9 Replies Latest reply on Dec 15, 2009 7:16 PM by Daniel Bevenius

    ClassCastException in CertificateLoginModule

    Hans Wolffenbuttel Expert

      While implementing JAAS security into my JBossESB I stumbled on a ClassCastException in the CertificateLoginModule. While debugging I found the code where the problem occurs:

       private X509Certificate getCallerCertificate(final ObjectCallback objectCallback) throws LoginException
       {
           // Throws ClassCastException when the credential is an X509Certificate[] rather than a Set
           final Set<?> credentials = (Set<?>) objectCallback.getCredential();
           if (credentials == null || credentials.isEmpty())
           {
               throw new LoginException("No X509Certificate was passed to the login module");
           }

           X509Certificate callerCert = null;
           for (Object object : credentials)
           {
               if (object instanceof X509Certificate)
               {
                   callerCert = (X509Certificate) object;
                   break;
               }
           }

           if (callerCert == null)
           {
               throw new LoginException("No X509Certificate was passed to the login module");
           }

           return callerCert;
       }
      


      The problem is that objectCallback.getCredential() contains an ObjectArray of X509Certificate and not a Set<?>. So this explains the ClassCastException.

      Is it a configuration problem or just a bug?
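An added example, not code from this thread or from JBossESB: a credential extractor that tolerates the shapes a caller might put into ObjectCallback.setCredential(), a Set (what CertificateLoginModule expects), any other Collection, an Object[] (the `[Ljava.security.cert.X509Certificate;` shape reported above), or a single bare object. The class name CredentialCoercion is an assumption for this example; ObjectCallback itself is not referenced so the file compiles against the JDK alone, and in a real login module the argument to callerCertificate() would be objectCallback.getCredential().

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import javax.security.auth.login.LoginException;

/**
 * Example code (not JBossESB's): extracts a credential of a requested type
 * from whatever object a callback handler stored, instead of blindly
 * casting it to Set<?>. The class name is an assumption for this example.
 */
public final class CredentialCoercion {

    private CredentialCoercion() {}

    /** Returns the first element assignable to {@code type}, or null if none is present. */
    static <T> T firstOfType(Object credential, Class<T> type) {
        if (credential == null) {
            return null;
        }
        Collection<?> items;
        if (credential instanceof Collection) {
            // Set<?> (the documented case) or any other collection
            items = (Collection<?>) credential;
        } else if (credential instanceof Object[]) {
            // e.g. X509Certificate[] as a servlet container exposes the client chain
            items = Arrays.asList((Object[]) credential);
        } else {
            // a single object stored directly in the callback
            items = Collections.singleton(credential);
        }
        for (Object item : items) {
            if (type.isInstance(item)) {
                return type.cast(item);
            }
        }
        return null;
    }

    /**
     * Equivalent of the thread's getCallerCertificate(), minus the cast to Set<?>.
     * In a login module the argument would be objectCallback.getCredential().
     */
    static X509Certificate callerCertificate(Object credential) throws LoginException {
        X509Certificate cert = firstOfType(credential, X509Certificate.class);
        if (cert == null) {
            throw new LoginException("No X509Certificate was passed to the login module");
        }
        return cert;
    }

    public static void main(String[] args) {
        // Constructed input: an array, which is the runtime type named in the stack trace.
        Object asArray = new X509Certificate[0];

        // The cast used by the original method fails on that shape.
        try {
            Set<?> s = (Set<?>) asArray;
            System.out.println("unexpected: " + s);
        } catch (ClassCastException e) {
            System.out.println("original cast fails: " + e.getMessage());
        }

        // The tolerant version reports a LoginException with a meaningful message
        // (the constructed array is empty, so no certificate is found).
        try {
            callerCertificate(asArray);
        } catch (LoginException e) {
            System.out.println("tolerant version: " + e.getMessage());
        }

        // The same logic on types that can be constructed offline, showing that
        // arrays, sets and single objects are all handled alike.
        System.out.println(firstOfType(new String[] {"a", "b"}, String.class));
        System.out.println(firstOfType(Collections.singleton(42), Integer.class));
        System.out.println(firstOfType("plain", String.class));
        System.out.println(firstOfType(new String[] {"x"}, Integer.class));
    }
}
```

Compile and run with `javac CredentialCoercion.java && java CredentialCoercion`. The point of the design is that the login module's behaviour no longer depends on which callback handler or container populated the credential: an unexpected shape degrades to a LoginException ("No X509Certificate was passed") rather than an unhandled ClassCastException wrapped in a LoginException, which is both easier to diagnose in logs and keeps authentication failing closed.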

        • 1. Re: ClassCastException in CertificateLoginModule
          Daniel Bevenius Master

          Hi,

          Is it a configuration problem or just a bug?

          I'd say this might depend on how you are using the CertificateLoginModule. Are you using the login module as the moduleName for a ESB service like this:
          <security moduleName="CertLogin" rolesAllowed="worker" callbackHandler="org.jboss.soa.esb.services.security.auth.login.CertCallbackHandler">
              <property name="alias" value="certtest"/>
          </security>
          

          This is from the security_cert quickstart. In this case the JBossRemotingGatewayListener's message composer is responsible for extracting the certificate from the incoming request. An AuthenticationRequest is created using the certificate and this instance is attached to the ESB Message context so that it is available to the ESB to authenticate the call.
          The credentials are specified in org.jboss.soa.esb.services.security.auth.AuthenticationRequest:
          public interface AuthenticationRequest
          {
              public abstract Set<?> getCredentials();
              ...
          }

          It should not be possible for the getCredentials method not to return a Set<?>, as far as I can tell.
          Could you show me your jboss-esb.xml configuration, especially the security element on the ESB service?

          Regards,

          /Daniel

          • 2. Re: ClassCastException in CertificateLoginModule
            Hans Wolffenbuttel Expert

            Hi,

            I'm using another callbackHandler:

             <security
                 callbackHandler="org.jboss.soa.esb.services.security.auth.loginUserPassCallbackHandler"
                 moduleName="CertLogin" rolesAllowed="worker" runAs="worker" useCallerIdentity="false">
                 <property name="alias" value="xxxxxx"/>
             </security>
            



            But with the suggested config:

             <security
                 callbackHandler="org.jboss.soa.esb.services.security.auth.login.CertCallbackHandler"
                 moduleName="CertLogin" rolesAllowed="worker" runAs="worker" useCallerIdentity="false">
                 <property name="alias" value="xxxxxxxx"/>
             </security>
            



            I still get the following error (extracted via Debugging)

            javax.security.auth.login.LoginException: java.lang.ClassCastException: [Ljava.security.cert.X509Certificate;
             at org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule.getCallerCertificate(CertificateLoginModule.java:406)
             at org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule.login(CertificateLoginModule.java:145)
             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
             at java.lang.reflect.Method.invoke(Method.java:585)
             at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
             at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
             at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
             at java.security.AccessController.doPrivileged(Native Method)
             at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
             at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
             at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
             at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
             at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
             at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:330)
             at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:149)
             at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
             at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
             at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
             at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
             at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
             at java.lang.Thread.run(Thread.java:595)
            


            The Object which is called for the credentials is org.jboss.security.auth.callback.ObjectCallback. Do I have a different version or something? I'm using AS 4.2.3 and ESB 4.6 with JBoss Remoting 2.2.3 and JBoss Messaging 1.4.4 GA.

            Regards,

            Hans


            • 3. Re: ClassCastException in CertificateLoginModule
              Hans Wolffenbuttel Expert

              hi,

              Here is the class definition of org.jboss.security.auth.callback.ObjectCallback. It implements the interface Callback, but that interface is empty.


              /*
               * JBoss, Home of Professional Open Source.
               */
              package org.jboss.security.auth.callback;

              import javax.security.auth.callback.Callback;

              /** An implementation of Callback that simply obtains an Object to be used
              as the authentication credential. Interpretation of the Object is up to
              the LoginModules that validate the credential.

              @author Scott.Stark@jboss.org
              @version $Revision: 57203 $
              */
              public class ObjectCallback implements Callback
              {
                  private transient String prompt;
                  private transient Object credential;

                  /** Initialize the SecurityAssociationCallback
                  */
                  public ObjectCallback(String prompt)
                  {
                      this.prompt = prompt;
                  }

                  public String getPrompt()
                  {
                      return prompt;
                  }
                  public Object getCredential()
                  {
                      return credential;
                  }
                  public void setCredential(Object credential)
                  {
                      this.credential = credential;
                  }
                  public void clearCredential()
                  {
                      this.credential = null;
                  }
              }
              


              Regards,

              Hans


              • 4. Re: ClassCastException in CertificateLoginModule
                Daniel Bevenius Master

                The CertLoginModule is only intended to be used for ESB service security, that is when using the security element on a service in jboss-esb.xml.
                If I'm reading the stacktrace correctly you are using this for web container security via the http-provider.

                Could you modify one of the quickstarts to reproduce your issue? I'd be happy to take a look, and it would make it easier for me to understand what is going on.

                Thanks,

                /Daniel

                • 5. Re: ClassCastException in CertificateLoginModule
                  Hans Wolffenbuttel Expert

                  I need to fill the AuthenticationRequest and it's filled with the following code:

                  <http-bus busid="Http-GouwESB-Nulstand" context="/gouwesb/httpsgateway/Nulstand">
                      <property name="authMethod" value="CLIENT-CERT"/>
                      <property name="securityDomain" value="java:/jaas/CertLogin"/>
                      <property name="securityRole" value="worker"/>
                  </http-bus>
                  


                  And the security is supposed to pick up the certificate information in the service declaration:

                  <service category="HTTPService"
                           description="WS Frontend speaks natively to the ESB"
                           name="HTTPNulstandService">

                      <security callbackHandler="org.jboss.soa.esb.services.security.auth.login.CertCallbackHandler"
                                moduleName="CertLogin" rolesAllowed="worker" runAs="worker" useCallerIdentity="false">
                          <property name="alias" value="xxxxxxx"/>
                      </security>

                      <listeners>
                          <http-listener busidref="Http-GouwESB-Nulstand" is-gateway="true"
                                         maxThreads="1" name="Http-Nullstand-Gateway"/>
                          <jms-listener busidref="NulstandEsbBus" is-gateway="false"
                                        maxThreads="1" name="JMS-Nulstand-ESBListener"/>
                      </listeners>
                      ...
                  </service>
                  


                  I don't know if this information helps? Do I need to use another module like CertRolesLoginModule?

                  Regards,

                  Hans

                  • 6. Re: ClassCastException in CertificateLoginModule
                    Daniel Bevenius Master

                     

                    I need to fill the AuthenticationRequest and it's filled with the following code:

                    Actually only basic authentication information is currently extracted by the http-provider. I'll create a Jira for this and post back the link here.

                    Sorry about the confusion.

                    Regards,

                    /Daniel

                    • 7. Re: ClassCastException in CertificateLoginModule
                      Daniel Bevenius Master

                      I've created the following Jira for this issue so that it can be tracked:
                      http://jira.jboss.org/jira/browse/JBESB-2871

                      • 8. Re: ClassCastException in CertificateLoginModule
                        Hans Wolffenbuttel Expert

                        Hi Daniel,

                         

                        Any idea when this will be implemented? Can I do something to get this implemented sooner? The problem resides in the fact that SSL is becoming a requirement and the workaround using the JBossSX loginmodule is no longer valid. Furthermore, exposing a JBossESB as a webservice is not configurable for SSL, or did I miss some configuration documentation? The reason for this is that the exposed service doesn't use a configured gateway, not even when there is one defined. (I have had an HTTP-provider defined.)

                         

                        Regards,

                         

                        Hans

                        • 9. Re: ClassCastException in CertificateLoginModule
                          Daniel Bevenius Master

                          Hi Hans,

                           

                          Sorry, but I can't really give you an answer as to when this will be implemented, as it is not for me to decide. You can vote for this issue though, and that will be taken into consideration when tasks get prioritized.

                           

                          Regards,

                           

                          /Daniel