1 Reply Latest reply on Mar 19, 2014 12:59 PM by danjee

Jboss 6.2 EAP login module called multiple times at random times for random users

danjee Mar 19, 2014 9:01 AM

Hello,

I have a problem with my custom login module. This problem appeared in 7.1.1 version but it's still present in 6.2 (7.3.0) version. This is not reproductive all the times.

Sometimes, without any determined reason the login method in my custom login module gets called for every ejb3 method the operators calls.

I will try to put pieces of log output, configuration and Java code.

Log output:

12:36:15,922 TRACE [org.jboss.security] (EJB default - 2) PBOX000204: Begin validateCache, domainInfo: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@198d2dfc, credential class: class java.lang.String

12:36:15,922 TRACE [org.jboss.security] (EJB default - 2) PBOX000205: End validateCache, result = false

12:36:15,922 TRACE [org.jboss.security] (EJB default - 2) PBOX000209: defaultLogin, principal: operator1

12:36:15,923 TRACE [org.jboss.security] (EJB default - 2) PBOX000221: Begin getAppConfigurationEntry(CaponeJaas), size: 4

12:36:15,923 TRACE [org.jboss.security] (EJB default - 2) PBOX000224: End getAppConfigurationEntry(CaponeJaas), AuthInfo: AppConfigurationEntry[]:

[0]

LoginModule Class: com.asf.capone.server.jaas.CaponeLoginModule

ControlFlag: LoginModuleControlFlag: required

Options:

name=encryption, value=true

name=debug, value=true

name=password-stacking, value=useFirstPass

12:36:15,923 TRACE [org.jboss.security] (EJB default - 2) PBOX000236: Begin initialize method

12:36:15,923 WARN [org.jboss.security] (EJB default - 2) PBOX000234: Invalid or misspelled module option: encryption

12:36:15,924 WARN [org.jboss.security] (EJB default - 2) PBOX000234: Invalid or misspelled module option: debug

12:36:15,924 INFO [stdout] (EJB default - 2)           [CaponeLoginModule] debug: true

12:36:15,924 INFO [stdout] (EJB default - 2)           [CaponeLoginModule] encryption: true

12:36:15,924 TRACE [org.jboss.security] (EJB default - 2) PBOX000240: Begin login method

12:36:15,924 INFO [stdout] (EJB default - 2)           [CaponeLoginModule] use first pass: true

12:36:15,925 INFO [stdout] (EJB default - 2)           [CaponeLoginModule] private key file: /appsvr/jboss-caponeagency/bin/private.der

12:36:15,946 INFO [stdout] (EJB default - 2)           [CaponeLoginModule] login sql : select id, password, ldap_authentication from users_sv where lower(name) = lower('operator1') and deleted = 0

12:36:15,948 TRACE [org.jboss.security] (EJB default - 2) PBOX000241: End login method, isValid: true

12:36:15,948 TRACE [org.jboss.security] (EJB default - 2) PBOX000242: Begin commit method, overall result: true

12:36:15,948 TRACE [org.jboss.security] (EJB default - 2) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@6d38b25c, subject: Subject(625339913).principals=org.jboss.security.SimplePrincipal@323324366(operator1)org.jboss.security.SimpleGroup@978992452(Roles(members))org.jboss.security.SimpleGroup@978992452(CallerPrincipal(members:operator1))

12:36:15,948 TRACE [org.jboss.security] (EJB default - 2) PBOX000207: updateCache, input subject: Subject(625339913).principals=org.jboss.security.SimplePrincipal@323324366(operator1)org.jboss.security.SimpleGroup@978992452(Roles(members))org.jboss.security.SimpleGroup@978992452(CallerPrincipal(members:operator1)), cached subject: Subject(302949373).principals=org.jboss.security.SimplePrincipal@323324366(operator1)org.jboss.security.SimpleGroup@978992452(Roles(members))org.jboss.security.SimpleGroup@978992452(CallerPrincipal(members:operator1))

12:36:15,949 TRACE [org.jboss.security] (EJB default - 2) PBOX000208: Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@7f30404d

12:36:15,949 TRACE [org.jboss.security] (EJB default - 2) PBOX000201: End isValid, result = true

12:36:15,949 TRACE [org.jboss.security.audit] (EJB default - 2) [Success]Source=org.jboss.as.security.service.SimpleSecurityManager;Action=authentication;principal=operator1;

12:36:15,949 TRACE [org.jboss.security] (EJB default - 2) PBOX000354: Setting security roles ThreadLocal: {}

12:36:15,954 TRACE [org.jboss.security] (EJB default - 2) PBOX000354: Setting security roles ThreadLocal: null

The validate cache seems to return false and then the login module is recalled over and over again. As I said this happens randomly for random users, 90% of the time the login module works as expected.

