7 Replies Latest reply on Mar 13, 2010 2:35 AM by mhwish moona

    JAAS Implementation with JBOSS 4.0.2

    mhwish moona Newbie

      I have made a Simple Login Application, thats implemnent JAAS.
      My Applicaiton Authenticate the User Successullly, but not authorize.
      I am using MySQL (Database)
      Server: JBOSS 4.0
      I have made Two Tables:
      1: Login (with column username ,password)
      DATA----------->                                   ali                          123
      2:Userrole(with column username ,role, roleGroup)
      DATA----------->                                     ali                      user      Admin
      Authentication Successful:

      2:54:47,828 INFO  [STDOUT] Here Our Subject is =Subject:
      Principal: ali
      Principal: Admin(members:user)
      2:54:47,828 INFO  [STDOUT] Principal= ali,org.jboss.security.SimplePrincipal
      2:54:47,828 INFO  [STDOUT] Principal= Admin(members:user),org.jboss.security.SimleGroup
      2:54:47,828 INFO  [STDOUT] ....Authentication Succeeded.....
      But Problem is here:
      An Exception occurs:

      2:54:48,359 ERROR [RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=null, requiredRoles=[user], principalRoles=[ ]
      2:54:48,359 INFO  [STDOUT] Authorization failure

      2:54:48,359 ERROR [STDERR] javax.ejb.EJBAccessException: Authorization failure
      2:54:48,359 ERROR [STDERR]     at org.jboss.ejb3.security.RoleBasedAuthorizatio
      Interceptor.invoke(RoleBasedAuthorizationInterceptor.java:104)
      2:54:48,359 ERROR [STDERR]     at org.jboss.aop.joinpoint.MethodInvocation.invo eNext(MethodInvocation.java:101)

      Why I am getting this error while In Authentication lc.login() found the principal ali but when I am going to authorize "ali" then principal found =null.....

      In My LoginSessionBean I have made method "hello()" Such as:
      class LoginSessionBean implements SessionBean{
      @Resource SessionContext ctx;
      @RolesAllowed ({"user"} )
      public void hello() {
      System.out.println(".............With in hello() method..................");
      System.out.println(ctx.getCallerPrincipal().getName());
      System.out.println(".............Role are going to verify authorize users..................");
      if(ctx.isCallerInRole("user")) {
      System.out.println("hello Ali you r authorize to access:");
      }else if(ctx.isCallerInRole("supervisor")) {
      System.out.println("hello you r authorize to access");
      }else {
      System.out.println("UNAUTHORISED ");
      }
      }

      }

       

      and my ejb-jar.xml is as:

       

      <?xml version="1.0" encoding="windows-1252" ?>

       

      <ejb-jar>
          <enterprise-beans>
              <session>
                  <ejb-name>LoginSessionBean</ejb-name>
                  <ejb-ref>
                      <ejb-ref-name>loginsession.LoginSessionBean</ejb-ref-name>
                      <jndi-name>java:/LoginDS</jndi-name>
                      <ejb-ref-type>Stateless</ejb-ref-type>
                      <remote>loginsession.LoginSession</remote>
                      <ejb-class>loginsession.LoginSessionBean</ejb-class>
                      <transaction-type>Container</transaction-type>
                  </ejb-ref>
                  <security-role-ref>
                      <description>role-name checked within EJB</description>
                      <role-name>user</role-name>
                      <role-link>user</role-link>
                  </security-role-ref>
                  <security-identity>
               <run-as>
                 <role-name>user</role-name>
               </run-as>
             </security-identity>
              </session>
          </enterprise-beans>
          <assembly-descriptor>
          <security-role>
             <role-name>user</role-name>
           </security-role>
              <method-permission>
                  <role-name>user</role-name>
                  <method>
                      <ejb-name>loginsession.LoginSessionBean</ejb-name>
                      <method-name>hello</method-name>
                  </method>
              </method-permission>
          </assembly-descriptor>
      </ejb-jar>

        • 1. Re: JAAS Implementation with JBOSS 4.0.2
          Wolfgang Knauf Master

          Hi,

           

          what Login Module do you use? I assume you use "org.jboss.security.auth.spi.DatabaseServerLoginModule"? If yes: post the config snippet from "login-config.xml".

           

          Did you activate logging of the security layer (see http://www.jboss.org/community/wiki/SecurityFAQ , Question 4)?

