-
1. Re: security domain
ctomc May 7, 2013 7:40 AM (in response to fcorneli)
Hi,
Is there any exception/stack trace?
Can you enable trace logging for the org.jboss.as.security and org.jboss.security packages so it will be easier to track it down?
--
tomaz
-
2. Re: security domain
fcorneli May 7, 2013 8:03 AM (in response to ctomc)
The stack trace looks as follows:
13:58:05,631 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000283: Bad password for username c9a2a64a40c77ddd65b5d5c8751ace1cb2572154
13:58:05,632 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.16.Final-redhat-1.jar:4.0.16.Final-redhat-1]
Logging is not revealing much. Only that the helloworld-client security domain login was performed:
14:01:13,217 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000350: Module option: jboss.security.security_domain, value: helloworld-client
14:01:13,217 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000350: Module option: multi-threaded, value: true
14:01:13,217 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000350: Module option: restore-login-identity, value: true
14:01:13,217 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000350: Module option: password-stacking, value: null
-
3. Re: security domain
fcorneli May 7, 2013 8:13 AM (in response to fcorneli)
OK, didn't put the logging in TRACE. Via TRACE I get on the EAP:
14:04:58,343 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000200: Begin isValid, principal: c9a2a64a40c77ddd65b5d5c8751ace1cb2572154, cache entry: null
14:04:58,343 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000209: defaultLogin, principal: c9a2a64a40c77ddd65b5d5c8751ace1cb2572154
14:04:58,344 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000221: Begin getAppConfigurationEntry(other), size: 6
14:04:58,344 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
    [0]
    LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
    ControlFlag: LoginModuleControlFlag: optional
    Options:
    name=password-stacking, value=useFirstPass
    [1]
    LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
    ControlFlag: LoginModuleControlFlag: required
    Options:
    name=password-stacking, value=useFirstPass
So seems like the wrong security domain is being picked.
-
4. Re: security domain
fcorneli May 7, 2013 9:35 AM (in response to fcorneli)
Just compiled and tried out JBoss AS 7.2.0.Final. Same result, i.e. the client security domain login is OK, but the EJB3 security domain defaults somehow to "other".
15:31:40,575 DEBUG [be.fedict.hsm.ws.impl.JAASSOAPHandler] (http-/127.0.0.1:8080-2) JAAS login: c9a2a64a40c77ddd65b5d5c8751ace1cb2572154
15:31:40,576 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000221: Begin getAppConfigurationEntry(hsm-proxy-client), size: 5
15:31:40,578 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000224: End getAppConfigurationEntry(hsm-proxy-client), AuthInfo: AppConfigurationEntry[]:
    [0]
    LoginModule Class: org.jboss.security.ClientLoginModule
    ControlFlag: LoginModuleControlFlag: required
    Options:
    name=multi-threaded, value=true
    name=restore-login-identity, value=true
15:31:40,580 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000350: Module option: jboss.security.security_domain, value: hsm-proxy-client
15:31:40,580 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000350: Module option: multi-threaded, value: true
15:31:40,580 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000350: Module option: restore-login-identity, value: true
15:31:40,580 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000350: Module option: password-stacking, value: null
15:31:40,581 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000240: Begin login method
15:31:40,588 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000351: Obtained auth info from handler, principal: c9a2a64a40c77ddd65b5d5c8751ace1cb2572154, credential class: null
15:31:40,589 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000241: End login method, isValid: true
15:31:40,589 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000242: Begin commit method, overall result: true
15:31:40,607 DEBUG [be.fedict.hsm.ws.impl.DigitalSignatureServicePortImpl] (http-/127.0.0.1:8080-2) sign
15:31:40,607 DEBUG [be.fedict.hsm.ws.impl.DigitalSignatureServicePortImpl] (http-/127.0.0.1:8080-2) no user principal
15:31:40,608 DEBUG [be.fedict.hsm.ws.impl.DigitalSignatureServicePortImpl] (http-/127.0.0.1:8080-2) digest algo: http://www.w3.org/2000/09/xmldsig#sha1
15:31:40,608 DEBUG [be.fedict.hsm.ws.impl.DigitalSignatureServicePortImpl] (http-/127.0.0.1:8080-2) key alias: test
15:31:40,614 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000200: Begin isValid, principal: c9a2a64a40c77ddd65b5d5c8751ace1cb2572154, cache entry: null
15:31:40,614 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000209: defaultLogin, principal: c9a2a64a40c77ddd65b5d5c8751ace1cb2572154
15:31:40,615 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000221: Begin getAppConfigurationEntry(other), size: 5
15:31:40,615 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
    [0]
    LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
    ControlFlag: LoginModuleControlFlag: optional
    Options:
    name=password-stacking, value=useFirstPass
    [1]
    LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
    ControlFlag: LoginModuleControlFlag: required
    Options:
    name=password-stacking, value=useFirstPass
15:31:40,616 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000236: Begin initialize method
15:31:40,617 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000240: Begin login method
15:31:40,619 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000236: Begin initialize method
15:31:40,619 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000240: Begin login method
15:31:40,626 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000283: Bad password for username c9a2a64a40c77ddd65b5d5c8751ace1cb2572154
15:31:40,627 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000244: Begin abort method
15:31:40,627 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000244: Begin abort method
15:31:40,627 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.15.Final.jar:4.0.15.Final]
-
5. Re: security domain
jaikiran May 7, 2013 9:40 AM (in response to fcorneli)
What's the import statement for that @SecurityDomain? You should be using @org.jboss.ejb3.annotation.SecurityDomain.
-
6. Re: security domain
fcorneli May 7, 2013 9:42 AM (in response to fcorneli)
Did some more tests, seems like JBoss AS 7.1.x.Final simply doesn't honor @SecurityDomain and @RolesAllowed at all.
-
7. Re: security domain
fcorneli May 7, 2013 9:57 AM (in response to fcorneli)
Never mind:
import org.jboss.ejb3.annotation.SecurityDomain;
versus
import org.jboss.security.annotation.SecurityDomain;
Very funny guys...
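
Added example, not part of the original thread: a small Python check for the symptom visible in the TRACE output above, where a PBOX000221 lookup resolves the "other" domain instead of the application's own domain and a PBOX000283 follows on the same request thread. The function and parameter names are hypothetical; the first four sample lines are copied from the thread and the last one is constructed.

```python
import re

# First four lines copied from the thread's TRACE output; the last is constructed.
SAMPLE_LOG = """\
15:31:40,576 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000221: Begin getAppConfigurationEntry(hsm-proxy-client), size: 5
15:31:40,589 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000241: End login method, isValid: true
15:31:40,615 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000221: Begin getAppConfigurationEntry(other), size: 5
15:31:40,626 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000283: Bad password for username c9a2a64a40c77ddd65b5d5c8751ace1cb2572154
15:31:41,002 TRACE [org.jboss.security] (http-/127.0.0.1:8080-3) PBOX000221: Begin getAppConfigurationEntry(hsm-proxy-client), size: 5
"""

# timestamp, level, [logger], (thread), PBOX code, message
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d,\d{3})\s+(?P<level>\w+)\s+\[(?P<logger>[^\]]+)\]\s+"
    r"\((?P<thread>[^)]+)\)\s+(?P<code>PBOX\d{6}):\s+(?P<msg>.*)$")
DOMAIN = re.compile(r"getAppConfigurationEntry\((?P<domain>[^)]*)\)")


def find_domain_fallbacks(log_text, expected_domains, fallback="other"):
    """Return lookups that resolved `fallback` although it is not an expected domain.

    Each finding records the thread, the lookup timestamp, and whether a
    PBOX000283 (bad password) followed on that thread before its next lookup.
    """
    findings = []
    pending = {}  # thread -> finding still waiting for a possible login failure
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation line of a multi-line entry (AuthInfo dump, stack frame)
        thread, code = m["thread"], m["code"]
        if code == "PBOX000221":
            pending.pop(thread, None)  # a new lookup closes the previous one
            d = DOMAIN.search(m["msg"])
            if d and d["domain"] == fallback and fallback not in expected_domains:
                finding = {"thread": thread, "ts": m["ts"],
                           "domain": fallback, "login_failed": False}
                findings.append(finding)
                pending[thread] = finding
        elif code == "PBOX000283" and thread in pending:
            pending[thread]["login_failed"] = True
    return findings


if __name__ == "__main__":
    for f in find_domain_fallbacks(SAMPLE_LOG, {"hsm-proxy-client"}):
        print(f)
```

A finding with login_failed set matches the pattern in the thread; the fix reported there was the import of the @SecurityDomain annotation, not a change to the domain configuration.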