1 Reply Latest reply on Aug 8, 2013 11:52 AM by carlh

    JBoss EAP 5.1 security delay and 403 HTTP errors

    carlh

      I am working on an app, ProjectA, using role-name based security constraints, that sometimes returns 403 errors for 3-4 seconds after authenticating with a FORM auth-method. After that time has passed, if I refresh with F5 I no longer get 403 and am able to access the app.


      I have 2 WAR apps, ProjectA and ProjectB. ProjectB handles the FORM authentication and presents the user with a list of links after login based on their roles assigned in LDAP. ProjectA is one of those apps linked. Authentication is working fine in ProjectB, and I'm able to see the list of links. There was a failed authenticated() test but I think that's just because it's trying to redirect back to /ProjectB/ and re-authenticate when it's already been done.


      {quote}
      2013-07-25 14:05:07,068 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (ajp-0.0.0.0-8009-3) User: myUserName is authenticated
      2013-07-25 14:05:07,068 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.Internal_WebApp_Login] (ajp-0.0.0.0-8009-3) getPrincipal, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@207502e8[Subject(684896584).principals=org.jboss.security.SimplePrincipal@1345438177(myUserName)org.jboss.security.SimpleGroup@656234049(Roles(members:role1,role2,role3)),credential.class=java.lang.String@1424389334,expirationTime=1374777252806]
      2013-07-25 14:05:07,068 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (ajp-0.0.0.0-8009-3) Mapped from input principal: myUserNameto: myUserName
      2013-07-25 14:05:07,068 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (ajp-0.0.0.0-8009-3) End authenticate, principal=GenericPrincipal[myUserName(role1,role2,role3,)]
      2013-07-25 14:05:07,068 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (ajp-0.0.0.0-8009-3) Authentication of 'myUserName' was successful
      2013-07-25 14:05:07,068 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (ajp-0.0.0.0-8009-3) Redirecting to original '/ProjectB/'
      2013-07-25 14:05:07,068 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (ajp-0.0.0.0-8009-3)  Failed authenticate() test ??/ProjectB/j_security_check
      2013-07-25 14:05:07,068 TRACE [org.jboss.security.SecurityAssociation] (ajp-0.0.0.0-8009-3) clear, server=true
      {quote}

      Because I have role2 and role3, I am able to see a link for ProjectA. But when I click the link to access ProjectA in one of our environments, often but not always I will get 403 errors, and repeatedly refreshing with F5 until 3-4 seconds pass will let me in. In the attached logs I logged into ProjectB at 14:05:07, and clicked the link 3 times. It 403s at 14:05:08 and 14:05:10, and succeeds at 14:05:11.


      I can see the 403 errors in the httpd logs:

      {quote}
      [25/Jul/2013:14:05:08 -0400] "GET /ProjectA/ HTTP/1.1" 403 1124 "https://problemEnvironment:18000/ProjectB/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2; MS-RTC LM 8)"
      [25/Jul/2013:14:05:10 -0400] "GET /ProjectA/ HTTP/1.1" 403 1124 "https://problemEnvironment:18000/ProjectB/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2; MS-RTC LM 8)"
      {quote}

      I don't see anything in the JBoss logs during that time, which is the same behavior I see when trying to go straight to https://problemEnvironment:18000/ProjectA without going through /ProjectB login first. There's nothing between 14:05:07 and 14:05:11:


      {quote}
      2013-07-25 14:05:07,341 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] (ajp-0.0.0.0-8009-3) End invoke, caller=GenericPrincipal[myUserName(role1,role2,role3,)]
      2013-07-25 14:05:07,341 TRACE [org.jboss.security.SecurityAssociation] (ajp-0.0.0.0-8009-3) clear, server=true
      2013-07-25 14:05:07,341 TRACE [org.jboss.security.SecurityRolesAssociation] (ajp-0.0.0.0-8009-3) Setting threadlocal:null
      2013-07-25 14:05:07,341 TRACE [org.jboss.security.SecurityRolesAssociation] (ajp-0.0.0.0-8009-3) Setting threadlocal:null
      2013-07-25 14:05:11,169 TRACE [org.jboss.security.SecurityRolesAssociation] (ajp-0.0.0.0-8009-3) Setting threadlocal:{}
      2013-07-25 14:05:11,169 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (ajp-0.0.0.0-8009-3) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1484bc6c:principalToRoleSetMap{}
      2013-07-25 14:05:11,169 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (ajp-0.0.0.0-8009-3) Security checking request GET /ProjectA/
      {quote}

      The app is working fine without any 403 errors in 2 other environments, and some of the time in the problem environment. The security constraints and roles from the app's web.xml:


      {code:xml}
      <security-constraint>
        <display-name>All</display-name>
        <web-resource-collection>
          <web-resource-name>index</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <description>PROJECT A SECURITY CONSTRAINT</description>
          <role-name>role2</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <security-constraint>
        <display-name>All</display-name>
        <web-resource-collection>
          <web-resource-name>index</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <description>PROJECT A SECURITY CONSTRAINT</description>
          <role-name>role3</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <!--Roles-->
      <security-role>
        <description>ProjectASystem</description>
        <role-name>role2</role-name>
      </security-role>
      <security-role>
        <description>ProjectASystem</description>
        <role-name>role3</role-name>
      </security-role>
      {code}


      and the jboss-web.xml:

      {code:xml}
      <!DOCTYPE jboss-web PUBLIC
         "-//JBoss//DTD Web Application 5.0//EN"
         "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
      <jboss-web>
         <security-domain>java:/jaas/Internal_WebApp_Login</security-domain>
      </jboss-web>
      {code}


      The projects are running in a cluster in the problem environment, but one of the other 2 environments is also clustered and doesn't get 403 errors. I've compared the openldap, httpd, and jboss config between the problem environment and the other clustered environment and wasn't able to find any noticeable difference.


      added formatting to logs and xml to make it easier to read -Carl

        • 1. Re: JBoss EAP 5.1 security delay and 403 HTTP errors
          carlh

          I have access to another WAR app that is using role-based auth in the same environment without 403 errors, which makes me think the problem is due to the app's web.xml security. Here's the web.xml of the other app that isn't having any issues:


          {code:xml}
          <security-constraint>
            <display-name>/*</display-name>
            <web-resource-collection>
              <web-resource-name>/*</web-resource-name>
              <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <description>All authenticated users</description>
              <role-name>role1</role-name>
              <role-name>role4</role-name>
              <role-name>role5</role-name>
            </auth-constraint>
            <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
          </security-constraint>

          <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/loginError.jsp</form-error-page>
            </form-login-config>
          </login-config>
          <security-role>
            <description>Web Central portal</description>
            <role-name>role1</role-name>
          </security-role>
          {code}


          Roles 4 and 5 are specific to this app, and roles 2 and 3 are for ProjectA. role1 is the 'Authenticated' role. The biggest differences are the auth-constraints being separated into separate security-constraint blocks in ProjectA, the general role1 Authenticated role being accepted in the WAR app that isn't giving 403s, and another FORM authentication, similar to that in the ProjectB app.
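As an added example (not carlh's code and not part of JBoss), the script below merges the security-constraint blocks of a web.xml per url-pattern using the Servlet specification's combination rules (constraints on the same pattern permit the union of their named roles, a constraint with no auth-constraint allows unauthenticated access, and an empty auth-constraint denies everyone) and checks whether a principal holding given roles would pass, which is the comparison the two posts above make between ProjectA's split constraints and the other app's single constraint. The embedded web.xml is constructed to mirror ProjectA's two /* constraints; http-method sub-elements are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring ProjectA's web.xml shape from the thread:
# two <security-constraint> blocks on /*, each naming one role.
PROJECT_A_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>role2</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>role3</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def effective_constraints(web_xml):
    """Combine all <security-constraint> blocks per url-pattern the way the
    Servlet spec does (http-method sub-elements are ignored here for brevity).
    Returns {url_pattern: permitted}, where permitted is a set of role names
    ('*' meaning any authenticated user), None when some constraint on that
    pattern has no <auth-constraint> (unauthenticated access allowed), or an
    empty set when an empty <auth-constraint> precludes access entirely."""
    per_pattern = {}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.iter("role-name")}
        for pat in sc.iter("url-pattern"):
            per_pattern.setdefault(pat.text.strip(), []).append(roles)
    merged = {}
    for pat, entries in per_pattern.items():
        if any(e is not None and not e for e in entries):
            merged[pat] = set()          # empty <auth-constraint> wins: deny all
        elif any(e is None for e in entries):
            merged[pat] = None           # a constraint without roles opens it up
        else:
            merged[pat] = set().union(*entries)  # union of the named roles
    return merged


def is_permitted(web_xml, url_pattern, principal_roles):
    """True if a principal holding principal_roles may reach url_pattern."""
    permitted = effective_constraints(web_xml).get(url_pattern)
    if permitted is None:                # no constraint, or unauthenticated ok
        return True
    if "*" in permitted:                 # any authenticated user
        return bool(principal_roles)
    return bool(permitted & set(principal_roles))
```

For the thread's user (role1, role2, role3) the merged result for /* is {role2, role3}, so the split constraints permit the same principals as one constraint listing both roles would.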