           

          Best regards

           

          Wolfgang

          1 of 1 people found this helpful
          • 2. Re: JAAS Implementation with JBOSS 4.0.2
            mhwish moona Newbie

            A.o.a Sir,

             

            My login-config.xml is as:

             

            <application-policy name="hello">
            <authentication>

            <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"  flag = "required">
            <module-option name = "unauthenticatedIdentity">anonymous</module-option>
            <module-option name = "dsJndiName">java:/LoginDS</module-option>

            <module-option name = "principalsQuery">SELECT password from login where username=?</module-option>
            <module-option name = "rolesQuery">SELECT role,roleGroup from userRole where username=?</module-option>

            </login-module>
            </authentication>
            </application-policy>

            In above module "hello" is my application policy name. This is also mention in my LoginSessionBean as:

             

            @SecurityDomain("hello")

            class LoginSessionBean implements SessionBean{

            }

             

            But what is the purpose to activate logging of the security layer?

            I really don't know.

            Thanks.

            • 3. Re: JAAS Implementation with JBOSS 4.0.2
              Wolfgang Knauf Master

              Hi,

               

              logging might reveal internal errors of the login module, e.g. because of sql errors or other configuration problems. It is too bad that the security layer does not perform error logging by default.

               

              There might be one issue with your login-config.xml: the second result column of the "rolesQuery" must have the constant value 'Roles'. Hope that the column 'roleGroup' has this value.

               

              Best regards

               

              Wolfgang

              1 of 1 people found this helpful
              • 4. Re: JAAS Implementation with JBOSS 4.0.2
                mhwish moona Newbie

                A.o.a,

                Sir,


                After activate logging of security layer as u mentioned, in "log4.xml" I got a warning as:

                 

                23:34:22,843 WARN  [SecurityCollection] Suspicious url pattern: "/admin/*"

                why this warning is occuring?

                 

                I have mention it in my web.xml. In my project I have made a directory "admin" in which two pages are placed and I want to give the access to that user who belongs to the "user" Role.

                 

                As I am using JSF so my web.xml is as:

                 

                <web-app>
                    <description>Empty web.xml file for Web Application</description>
                    <servlet>
                        <servlet-name>Faces Servlet</servlet-name>
                        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
                        <load-on-startup>1</load-on-startup>
                         <security-role-ref>
                                <description>role-name checked within EJB</description>
                                <role-name>abc</role-name>
                                <role-link>abc</role-link>
                        </security-role-ref>
                    </servlet>
                   
                    <servlet-mapping>
                        <servlet-name>Faces Servlet</servlet-name>
                        <url-pattern>*.faces</url-pattern>
                    </servlet-mapping>
                    <session-config>
                        <session-timeout>35</session-timeout>
                    </session-config>
                    <mime-mapping>
                        <extension>html</extension>
                        <mime-type>text/html</mime-type>
                    </mime-mapping>
                    <mime-mapping>
                        <extension>txt</extension>
                        <mime-type>text/plain</mime-type>
                    </mime-mapping>
                   
                    <security-constraint>
                        <web-resource-collection>
                                <web-resource-name>AdminPages</web-resource-name>
                                <url-pattern>/admin/*</url-pattern>
                                <http-method>POST</http-method>
                                <http-method>GET</http-method>
                        </web-resource-collection>
                        <auth-constraint>
                            <role-name>user</role-name>
                        </auth-constraint>
                        <user-data-constraint>
                        <transport-guarantee>NONE</transport-guarantee>
                        </user-data-constraint>
                    </security-constraint>
                    <login-config>
                    <auth-method>BASIC</auth-method>
                    <realm-name>hello</realm-name>
                     <form-login-config>
                            <form-login-page>/MainLogin.jsp</form-login-page>
                            <form-error-page>/resultforfail.jsp</form-error-page>
                        </form-login-config>
                  </login-config>
                    <security-role>
                        <role-name>user</role-name>
                    </security-role>
                </web-app>

                 

                and

                What do u mean by constant value of 'Role' column?

                 

                I have two Table in My Database(MySQL)

                 

                1- login  (username          password)

                Data--->              ali                          123

                2- userRole (username           role             roleGroup)

                Data---->                   ali                          user                   Admin

                • 5. Re: JAAS Implementation with JBOSS 4.0.2
                  Wolfgang Knauf Master

                  Hi,

                   

                  the second column of the result set returned by the "rolesQuery" must always be 'Roles' (I don't know why ;-) ):

                   

                  {code:sql}SELECT role,'Roles' from userRole where username=?{code}

                   

                  If this does not help: please post the snippets from your log file which show the output of the login module (e.g. sql statements and status output).

