-
1. Re: Invalid User when calling session bean methods using the CallerIdentityLoginModule.
jaikiran Aug 27, 2013 11:24 PM (in response to rkite01)
Please post the relevant code and the entire exception stacktrace.
P.S: While posting code, xml or log, remember to use the syntax highlighter formatting which is available in the advanced editor (click the "Use advanced editor" on top right corner of the reply window)
-
2. Re: Re: Invalid User when calling session bean methods using the CallerIdentityLoginModule.
rkite01 Sep 6, 2013 1:18 AM (in response to jaikiran)
standalone.xml additions:

    <datasource jndi-name="java:/jdbc/mpsIIDB" pool-name="jdbc/MPSIIDB" enabled="true">
        <connection-url>jdbc:jtds:sqlserver://Belvtssdfuranus:1433/MPSII</connection-url>
        <driver>jtds</driver>
        <security>
            <security-domain>SqlServerDbRealm</security-domain>
        </security>
    </datasource>

    <security-domains>
        <security-domain name="mps-client-login" cache-type="default">
            <authentication>
                <login-module code="org.jboss.security.AltClientLoginModule" flag="required"/>
            </authentication>
        </security-domain>
        <security-domain name="SqlServerDbRealm" cache-type="default">
            <authentication>
                <login-module code="mps.security.authentication.MpsSecureCallerIdentityLoginModule" flag="required" module="mps.security">
                    <module-option name="userName" value="mps_web"/>
                    <module-option name="password" value="-7034c4d611d93b8b515a0a1d12f9517b1be41cfcad87376470b14e07efd20935"/>
                    <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=jdbc/MPSIIDB"/>
                    <module-option name="OverwriteSessions" value="true"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
Web Tier Client Code blows up with the following exception on session bean call
Properties externalServerProperties = userManager30.readMpsAppServersProperties();
    19:43:46,479 ERROR [org.jboss.as.ejb3.invocation] (default task-3) JBAS014134: EJB Invocation failed on component UserManager30Bean for method public abstract java.util.Properties mil.tis.user.UserManager30.readTisAppServersProperties(): javax.ejb.EJBAccessException: JBAS013323: Invalid User
        at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:65) [wildfly-ejb3-8.0.0.Alpha4.jar:8.0.0.Alpha4]
        at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:45) [wildfly-ejb3-8.0.0.Alpha4.jar:8.0.0.Alpha4]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_25]
        at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:88) [wildfly-ejb3-8.0.0.Alpha4.jar:8.0.0.Alpha4]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Alpha4.jar:8.0.0.Alpha4]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Alpha4.jar:8.0.0.Alpha4]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Alpha4.jar:8.0.0.Alpha4]
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:55)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:325)
        at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:428)
        at org.wildfly.security.manager.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:63)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:325)
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_25]
        at org.jboss.invocation.PrivilegedInterceptor.processInvocation(PrivilegedInterceptor.java:75)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
        at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
        at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165)
        at org.jboss.as.ejb3.remote.LocalEjbReceiver.processInvocation(LocalEjbReceiver.java:248) [wildfly-ejb3-8.0.0.Alpha4.jar:8.0.0.Alpha4]
        at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:181) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at org.jboss.ejb.client.EJBObjectInterceptor.handleInvocation(EJBObjectInterceptor.java:58) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at org.jboss.ejb.client.EJBHomeInterceptor.handleInvocation(EJBHomeInterceptor.java:83) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at org.jboss.ejb.client.TransactionInterceptor.handleInvocation(TransactionInterceptor.java:42) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:125) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:253) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:198) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:181) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:144) [jboss-ejb-client-2.0.0.Beta3.jar:2.0.0.Beta3]
        at com.sun.proxy.$Proxy114.readTisAppServersProperties(Unknown Source)
        at mil.tis.session.CurrentUserTisNavigator.getFirstTierTabNavigationBeans(CurrentUserTisNavigator.java:89)
        at mil.tis.jsf.component.AbstractNavigatorPanelBackingBean.getFirstTierTabNavigationBeans(AbstractNavigatorPanelBackingBean.java:107)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_25]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_25]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_25]
        at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_25]
        at javax.el.BeanELResolver.getValue(BeanELResolver.java:363) [javax.el-3.0-b07.jar:3.0-b07]
        at com.sun.faces.el.DemuxCompositeELResolver._getValue(DemuxCompositeELResolver.java:176)
        at com.sun.faces.el.DemuxCompositeELResolver.getValue(DemuxCompositeELResolver.java:203)
        at com.sun.el.parser.AstValue.getValue(AstValue.java:140) [javax.el-3.0-b07.jar:3.0-b07]
        at com.sun.el.parser.AstValue.getValue(AstValue.java:204) [javax.el-3.0-b07.jar:3.0-b07]
        at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:226) [javax.el-3.0-b07.jar:3.0-b07]
        at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:109)
        at com.sun.faces.facelets.component.UIRepeat.getValue(UIRepeat.java:274)
        at com.sun.faces.facelets.component.UIRepeat.getDataModel(UIRepeat.java:250)
        at com.sun.faces.facelets.component.UIRepeat.setIndex(UIRepeat.java:444)
        at com.sun.faces.facelets.component.UIRepeat.doVisitChildren(UIRepeat.java:679)
        at com.sun.faces.facelets.component.UIRepeat.visitTree(UIRepeat.java:637)
        at javax.faces.component.UIComponent.visitTree(UIComponent.java:1740)
        at javax.faces.component.UIComponent.visitTree(UIComponent.java:1740)
        at javax.faces.component.UIComponent.visitTree(UIComponent.java:1740)
        at com.sun.faces.application.ValidateComponentNesting.processEvent(ValidateComponentNesting.java:53)
        at javax.faces.event.SystemEvent.processListener(SystemEvent.java:108)
        at javax.faces.event.ComponentSystemEvent.processListener(ComponentSystemEvent.java:118)
        at com.sun.faces.application.ApplicationImpl.processListeners(ApplicationImpl.java:2187)
        at com.sun.faces.application.ApplicationImpl.invokeListenersFor(ApplicationImpl.java:2163)
        at com.sun.faces.application.ApplicationImpl.publishEvent(ApplicationImpl.java:303)
        at org.jboss.as.jsf.injection.weld.ForwardingApplication.publishEvent(ForwardingApplication.java:294)
        at com.sun.faces.application.view.FaceletViewHandlingStrategy.buildView(FaceletViewHandlingStrategy.java:1002)
        at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:99)
        at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
        at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:219)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:647)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:87)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
        at io.undertow.websockets.jsr.JsrWebSocketFilter.doFilter(JsrWebSocketFilter.java:136)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at io.undertow.websockets.jsr.JsrWebSocketFilter.doFilter(JsrWebSocketFilter.java:136)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at mil.tis.authentication.AbstractAuthenticationFilter.doFilter(AbstractAuthenticationFilter.java:70)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:82)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113)
        at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:52)
        at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
        at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:55)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:65)
        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:70)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
        at org.wildfly.extension.undertow.security.SecurityContextCreationHandler.handleRequest(SecurityContextCreationHandler.java:54)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:207)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:194)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:72)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:128)
        at io.undertow.server.HttpHandlers.executeRootHandler(HttpHandlers.java:36)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:628)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_25]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_25]
        at java.lang.Thread.run(Thread.java:724) [rt.j
*** Web Tier Code ****
The following function call dies with the error at the line -->
Properties externalServerProperties = userManager30.readMpsAppServersProperties();
    public List<AbstractNavigatorBean> getFirstTierTabNavigationBeans() throws Exception {
        try {
            if (insFirstTierTabNavigationBeans == null) {
                // Client-side JAAS login (mps-client-login domain) before the bean lookup
                this.performClientJAASLogin();
                UserManager30 userManager30 = (UserManager30) ApplicationContext.singleton()
                        .lookupSessionBean(UserManager30.class, "UserManager30Bean");
                // This call is the one that raises the Invalid User exception
                Properties externalServerProperties = userManager30.readMpsAppServersProperties();
                CallExternalPassCheckWebService callExternalPassCheckWebService = new CallExternalPassCheckWebService();
                String externalCredential = callExternalPassCheckWebService
                        .retrieveMovementCoordinationServerCredential(externalServerProperties, insPassword);
                insFirstTierTabNavigationBeans = userManager30
                        .retrieveFirstTierTabNavigationBeans(externalCredential, externalServerProperties);
            }
        } catch (Exception ex) {
            log.error(ex.getMessage());
            throw (ex);
        }
        return (insFirstTierTabNavigationBeans);
    }

    public static LoginContext performClientJAASLogin(String login, String password) throws LoginException {
        LoginContext loginContext = null;
        if (login != null) {
            MpsCallBackHandler mpsCallBackHandler = new MpsCallBackHandler(login, password);
            // insMpsClientLogin names the JAAS configuration entry ("mps-client-login")
            loginContext = new LoginContext(insMpsClientLogin, mpsCallBackHandler);
            loginContext.login();
        }
        return (loginContext);
    }

    public class MpsCallBackHandler implements CallbackHandler {
        private static final Logger log = Logger.getLogger(MpsCallBackHandler.class);
        private String userId;
        private char[] password;

        public MpsCallBackHandler(String argName, String argPassword) {
            userId = argName;
            password = argPassword.toCharArray();
        }

        public void handle(Callback[] callbacks) throws java.io.IOException, UnsupportedCallbackException {
            log.debug("handle: in authentication callback handler");
            // Assumes the login module requests a NameCallback first and a PasswordCallback second
            NameCallback nameCallBack = (NameCallback) callbacks[0];
            PasswordCallback passwordCallBack = (PasswordCallback) callbacks[1];
            nameCallBack.setName(userId);
            passwordCallBack.setPassword(password);
        }
    }
*** Middle Tier Code ****
Session Bean
    @Stateless(name = "UserManager30Bean")
    @TransactionAttribute(TransactionAttributeType.REQUIRED)
    @RolesAllowed("mpsUser")   // every method on this bean requires the mpsUser role
    public class UserManager30Bean implements UserManager30 {
        @PersistenceContext(unitName = "mpsEjb30")
        protected EntityManager entityManager;
        private static Logger log = Logger.getLogger(UserManager30Bean.class);

        @Override
        public Properties readMpsAppServersProperties() {
            Properties result = null;
            MpsAppServersProperties mpsAppServersProperties = new MpsAppServersProperties();
            result = mpsAppServersProperties.readMpsAppServersProperties();
            return (result);
        }
    }
Custom call back handler which was made into a JBoss Module
    package mps.security.authentication;

    import org.picketbox.datasource.security.CallerIdentityLoginModule;
    import javax.security.auth.login.LoginException;
    import java.util.Map;
    import java.security.Principal;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import java.security.acl.Group;
    import org.jboss.security.SimpleGroup;
    import org.jboss.security.SimplePrincipal;
    import org.apache.log4j.Logger;
    import java.util.HashMap;
    import mps.encrypt.JBossPasswordEncryptionAlgorithms;

    /**
     * A simple login module that simply associates the principal making the
     * connection request with the actual EIS connection requirements.
     *
     * The type of Principal class used is
     * <code>org.jboss.security.SimplePrincipal.</code>
     * <p>
     *
     * @see org.jboss.resource.security.ConfiguredIdentityLoginModule
     *
     * @author Modified and renamed by Rodney Kite for Mps
     * @version $Revision: 1.0 $
     */
    public class MpsSecureCallerIdentityLoginModule extends CallerIdentityLoginModule {
        private static final Logger log = Logger.getLogger(MpsSecureCallerIdentityLoginModule.class);

        /** Default Constructor */
        public MpsSecureCallerIdentityLoginModule() {
        }

        @Override
        public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
            char[] decodedPassword = null;
            String password = (String) options.get("password");
            Map newOptions = new HashMap(options);
            if (password != null) {
                try {
                    // Decode the encrypted "password" module-option before passing it to the parent module
                    decodedPassword = JBossPasswordEncryptionAlgorithms.decode(password);
                    newOptions.put("password", new String(decodedPassword));
                } catch (Exception e) {
                    log.error("Failed to decode password", e);
                }
            }
            super.initialize(subject, handler, sharedState, newOptions);
        }

        protected Group[] getRoleSets() throws LoginException {
            Group[] groups = new Group[2];
            // Every caller authenticated by this module is granted the mpsUser role
            SimpleGroup rolesGroup = new SimpleGroup("Roles");
            rolesGroup.addMember(new SimplePrincipal("mpsUser"));
            groups[0] = rolesGroup;
            SimpleGroup principlesGroup = new SimpleGroup("CallerPrincipal");
            Principal principal = getIdentity();
            principlesGroup.addMember(new SimplePrincipal(principal.toString()));
            groups[1] = principlesGroup;
            log.debug("getRoleSets called");
            return (groups);
        }
    }
Edited by Jaikiran Pai - (Tried to) fix formatting.
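A callback handler that dispatches on callback type instead of array position, as an added example (not the poster's code and not part of the thread's fix): it targets the same `mps-client-login` JAAS entry shown above, uses only the standard `javax.security.auth` API, and the class name `TypedCallbackHandler` is a hypothetical name chosen here.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Hypothetical JAAS callback handler (added example). Unlike a handler that casts
 * callbacks[0] and callbacks[1], it does not depend on the order in which the login
 * module asks for name and password, and it rejects callback types it does not
 * understand with UnsupportedCallbackException instead of a ClassCastException.
 */
public class TypedCallbackHandler implements CallbackHandler {
    private final String userId;
    private final char[] password;

    public TypedCallbackHandler(String userId, char[] password) {
        this.userId = userId;
        this.password = password.clone(); // private copy, overwritten by wipe()
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(userId);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
            } else {
                // Fail closed on anything unexpected rather than silently ignoring it
                throw new UnsupportedCallbackException(cb, "Unsupported callback: " + cb.getClass().getName());
            }
        }
    }

    /** Overwrite the cached password once the LoginContext no longer needs it. */
    public void wipe() {
        Arrays.fill(password, '\0');
    }

    /**
     * Runs the client-side login against the named JAAS configuration entry
     * ("mps-client-login" in the thread's standalone.xml) and returns the
     * LoginContext so the caller can logout() when the request is done.
     * Both password copies are wiped whether or not the login succeeds.
     */
    public static LoginContext login(String configEntry, String userId, char[] password) throws LoginException {
        TypedCallbackHandler handler = new TypedCallbackHandler(userId, password);
        try {
            LoginContext ctx = new LoginContext(configEntry, handler);
            ctx.login();
            Subject subject = ctx.getSubject();
            if (subject == null) {
                throw new LoginException("Login to " + configEntry + " produced no Subject");
            }
            return ctx;
        } finally {
            handler.wipe();
            Arrays.fill(password, '\0'); // the caller's array too
        }
    }
}
```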
-
3. Re: Invalid User when calling session bean methods using the CallerIdentityLoginModule.
jaikiran Aug 28, 2013 10:12 PM (in response to rkite01)
I intentionally had made a note about formatting in my previous post:
P.S: While posting code, xml or log, remember to use the syntax highlighter formatting which is available in the advanced editor (click the "Use advanced editor" on top right corner of the reply window)
Please do that. It really becomes difficult to focus on the problem when someone just dumps large amount of unformatted code/xml/log in the post.
-
4. Re: Re: Invalid User when calling session bean methods using the CallerIdentityLoginModule.
rkite01 Sep 3, 2013 10:30 AM (in response to jaikiran)
I did the best I could do to format the code. The syntax highlighter does not work with xml.
-
5. Re: Re: Re: Invalid User when calling session bean methods using the CallerIdentityLoginModule.
sfcoy Sep 5, 2013 2:09 AM (in response to rkite01)

    <drivers>
        <driver name="h2" module="com.h2database.h2">
            <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
        </driver>
        <driver name="jtds" module="mps.jtds">
            <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class>
        </driver>
    </drivers>

?
-
6. Re: Re: Re: Invalid User when calling session bean methods using the CallerIdentityLoginModule.
rkite01 Sep 5, 2013 11:41 AM (in response to sfcoy)
jtds is the JDBC driver we use for SqlServer. I put the jtds jar in a module called mps.jtds. This is the exact configuration we use with JBoss 7.1.1.
-
7. Re: Re: Invalid User when calling session bean methods using the CallerIdentityLoginModule.
jaikiran Sep 6, 2013 1:21 AM (in response to rkite01)
Rodney Kite wrote:
I did the best I could do to format the code. The syntax highlighter does not work with xml.
Thank you. I edited that post of yours to fix the rest of the formatting, and yes, I experienced the problem you ran into with formatting that xml and some other parts. It looks like the annoying nature of this forum editor has stayed even in this upgraded version.
I'll take a look at your application problem when I find some time later today and if someone else doesn't get to it first.
-
8. Re: Re: Invalid User when calling session bean methods using the CallerIdentityLoginModule.
rkite01 Oct 8, 2013 5:35 PM (in response to jaikiran)
I upgraded to WildFly 8 Beta 1 and am still having the same problem. Is there a resource that shows an example of using JAAS security on session bean methods?
I can successfully call session bean methods marked as unchecked if the session bean call does not have a client JAAS login call before the session bean construction/lookup. If I call a session bean method which is unchecked after performing the client JAAS login, the invocation fails with the Invalid User exception.
Any session bean methods that have a role attached to them will raise Invalid User exception whether or not a client JAAS login is performed. This is the part I need to figure out. Is this a JBoss Wildfly bug or a change in the way it is configured?