7 Replies Latest reply on May 7, 2013 9:57 AM by fcorneli

    security domain

    fcorneli

      Hi,

      There seems to be some regression in the security domain JAAS login mechanism.

      I use a custom JAX-WS SOAP handler to perform a JAAS login towards a client security domain. Example config:

      <security-domain name="helloworld-client" cache-type="default">
          <authentication>
              <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                  <module-option name="multi-threaded" value="true"/>
                  <module-option name="restore-login-identity" value="true"/>
              </login-module>
          </authentication>
      </security-domain>

      So in my JAX-WS SOAP handler I do something like (actual credentials based on WS-Security stuff):

      import javax.security.auth.login.LoginContext;
      import org.jboss.security.auth.callback.UsernamePasswordHandler;

      // Log in against the client security domain; username and credential come from the WS-Security header.
      UsernamePasswordHandler usernamePasswordHandler = new UsernamePasswordHandler(username, credential);
      LoginContext loginContext = new LoginContext("helloworld-client", usernamePasswordHandler);
      loginContext.login();

      Then in the EJB3 container I have RBAC-protected EJBs. Example:

      @Stateless
      @SecurityDomain("helloworld")
      public class HelloworldBean {
          @RolesAllowed("hello")
          public String hello() {
              return "hello world";
          }
      }

      For this security domain I have a custom JAAS login module, configured as follows:

      <security-domain name="helloworld">
          <authentication>
              <login-module code="be.mypackage.HelloworldLoginModule" flag="required"/>
          </authentication>
      </security-domain>


      HelloworldLoginModule is a straightforward JAAS login module (JBoss style, so with a "Roles" group).


      Now, all of this works fine on JBoss AS 7.1.1.Final, 7.1.2.Final, and 7.1.3.Final.

      But this completely fails on both JBoss EAP 6.1.0.Alpha1 and 6.1.0.Beta1: "Invalid User"


      Anyone else fighting with JBoss EAP 6.1 security domains like I do?

      Kind Regards,
      Frank.

        • 1. Re: security domain
          ctomc

          Hi,

          Is there any exception/stack trace?

          Can you enable trace logging for the org.jboss.as.security and org.jboss.security packages? That will make it easier to track down.

          --

          tomaz

          • 2. Re: security domain
            fcorneli

            The stack trace looks as follows:

            13:58:05,631 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000283: Bad password for username c9a2a64a40c77ddd65b5d5c8751ace1cb2572154
            13:58:05,632 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
                    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.16.Final-redhat-1.jar:4.0.16.Final-redhat-1]

            Logging is not revealing much. Only that the helloworld-client security domain login was performed:

            14:01:13,217 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000350: Module option: jboss.security.security_domain, value: helloworld-client
            14:01:13,217 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000350: Module option: multi-threaded, value: true
            14:01:13,217 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000350: Module option: restore-login-identity, value: true
            14:01:13,217 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000350: Module option: password-stacking, value: null
            • 3. Re: security domain
              fcorneli

              OK, I didn't set the logging to TRACE. With TRACE I get this on the EAP:

              14:04:58,343 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000200: Begin isValid, principal: c9a2a64a40c77ddd65b5d5c8751ace1cb2572154, cache entry: null
              14:04:58,343 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000209: defaultLogin, principal: c9a2a64a40c77ddd65b5d5c8751ace1cb2572154
              14:04:58,344 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000221: Begin getAppConfigurationEntry(other), size: 6
              14:04:58,344 TRACE [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
              [0]
              LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
              ControlFlag: LoginModuleControlFlag: optional
              Options:
              name=password-stacking, value=useFirstPass
              [1]
              LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
              ControlFlag: LoginModuleControlFlag: required
              Options:
              name=password-stacking, value=useFirstPass

              So it seems like the wrong security domain is being picked.

              • 4. Re: security domain
                fcorneli

                Just compiled and tried out JBoss AS 7.2.0.Final. Same result, i.e. the client security domain login is OK, but the EJB3 security domain defaults somehow to "other".

                15:31:40,575 DEBUG [be.fedict.hsm.ws.impl.JAASSOAPHandler] (http-/127.0.0.1:8080-2) JAAS login: c9a2a64a40c77ddd65b5d5c8751ace1cb2572154
                15:31:40,576 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000221: Begin getAppConfigurationEntry(hsm-proxy-client), size: 5
                15:31:40,578 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000224: End getAppConfigurationEntry(hsm-proxy-client), AuthInfo: AppConfigurationEntry[]:
                [0]
                LoginModule Class: org.jboss.security.ClientLoginModule
                ControlFlag: LoginModuleControlFlag: required
                Options:
                name=multi-threaded, value=true
                name=restore-login-identity, value=true
                15:31:40,580 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000350: Module option: jboss.security.security_domain, value: hsm-proxy-client
                15:31:40,580 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000350: Module option: multi-threaded, value: true
                15:31:40,580 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000350: Module option: restore-login-identity, value: true
                15:31:40,580 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000350: Module option: password-stacking, value: null
                15:31:40,581 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000240: Begin login method
                15:31:40,588 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000351: Obtained auth info from handler, principal: c9a2a64a40c77ddd65b5d5c8751ace1cb2572154, credential class: null
                15:31:40,589 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000241: End login method, isValid: true
                15:31:40,589 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000242: Begin commit method, overall result: true
                15:31:40,607 DEBUG [be.fedict.hsm.ws.impl.DigitalSignatureServicePortImpl] (http-/127.0.0.1:8080-2) sign
                15:31:40,607 DEBUG [be.fedict.hsm.ws.impl.DigitalSignatureServicePortImpl] (http-/127.0.0.1:8080-2) no user principal
                15:31:40,608 DEBUG [be.fedict.hsm.ws.impl.DigitalSignatureServicePortImpl] (http-/127.0.0.1:8080-2) digest algo: http://www.w3.org/2000/09/xmldsig#sha1
                15:31:40,608 DEBUG [be.fedict.hsm.ws.impl.DigitalSignatureServicePortImpl] (http-/127.0.0.1:8080-2) key alias: test
                15:31:40,614 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000200: Begin isValid, principal: c9a2a64a40c77ddd65b5d5c8751ace1cb2572154, cache entry: null
                15:31:40,614 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000209: defaultLogin, principal: c9a2a64a40c77ddd65b5d5c8751ace1cb2572154
                15:31:40,615 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000221: Begin getAppConfigurationEntry(other), size: 5
                15:31:40,615 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
                [0]
                LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
                ControlFlag: LoginModuleControlFlag: optional
                Options:
                name=password-stacking, value=useFirstPass
                [1]
                LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
                ControlFlag: LoginModuleControlFlag: required
                Options:
                name=password-stacking, value=useFirstPass
                15:31:40,616 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000236: Begin initialize method
                15:31:40,617 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000240: Begin login method
                15:31:40,619 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000236: Begin initialize method
                15:31:40,619 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000240: Begin login method
                15:31:40,626 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000283: Bad password for username c9a2a64a40c77ddd65b5d5c8751ace1cb2572154
                15:31:40,627 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000244: Begin abort method
                15:31:40,627 TRACE [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000244: Begin abort method
                15:31:40,627 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-2) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
                          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.15.Final.jar:4.0.15.Final]
                • 5. Re: security domain
                  jaikiran

                  What's the import statement for that @SecurityDomain? You should be using @org.jboss.ejb3.annotation.SecurityDomain.

                  • 6. Re: security domain
                    fcorneli

                    Did some more tests; it seems like JBoss AS 7.1.x.Final simply doesn't honor @SecurityDomain and @RolesAllowed at all.

                    • 7. Re: security domain
                      fcorneli

                      Never mind:

                      import org.jboss.ejb3.annotation.SecurityDomain;

                      versus

                      import org.jboss.security.annotation.SecurityDomain;

                      Very funny guys...
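As an added example (not code from the thread or from JBoss), a small reflection check that catches the mistake this thread ends on: it reports bean classes annotated with org.jboss.security.annotation.SecurityDomain, which the EJB3 container does not honor, so @RolesAllowed ends up evaluated against the "other" domain as the traces above show. The class name, method names and the classpath assumption are mine.

```java
import java.lang.annotation.Annotation;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the thread): flags bean classes that carry the PicketBox
// @SecurityDomain instead of the EJB3 one, which the container ignores so the bean
// silently authorizes against the "other" domain. Class and method names are assumed.
public final class SecurityDomainAnnotationCheck {

    static final String EJB3_DOMAIN = "org.jboss.ejb3.annotation.SecurityDomain";
    static final String PICKETBOX_DOMAIN = "org.jboss.security.annotation.SecurityDomain";

    /** Returns findings for one session bean class; an empty list means nothing suspicious. */
    public static List<String> check(Class<?> bean) {
        List<String> findings = new ArrayList<>();
        boolean hasEjb3Domain = false;
        for (Annotation a : bean.getAnnotations()) {
            String name = a.annotationType().getName();
            if (EJB3_DOMAIN.equals(name)) {
                hasEjb3Domain = true;
            } else if (PICKETBOX_DOMAIN.equals(name)) {
                findings.add(bean.getName() + ": " + PICKETBOX_DOMAIN
                        + " is ignored by the EJB3 container; use " + EJB3_DOMAIN);
            }
        }
        // Without the EJB3 annotation (and no jboss-ejb3.xml override, which this check
        // does not read) @RolesAllowed is evaluated against the "other" security domain.
        if (!hasEjb3Domain) {
            findings.add(bean.getName() + ": no " + EJB3_DOMAIN
                    + "; roles will be checked against the \"other\" security domain");
        }
        return findings;
    }

    // Usage: pass the fully qualified bean class names, with the application classes and
    // the JBoss annotation jars on the classpath, e.g. be.mypackage.HelloworldBean.
    public static void main(String[] args) throws ClassNotFoundException {
        for (String className : args) {
            for (String finding : check(Class.forName(className))) {
                System.out.println(finding);
            }
        }
    }
}
```

Running it over the deployment's bean classes in a build step turns the silent fallback into a visible finding before the "Bad password for username" trace shows up in production.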