0 Replies Latest reply on Feb 19, 2014 11:28 AM by max_kuffs

DatabaseLoginModule - User has no Roles

max_kuffs Feb 19, 2014 11:28 AM

Hello,

I am migrating from jboss 7 to wildfly and when i am calling a rest service which is protected by @RolesAllowed("ADMIN") i get the following error:

13:46:44,359 ERROR [org.jboss.as.ejb3.invocation] (default task-1) JBAS014134: EJB Invocation failed on component TestFacade for method public java.lang.String net.dice.facade.TestFacade.generateTestdata(): javax.ejb.EJBAccessException: JBAS013323: Invalid User

at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]

at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]

at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)

at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)

at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)

at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)

at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)

at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)

at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)

at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)

at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)

at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)

at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)

at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)

at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)

at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)

at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)

at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:73)

at net.dice.facade.TestFacade$$$view3.generateTestdata(Unknown Source) [classes:]

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_51]

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_51]

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_51]

at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51]

at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.6.Final.jar:]

at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280) [resteasy-jaxrs-3.0.6.Final.jar:]

at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234) [resteasy-jaxrs-3.0.6.Final.jar:]

at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221) [resteasy-jaxrs-3.0.6.Final.jar:]

at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.6.Final.jar:]

at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.6.Final.jar:]

at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.6.Final.jar:]

at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.6.Final.jar:]

at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.6.Final.jar:]

at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at net.dice.filter.DiceFilter.doFilter(DiceFilter.java:48) [classes:]

at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)

at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:52) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)

at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]

at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]

My Rest Service (if i split the rest service and the EJB i still get this error):

@Stateless

@Path("testdata")

@RolesAllowed({ "ADMIN" })

public class TestFacade extends GenericService {

web.xml:

<security-constraint>

<web-resource-collection>

<web-resource-name>REST services</web-resource-name>

<url-pattern>/rest/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>ADMIN</role-name>

<role-name>USER</role-name>

</auth-constraint>

</security-constraint>

<login-config>

<auth-method>BASIC</auth-method>

<realm-name>dice</realm-name>

</login-config>

<security-role>

<role-name>ADMIN</role-name>

</security-role>

<security-role>

<role-name>USER</role-name>

</security-role>

My standalone.xml:

<security-domain name="dice">

<login-module code="Database" flag="required">

<module-option name="dsJndiName" value="java:/jdbc/dice"/>

<module-option name="principalsQuery" value="select passwordHash from player where lower(playertag)= lower(?)"/>

<module-option name="rolesQuery" value="select role, 'Roles' from playerrole pr join player p on (pr.player_id = p.id) where lower(p.playertag)= lower(?)"/>

<module-option name="unauthenticatedIdentity" value="guest"/>

<module-option name="hashAlgorithm" value="SHA-256"/>

<module-option name="hashEncoding" value="base64"/>

</login-module>

</authentication>

</security-domain>

The query for the roles returns: ADMIN, Roles (like mentioned in the spec)

The strange thing is when i remove the @RolesAllowed and check the Roles of the User with isCallerInRole(String) he has the admin role.

System.out.println(ctx.isCallerInRole("ADMIN")); // true

System.out.println(ctx.isCallerInRole("USER")); // false (is ok. he is just admin)

System.out.println(ctx.isCallerInRole("USERdsd")); // false (nonexisting role)

This really makes me wonder if i have found a bug or done something wrong. This config worked under jboss 7 without any problem.

best regards,

UPDATE:

The trace shows some detailes information. It seems that it finds the ADMIN role to the user max_kuffs, but later it fails.

Any hints?

2014-02-19 13:23:48,158 TRACE [org.jboss.security] (default task-1) PBOX000236: Begin initialize method

2014-02-19 13:23:48,158 TRACE [org.jboss.security] (default task-1) PBOX000237: Saw unauthenticated indentity: guest

2014-02-19 13:23:48,158 DEBUG [org.jboss.security] (default task-1) PBOX000281: Password hashing activated, algorithm: SHA-256, encoding: base64, charset: null, callback: null, storeCallBack: null

2014-02-19 13:23:48,158 TRACE [org.jboss.security] (default task-1) PBOX000262: Module options [dsJndiName: java:/jdbc/dice, principalsQuery: select passwordHash from player where lower(playertag)= lower(?), rolesQuery: select role, 'Roles' from playerrole pr join player p on (pr.player_id = p.id) where lower(p.playertag)= lower(?), suspendResume: true]

