4 Replies Latest reply on Nov 10, 2005 10:37 AM by Hannes Stillerich

    org.jbpm.identity.security.IdentityLoginModule & JAAS

    Hannes Stillerich Newbie

      I am currently occupied with the user & security management and want to customize the jbpm.identities. So, there ist already this LoginModule, but how to use it? Any parameters in the login-config.xml to set?

      <application-policy name = "jbpm-web-sec">
       <authentication>
       <login-module code="org.jbpm.identity.security.IdentityLoginModule"
       flag = "required">
       </login-module>
       </authentication>
       </application-policy>

      What about the web.xml?
      <security-constraint>
       <web-resource-collection>
       <web-resource-name>JBPM Security</web-resource-name>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
       <role-name>JBossAdmin</role-name>
       </auth-constraint>
       </security-constraint>
      
       <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>JBoss JBPM</realm-name>
       </login-config>
       <security-role>
       <role-name>JBossAdmin</role-name>
       </security-role>

      I manually inserted the JBossAdmin to the jbpm_id_group table and connected it with cookie monster in jbpm_id_membership, but even though I cant authorize to the websale :(
      Can anybody help?

        • 1. Re: org.jbpm.identity.security.IdentityLoginModule & JAAS
          Gerhard Wittwer Newbie

          Hi Hannes

          I'm currently also occupied with the security of JBoss and jBPM (see my message: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=70644).

          If you will get the solution for the security settings and how to use them, please inform me (same will I do :)

          Thank you and hope somebody will help us with the security stuff.

          Regards
          Gerhard

          • 2. Re: org.jbpm.identity.security.IdentityLoginModule & JAAS
            Hannes Stillerich Newbie

             

            "gwittwer" wrote:
            Hi Hannes

            I'm currently also occupied with the security of JBoss and jBPM (see my message: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=70644).

            If you will get the solution for the security settings and how to use them, please inform me (same will I do :)

            Thank you and hope somebody will help us with the security stuff.

            Regards
            Gerhard


            Servus Gerhard :)

            First of all, this is my first webproject and so I am quite even unexperienced with basic j2ee stuff :(
            I am sorry that I hadnt seen your posting before - only searched for the LoginModul. Firstly I wanted to make up my own Object/Database Model, but there is already much done in identities.
            Currently, websale works with the (hbm-saved) identity.User-Object which is accessible via the PersistentContext/IdentitySession, right? I want to keep this, but the creation resp. putting in the context has to be done in the LoginModul (currently in the AuthenticationFilter) or am I wrong?



            • 3. Re: org.jbpm.identity.security.IdentityLoginModule & JAAS
              Hannes Stillerich Newbie

              I have just took a deeper look into the IdentityLoginModule (latest jbpm3.1alpha starterKit) and faced some troubles:
              org.jbpm.identity.security.IdentityLoginModule.java:

              public boolean login() throws LoginException {
               System.out.println("[IdentityLoginModule] login");
               // get userName and password
               NameCallback nameCallback = new NameCallback(null);
               System.out.println("[IdentityLoginModule] after NameCallback");
               PasswordCallback passwordCallback = new PasswordCallback(null,false);
               try {
              ...
              

              (I have only added the sysos)
              The first syso works, but then no trace is printed anymore. Seems that 'new NameCallback(null);' causes an exception - but no trace is shown. Tomorrow I am going to insert a catch block.
              Does anybody has ever succeeded in running the IdentityLoginModule??

              • 4. Re: org.jbpm.identity.security.IdentityLoginModule & JAAS
                Hannes Stillerich Newbie

                Actually, this thread wasn't supposed to be a monologue ;)
                Here is the promised trace:

                16:18:13,661 INFO [STDOUT] java.lang.IllegalArgumentException
                16:18:13,661 INFO [STDOUT] at javax.security.auth.callback.NameCallback.<init>(NameCallback.java:50)
                16:18:13,661 INFO [STDOUT] at org.jbpm.identity.security.IdentityLoginModule.login(IdentityLoginModule.java:46)
                16:18:13,661 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                16:18:13,671 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                16:18:13,671 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                16:18:13,671 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:585)
                16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
                16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                16:18:13,671 INFO [STDOUT] at java.security.AccessController.doPrivileged(Native Method)
                16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                16:18:13,671 INFO [STDOUT] at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                16:18:13,671 INFO [STDOUT] at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:572)
                16:18:13,671 INFO [STDOUT] at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:506)
                16:18:13,671 INFO [STDOUT] at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:315)
                16:18:13,671 INFO [STDOUT] at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:230)
                16:18:13,671 INFO [STDOUT] at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
                16:18:13,671 INFO [STDOUT] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
                16:18:13,671 INFO [STDOUT] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
                16:18:13,671 INFO [STDOUT] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                16:18:13,681 INFO [STDOUT] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                16:18:13,681 INFO [STDOUT] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                16:18:13,681 INFO [STDOUT] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                16:18:13,681 INFO [STDOUT] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
                16:18:13,681 INFO [STDOUT] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
                16:18:13,681 INFO [STDOUT] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                16:18:13,681 INFO [STDOUT] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                16:18:13,681 INFO [STDOUT] at java.lang.Thread.run(Thread.java:595)


                what I have done?
                added new policy in the login-conf.xml:
                <application-policy name = "jbpm">
                 <authentication>
                 <login-module code = "org.jbpm.identity.security.IdentityLoginModule"
                 flag = "required">
                 </login-module>
                 </authentication>
                 </application-policy>

                added file to the unpacked jbpm-webapp: jboss-web.xml
                <jboss-web>
                 <security-domain>java:/jaas/jbpm</security-domain>
                </jboss-web>

                changed web.xml:
                <security-constraint>
                 <web-resource-collection>
                 <web-resource-name>jbpm</web-resource-name>
                 <url-pattern>/faces/*</url-pattern>
                 <http-method>POST</http-method>
                 <http-method>GET</http-method>
                 </web-resource-collection>
                 <auth-constraint>
                 <role-name>*</role-name>
                 </auth-constraint>
                 </security-constraint>
                <!--
                 <login-config>
                 <auth-method>FORM</auth-method>
                 <form-login-config>
                 <form-login-page>/faces/login.jsp</form-login-page>
                 <form-error-page>/faces/error.jsp</form-error-page>
                 </form-login-config>
                
                 </login-config>
                -->
                 <login-config>
                 <auth-method>BASIC</auth-method>
                 <realm-name>JBoss JBPM</realm-name>
                 </login-config>
                
                 <security-role>
                 <role-name>admin</role-name>
                 </security-role>

                I tested both authentication-methods: form-based and windowed (basic) - but every time the same error occurs.
                using jbpm-3.1alpha-starterkit & java 1.5.0_04-b05