything else placed under /login/ is public too. -->
          <security-constraint>

              <display-name>Login</display-name>

              <web-resource-collection>

                  <web-resource-name>Login Pages</web-resource-name>

                  <url-pattern>/login/*</url-pattern>

              </web-resource-collection>

          </security-constraint>

          <!-- FORM authentication; both the login page and the error page live under /login/. -->
          <login-config>

              <auth-method>FORM</auth-method>

              <realm-name>avengers</realm-name>

              <form-login-config>

                  <form-login-page>/login/login.xhtml</form-login-page>

                  <form-error-page>/login/error.xhtml</form-error-page>

              </form-login-config>

          </login-config>

          <!-- Role names declared here match the groupid values seeded into grouptable
               (ADMIN, USER). -->
          <security-role>

              <description/>

              <role-name>ADMIN</role-name>

          </security-role>

          <security-role>

              <description/>

              <role-name>USER</role-name>

          </security-role>

       

      My UserBean.login()

       

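          /**
           * JSF action that authenticates the submitted username and password against the
           * container's security domain through HttpServletRequest.login().
           *
           * On success the matching MyUser entity is loaded into cUser. On ServletException
           * a generic message is queued for the view and the failure is written to stderr.
           *
           * @return "/main/index.xhtml" on success, "/login/error.xhtml" on failure
           */
          public String login() {
              // username comes from the login form. Replace CR/LF before logging so a crafted
              // value cannot forge additional lines in the server log.
              String loggedName = (username == null) ? null : username.replaceAll("[\\r\\n]", "_");

              System.out.println("user " + loggedName + " is attempting to login...");

              FacesContext context = FacesContext.getCurrentInstance();
              HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
              try {
                  request.login(this.username, this.password);
                  this.cUser = Utils.getEntityManager().find(MyUser.class, username);
                  System.out.println("User " + loggedName + " successfully logged in...");
              } catch (ServletException e) {
                  // request.login() reports bad credentials as ServletException; the Servlet API
                  // also uses it when a caller identity is already established or the login
                  // mechanism does not support username/password. All cases get the same generic
                  // message, so the response does not reveal whether the username exists.
                  context.addMessage(null, new FacesMessage("Invalid Login Credentials"));
                  System.err.println("Invalid Login Credentials");
                  e.printStackTrace();
                  return "/login/error.xhtml";
              }
              // NOTE(review): this.password stays populated after the attempt. If this bean
              // outlives the request, consider clearing it; confirm the bean's scope.

              return "/main/index.xhtml";
          }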

      Any guidance would be greatly welcome.

       

      Thanks!

        • 1. Re: Help with JBoss 6 Login using DatabaseServerLoginModule
          sfcoy

          Is this failing in your login() method above, or somewhere else?

          • 2. Re: Help with JBoss 6 Login using DatabaseServerLoginModule
            ebross

            The failure is in login(), as the stack trace shows, but there is no printout of the following line:

            System.out.println("user "+username+" is attempting to login...");

             

            Did you edit the stack trace? If so, is the username == 'admin'?

            • 3. Re: Help with JBoss 6 Login using DatabaseServerLoginModule
              sfcoy

              Didn't spot the stack trace hiding in there. (It's not necessary to use pastebin on the JBoss forums).

               

              If you add this:

               

              {code:xml}

                 <!-- Troubleshooting aid: TRACE on org.jboss.security.auth writes the login
                      module's options, the executed queries and the attempted username to the
                      server log, as the output in reply 5 shows.
                      NOTE(review): return this category to its normal level once the problem
                      is diagnosed. -->
                 <logger category="org.jboss.security.auth">

                   <level name="TRACE"/>

                 </logger>

              {code}

               

              to your jboss-logging.xml file we should get some hints as to what is happening.

              • 4. Re: Help with JBoss 6 Login using DatabaseServerLoginModule
                ebross

                If you click the " ...Basically i'm getting a ServeletException: Failed to authenticate a principal", you will find login() there.

                 

                 

                • 5. Re: Help with JBoss 6 Login using DatabaseServerLoginModule
                  jamesmarkchan

                  Hi Stephen,

                   

                  I added the trace config and now have more info below. It's interesting that my rolesQuery does not have a value. I'm going to try revising the config file so that rolesQuery is specified the same way as my principalsQuery.

                   

                   

                  09:41:07,091 INFO  [STDOUT] user admin is attempting to login...

                  09:41:07,093 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(Avengers), size=12

                  09:41:07,093 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(Avengers), authInfo=AppConfigurationEntry[]:

                  [0]

                  LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule

                  ControlFlag: LoginModuleControlFlag: required

                  Options:

                  name=principalsQuery, value=SELECT password FROM usertable WHERE username = ?

                  name=dsJndiName, value=java:/jdbc/thor_ds

                  name=rolesQuery, value=

                   

                   

                  09:41:07,153 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize

                  09:41:07,154 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Security domain: Avengers

                  09:41:07,156 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/jdbc/thor_ds

                  09:41:07,158 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=SELECT password FROM usertable WHERE username = ?

                  09:41:07,160 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=

                  09:41:07,163 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendResume=true

                  09:41:07,168 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login

                  09:41:07,202 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction

                  09:41:07,204 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT password FROM usertable WHERE username = ?, with username: admin

                  09:41:07,207 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Obtained user password

                  09:41:07,208 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction

                  09:41:07,210 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] Bad password for username=admin

                  09:41:07,212 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] abort

                  09:41:07,216 ERROR [STDERR] Invalid Login Credentials

                  09:41:07,218 ERROR [STDERR] javax.servlet.ServletException: Failed to authenticate a principal

                  09:41:07,220 ERROR [STDERR]     at org.apache.catalina.connector.Request.login(Request.java:3188)

                  09:41:07,222 ERROR [STDERR]     at org.apache.catalina.connector.RequestFacade.login(RequestFacade.java:1082)

                  09:41:07,224 ERROR [STDERR]     at avenger.UserBean.login(UserBean.java:445)

                  • 6. Re: Help with JBoss 6 Login using DatabaseServerLoginModule
                    jamesmarkchan

                    It is working now! I had to modify the bolded items below, which basically meant specifying the rolesQuery as the content of the module-option element instead of the value attribute, and changing my hash encoding to hex instead of base64. Here is my working login-config.xml file. See the initial post for how not to specify the rolesQuery in JBoss 6. Thank you Stephen for your help.

                     

                       <!-- Working policy for the "Avengers" security domain. Every option is passed
                            as element content, including rolesQuery. -->
                       <application-policy name="Avengers">

                           <authentication>

                              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">

                                 <module-option name="dsJndiName">java:/jdbc/thor_ds</module-option>

                                 <!-- Both queries take the username through the ? placeholder. -->
                                 <module-option name="principalsQuery">SELECT password FROM usertable WHERE username = ?</module-option>

                                 <module-option name="rolesQuery">SELECT groupid, 'Roles' FROM grouptable WHERE username=?</module-option>

                                 <!-- hashAlgorithm and hashEncoding must describe how the value in
                                      usertable.password was produced; the seeded row is a hex MD5 digest.
                                      NOTE(review): plain MD5 with no salt is fast to brute-force and is a
                                      weak choice for stored passwords. A stronger digest and a salt
                                      (the commented digestCallback option below looks like the hook for
                                      that; verify against the module documentation) are worth adopting
                                      before real accounts are stored. -->
                                 <module-option name="hashAlgorithm">MD5</module-option>

                                 <module-option name="hashEncoding">HEX</module-option>

                                 <!-- <module-option name="hashEncoding">base64</module-option> -->

                                 <!-- <module-option name="hashAlgorithm">SHA-1</module-option> -->

                                 <!-- <module-option name="digestCallback">com.myclass.MyDigestCallback</module-option> -->

                              </login-module>

                           </authentication>

                        </application-policy>