JBoss EAP 5.1 security delay and 403 HTTP errors
carlh Aug 8, 2013 9:56 AM
I am working on an app, ProjectA, using role-name based security constraints that is sometimes returning 403 errors for 3-4 seconds after authenticating with a FORM auth-method. After that time has passed, if I refresh with F5 I no longer get 403 and am able to access the app.
I have 2 WAR apps, ProjectA and ProjectB. ProjectB handles the FORM authentication and presents the user with a list of links after login based on their roles assigned in LDAP. ProjectA is one of those linked apps. Authentication is working fine in ProjectB, and I'm able to see the list of links. There was a failed authenticate() test, but I think that's just because it's trying to redirect back to /ProjectB/ and re-authenticate when it's already been done.
{quote}
2013-07-25 14:05:07,068 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (ajp-0.0.0.0-8009-3) User: myUserName is authenticated
2013-07-25 14:05:07,068 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.Internal_WebApp_Login] (ajp-0.0.0.0-8009-3) getPrincipal, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@207502e8[Subject(684896584).principals=org.jboss.security.SimplePrincipal@1345438177(myUserName)org.jboss.security.SimpleGroup@656234049(Roles(members:role1,role2,role3)),credential.class=java.lang.String@1424389334,expirationTime=1374777252806]
2013-07-25 14:05:07,068 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (ajp-0.0.0.0-8009-3) Mapped from input principal: myUserNameto: myUserName
2013-07-25 14:05:07,068 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (ajp-0.0.0.0-8009-3) End authenticate, principal=GenericPrincipal[myUserName(role1,role2,role3,)]
2013-07-25 14:05:07,068 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (ajp-0.0.0.0-8009-3) Authentication of 'myUserName' was successful
2013-07-25 14:05:07,068 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (ajp-0.0.0.0-8009-3) Redirecting to original '/ProjectB/'
2013-07-25 14:05:07,068 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (ajp-0.0.0.0-8009-3) Failed authenticate() test ??/ProjectB/j_security_check
2013-07-25 14:05:07,068 TRACE [org.jboss.security.SecurityAssociation] (ajp-0.0.0.0-8009-3) clear, server=true
{quote}
Because I have role2 and role3, I am able to see a link for ProjectA. But when I click the link to access ProjectA in one of our environments, often but not always I will get 403 errors, and repeatedly refreshing with F5 until 3-4 seconds pass will let me in. In the attached logs I logged into ProjectB at 14:05:07 and clicked the link 3 times. It 403's at 14:05:08 and 14:05:10, and succeeds at 14:05:11.
I can see the 403 errors in the httpd logs:
{quote}
[25/Jul/2013:14:05:08 -0400] "GET /ProjectA/ HTTP/1.1" 403 1124 "https://problemEnvironment:18000/ProjectB/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2; MS-RTC LM 8)"
[25/Jul/2013:14:05:10 -0400] "GET /ProjectA/ HTTP/1.1" 403 1124 "https://problemEnvironment:18000/ProjectB/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2; MS-RTC LM 8)"
{quote}
I don't see anything in the JBoss logs during that time, which is the same behavior I see when trying to go straight to https://problemEnvironment:18000/ProjectA without going through /ProjectB login first. There's nothing between 14:05:07 and 14:05:11:
{quote}
2013-07-25 14:05:07,341 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] (ajp-0.0.0.0-8009-3) End invoke, caller=GenericPrincipal[myUserName(role1,role2,role3,)]
2013-07-25 14:05:07,341 TRACE [org.jboss.security.SecurityAssociation] (ajp-0.0.0.0-8009-3) clear, server=true
2013-07-25 14:05:07,341 TRACE [org.jboss.security.SecurityRolesAssociation] (ajp-0.0.0.0-8009-3) Setting threadlocal:null
2013-07-25 14:05:07,341 TRACE [org.jboss.security.SecurityRolesAssociation] (ajp-0.0.0.0-8009-3) Setting threadlocal:null
2013-07-25 14:05:11,169 TRACE [org.jboss.security.SecurityRolesAssociation] (ajp-0.0.0.0-8009-3) Setting threadlocal:{}
2013-07-25 14:05:11,169 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (ajp-0.0.0.0-8009-3) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1484bc6c:principalToRoleSetMap{}
2013-07-25 14:05:11,169 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (ajp-0.0.0.0-8009-3) Security checking request GET /ProjectA/
{quote}
The app is working fine without any 403 errors in 2 other environments, and some of the time in the problem environment. The security constraints and roles for the web.xml for the app:
{code:xml}
<security-constraint>
    <display-name>All</display-name>
    <web-resource-collection>
        <web-resource-name>index</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>PROJECT A SECURITY CONSTRAINT</description>
        <role-name>role2</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <display-name>All</display-name>
    <web-resource-collection>
        <web-resource-name>index</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>PROJECT A SECURITY CONSTRAINT</description>
        <role-name>role3</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!--Roles-->
<security-role>
    <description>ProjectASystem</description>
    <role-name>role2</role-name>
</security-role>
<security-role>
    <description>ProjectASystem</description>
    <role-name>role3</role-name>
</security-role>
{code}
and the jboss-web.xml:
{code:xml}
<!DOCTYPE jboss-web PUBLIC
    "-//JBoss//DTD Web Application 5.0//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
    <security-domain>java:/jaas/Internal_WebApp_Login</security-domain>
</jboss-web>
{code}
The projects are running in a cluster in the problem environment, but one of the other 2 environments is also clustered and doesn't get 403 errors. I've compared the openldap, httpd, and jboss config between the problem environment and the other clustered environment and wasn't able to find any noticeable difference.
added formatting to logs and xml to make it easier to read -Carl
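The key observation in the post is that the 403s appear in the httpd access log while JBoss logs no "Security checking request" for them, which is what you would expect if the request was rejected in front of the container rather than by the web.xml constraint. The script below is an added diagnostic, not code from the poster or from JBoss: it correlates 403 responses in access-log lines (in the trimmed form quoted above) with AuthenticatorBase security checks in the JBoss log and reports the 403s that never reached the authenticator. The sample lines are constructed from the post; the one-second matching window and the assumption that both logs use the same local clock are mine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the post (not the poster's full logs).
HTTPD_LOG = """\
[25/Jul/2013:14:05:08 -0400] "GET /ProjectA/ HTTP/1.1" 403 1124 "https://problemEnvironment:18000/ProjectB/" "Mozilla/4.0"
[25/Jul/2013:14:05:10 -0400] "GET /ProjectA/ HTTP/1.1" 403 1124 "https://problemEnvironment:18000/ProjectB/" "Mozilla/4.0"
[25/Jul/2013:14:05:11 -0400] "GET /ProjectA/ HTTP/1.1" 200 5321 "https://problemEnvironment:18000/ProjectB/" "Mozilla/4.0"
"""
JBOSS_LOG = """\
2013-07-25 14:05:07,341 TRACE [org.jboss.security.SecurityAssociation] (ajp-0.0.0.0-8009-3) clear, server=true
2013-07-25 14:05:11,169 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (ajp-0.0.0.0-8009-3) Security checking request GET /ProjectA/
"""

# Access-log lines as quoted in the post: "[timestamp] "METHOD PATH PROTO" STATUS ..."
HTTPD_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Only the container's security-check line is interesting for the correlation.
JBOSS_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \S+ '
                      r'\[org\.apache\.catalina\.authenticator\.AuthenticatorBase\] \S+ '
                      r'Security checking request (?P<method>\S+) (?P<path>\S+)')

def parse_httpd(text):
    """Yield (timestamp, method, path, status) per access-log line; tz offset is dropped
    because the JBoss log carries none (assumed: same local clock on both)."""
    out = []
    for line in text.splitlines():
        m = HTTPD_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'].split()[0], '%d/%b/%Y:%H:%M:%S')
            out.append((ts, m['method'], m['path'], int(m['status'])))
    return out

def parse_jboss_checks(text):
    """Yield (timestamp, method, path) for each 'Security checking request' entry."""
    out = []
    for line in text.splitlines():
        m = JBOSS_RE.match(line)
        if m:
            out.append((datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S,%f'), m['method'], m['path']))
    return out

def unchecked_403s(httpd_text, jboss_text, window=timedelta(seconds=1)):
    """Return 403s from the access log with no JBoss security check for the same
    method/path within `window`: the container never saw them, so the 403 was
    produced in front of it (httpd/mod_jk), not by the web.xml auth-constraint."""
    checks = parse_jboss_checks(jboss_text)
    result = []
    for ts, method, path, status in parse_httpd(httpd_text):
        if status != 403:
            continue
        if not any(m == method and p == path and abs(t - ts) <= window for t, m, p in checks):
            result.append((ts.strftime('%H:%M:%S'), method, path))
    return result
```

Run it over the full httpd and JBoss logs from the same window; a 403 that is listed here is worth chasing in the httpd/mod_jk configuration rather than in the application's security constraints.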