Pieces of my standalone.xml:

<security-realm name="CaponeRealm">

                <authentication>

                    <jaas name="CaponeJaas"/>

                </authentication>

            </security-realm>

        <subsystem xmlns="urn:jboss:domain:remoting:1.1">

            <connector name="remoting-connector" socket-binding="remoting" security-realm="CaponeRealm"/>

        </subsystem>

<security-domains>

                <security-domain name="CaponeJaas" cache-type="default">

                    <authentication>

                        <login-module code="com.asf.capone.server.jaas.CaponeLoginModule" flag="required" module="deployment.capone.ear.capone-EJB.jar">

                            <module-option name="password-stacking" value="useFirstPass"/>

                            <module-option name="debug" value="true"/>

                            <module-option name="encryption" value="true"/>

                        </login-module>

                    </authentication>

                </security-domain>

...

</security-domains>

debug and encryption are two custom options of my module.

In the CaponeLoginModule I have these methods:

@Override

public void initialize(final Subject subject, final CallbackHandler callbackHandler, final Map sharedState,

final Map options) {

super.initialize(subject, callbackHandler, sharedState, options);

this.options = options;

encryption = "true".equalsIgnoreCase((String) options.get("encryption"));

printConfiguration(this);

}

This is taken from Darran Lofthouse's RemoteLoginModule

@Override

protected Group[] getRoleSets() {

Group roles = new SimpleGroup("Roles");

Group callerPrincipal = new SimpleGroup("CallerPrincipal");

Group[] groups = { roles, callerPrincipal };

callerPrincipal.addMember(getIdentity());

return groups;

}

This is my custom business logic (verify password upon a database value or ldap)

@Override

protected String getUsersPassword() throws LoginException {

String[] credentials = getUsernameAndPassword();

String username = credentials[0];

String password = credentials[1];

String cypherPassword = password;

boolean successLogin = false;

if (encryption() && password.length() > 30) {

try {

String privateKeyFilePath = "private.der";

File privateKeyFile = new File(privateKeyFilePath);

if (privateKeyFile.exists()) {

logger.trace("private key file: " + privateKeyFile.getAbsolutePath());

} else {

throw new LoginException("Private key file not found!");

}

PrivateKey privateKey = Decrypter.loadPrivateKey(privateKeyFilePath, Decrypter.ALGORITHM_RSA);

cypherPassword = Decrypter.decrypt(privateKey, password);

} catch (Exception e) {

throw new LoginException(e.getMessage());

}

}

Connection connection = null;

Statement statement = null;

ResultSet rs = null;

try {

connection = DataBaseUtils.getJndiConnection();

statement = connection.createStatement();

String ldapUrl = PropsUtils.getAdUrl();

String loginSql = "select id, password, ldap_authentication from users_sv " + "where lower(name) = lower('"

+ username + "') and deleted = 0";

logger.debug("login sql : " + loginSql);

rs = statement.executeQuery(loginSql);

if (rs.next()) {

Long id = rs.getLong(1);

String dbPassword = rs.getString(2);

Boolean ldapAuthentication = rs.getInt(3) == 1;

try {

if (ldapAuthentication) {

successLogin = loginThroughLdap(username, cypherPassword, ldapUrl);

} else {

successLogin = loginThroughDb(username, DigestUtils.md5Hex(cypherPassword), dbPassword);

}

} catch (Exception e) {

doAudit(AuditUtils.LOGIN_OPERATION, id, username, false, !ldapAuthentication, e.getMessage());

e.printStackTrace();

}

} else {

throw new FailedLoginException("Unknown Capone User");

}

} catch (Exception e) {

logger.debug("For some reason authentication failed! {}", e);

} finally {

try {

if (connection != null) {

connection.close();

}

} catch (Exception e) {

e.printStackTrace();

}

try {

if (statement != null) {

statement.close();

}

} catch (Exception e) {

e.printStackTrace();

}

try {

if (rs != null) {

rs.close();

}

} catch (Exception e) {

e.printStackTrace();

}

}

// Workaround to make it work with Jboss usernamepassword login module.

// Will return the password that user entered because authentication was

// already established

if (successLogin) {

return password;

} else {

return "NO_WAY_A_VALID_PASSWORD=" + UUID.randomUUID().toString();

}

}

Some posts I've read read about overriding SimplePrincipals equals method. I believe this is not my case considering I do not make a new instance of the SimplePrincipal when authenticating.

Can someone point me the exact fix for this ?

Thank you ,

Daniel Jipa

1. Re: Jboss 6.2 EAP login module called multiple times at random times for random users

danjee Mar 19, 2014 12:59 PM (in response to danjee)

I found the reason for this. This happens when the same operator (same username) enters the application. My question is why this happens if I was using SimplePrincipal class that has an equals method based upon username.
Actions