2014-02-19 13:23:48,159 TRACE [org.jboss.security] (default task-1) PBOX000240: Begin login method

2014-02-19 13:23:48,191 TRACE [org.jboss.security] (default task-1) PBOX000263: Executing query select passwordHash from player where lower(playertag)= lower(?) with username max_kuffs

2014-02-19 13:23:48,194 TRACE [org.jboss.security] (default task-1) PBOX000241: End login method, isValid: true

2014-02-19 13:23:48,194 TRACE [org.jboss.security] (default task-1) PBOX000242: Begin commit method, overall result: true

2014-02-19 13:23:48,194 TRACE [org.jboss.security] (default task-1) PBOX000263: Executing query select role, 'Roles' from playerrole pr join player p on (pr.player_id = p.id) where lower(p.playertag)= lower(?) with username max_kuffs

2014-02-19 13:23:48,195 TRACE [org.jboss.security] (default task-1) PBOX000263: Executing query select role, 'Roles' from playerrole pr join player p on (pr.player_id = p.id) where lower(p.playertag)= lower(?) with username max_kuffs

2014-02-19 13:23:48,200 TRACE [org.jboss.security] (default task-1) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@403fd998, subject: Subject(1586895425).principals=org.jboss.security.SimplePrincipal@386064182(max_kuffs)org.jboss.security.SimpleGroup@837346126(Roles(members:ADMIN))org.jboss.security.SimpleGroup@837346126(CallerPrincipal(members:max_kuffs))

2014-02-19 13:23:48,200 TRACE [org.jboss.security] (default task-1) PBOX000201: End isValid, result = true

2014-02-19 13:23:48,250 TRACE [org.jboss.security] (default task-1) PBOX000200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@f197fb6e, cache entry: null

2014-02-19 13:23:48,250 TRACE [org.jboss.security] (default task-1) PBOX000209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@f197fb6e

2014-02-19 13:23:48,250 TRACE [org.jboss.security] (default task-1) PBOX000221: Begin getAppConfigurationEntry(other), size: 5

2014-02-19 13:23:48,251 TRACE [org.jboss.security] (default task-1) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:

[0]

LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule

ControlFlag: LoginModuleControlFlag: optional

Options:

name=password-stacking, value=useFirstPass

[1]

LoginModule Class: org.jboss.as.security.RealmDirectLoginModule

ControlFlag: LoginModuleControlFlag: required

Options:

name=password-stacking, value=useFirstPass

2014-02-19 13:23:48,251 TRACE [org.jboss.security] (default task-1) PBOX000236: Begin initialize method

2014-02-19 13:23:48,251 TRACE [org.jboss.security] (default task-1) PBOX000240: Begin login method

2014-02-19 13:23:48,252 TRACE [org.jboss.security] (default task-1) PBOX000236: Begin initialize method

2014-02-19 13:23:48,253 TRACE [org.jboss.security] (default task-1) PBOX000240: Begin login method

2014-02-19 13:23:48,261 DEBUG [org.jboss.security] (default task-1) PBOX000283: Bad password for username max_kuffs

2014-02-19 13:23:48,261 TRACE [org.jboss.security] (default task-1) PBOX000244: Begin abort method

2014-02-19 13:23:48,262 TRACE [org.jboss.security] (default task-1) PBOX000244: Begin abort method

2014-02-19 13:23:48,262 DEBUG [org.jboss.security] (default task-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required

at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.20.Final.jar:4.0.20.Final]

at org.jboss.as.security.RealmDirectLoginModule.login(RealmDirectLoginModule.java:148) [wildfly-security-8.0.0.Final.jar:8.0.0.Final]

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_51]

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_51]

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_51]

at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51]

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_51]

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_51]

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_51]

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_51]

at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]

at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_51]

at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_51]

at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.20.Final.jar:4.0.20.Final]

at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.20.Final.jar:4.0.20.Final]

at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.0.20.Final.jar:4.0.20.Final]

at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.20.Final.jar:4.0.20.Final]

at org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:402) [wildfly-security-8.0.0.Final.jar:8.0.0.Final]

at org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:364) [wildfly-security-8.0.0.Final.jar:8.0.0.Final]

at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:52) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]