                   

                  I don't know what the URL pattern warning means, I'm sorry.

                   

                  Wolfgang

                  • 6. Re: JAAS Implementation with JBOSS 4.0.2
                    Alexander Lengson Newbie

                    Hello Wolfgang,

                    WolfgangKnauf wrote:


                    the second column of the result set returned by the "rolesQuery" must always be 'Roles' (I don't know why ;-) ):

                    IMHO, this is just due to implementation of the org.jboss.security.auth.spi.AbstractServerLoginModule and particularly method getRoleSets() which expects a Group named "Roles" to be created.

                    • 7. Re: JAAS Implementation with JBOSS 4.0.2
                      mhwish moona Newbie

                      A.o.a Sir,

                      after calling login() method of LoginContext following INFO is on Server:

                       

                       

                      [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(hello), size=2
                      TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(hello), authInfo=AppConfigurationEntry[]:
                      [0]

                      LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
                      ControlFlag: LoginModuleControlFlag: required
                      Options:name=principalsQuery, value=SELECT password from login where username=?
                      name=unauthenticatedIdentity, value=anonymous
                      name=dsJndiName, value=java:/LoginDS
                      name=rolesQuery, value=SELECT role ,roleGroup from userRole where username=?

                       

                      INFO  [STDOUT] .........Login Context in Service Facade is successfully called.........

                      INFO  [STDOUT] ....Now Login method of LoginContext in Service Facade is going to call.....
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize, instance=@29741280
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Saw unauthenticatedIdentity=anonymous
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/LoginDS

                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=SELECT password from login where username=?
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=SELECT role ,roleGroup from userRole where username=?
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendResume=true
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT password from login where username=?, with username: ali
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Obtained user password
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction

                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'ali' authenticated, loginOk=true
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] getRoleSets using rolesQuery: SELECT role ,roleGroup from userRole where username=?, username: ali

                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT role ,roleGroup from userRole where username=?, with username: ali
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role abc
                      TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction
                      INFO  [STDOUT] principal are going to add userPrincipal attribute..
                      INFO  [STDOUT] Here Our Subject is =Subject:
                           Principal: ali
                           Principal: admin(members:usesr)

                      INFO  [STDOUT] Principal= ali,org.jboss.security.SimplePrincipal
                      INFO  [STDOUT] Principal= admin(members:user),org.jboss.security.SimpleGroup
                      INFO  [STDOUT] ....Login method of LoginContext is Successfully called.....
                      INFO  [STDOUT] ....Authentication Succeeded.....

                      Problem is Here:

                       

                      I am facing another problem, with my project.

                      Why these Exception are occuring:

                       

                      When I call the hello() of LoginSessionBean:

                       

                      TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
                      2010-03-13 02:05:52,239 TRACE [org.jboss.security.plugins.JaasSecurityManager.java:] Begin isValid, principal:null, cache info: null
                      2010-03-13 02:05:52,239 TRACE [org.jboss.security.plugins.JaasSecurityManager.java:] defaultLogin, principal=null
                      2010-03-13 02:05:52,239 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(java:), size=2
                      2010-03-13 02:05:52,239 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry(java:), no entry in appConfigs, tyring parentCont: null
                      2010-03-13 02:05:52,239 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry(java:), no entry in parentConfig, trying: other
                      2010-03-13 02:05:52,239 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(java:), failed to find entry
                      2010-03-13 02:05:52,239 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(other), size=2
                      2010-03-13 02:05:52,239 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry(other), no entry in appConfigs, tyring parentCont: null
                      2010-03-13 02:05:52,239 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry(other), no entry in parentConfig, trying: other
                      2010-03-13 02:05:52,239 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(other), failed to find entry
                      2010-03-13 02:05:52,239 TRACE [org.jboss.security.plugins.JaasSecurityManager.java:] Login failure
                      javax.security.auth.login.LoginException: No LoginModules configured for java:
                           at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
                           at javax.security.auth.login.LoginContext.<init>(LoginContext.java:367)
                           at javax.security.auth.login.LoginContext.<init>(LoginContext.java:444)
                           at org.jboss.security.plugins.SubjectActions$LoginContextAction.run(SubjectActions.java:162)
                           at java.security.AccessController.doPrivileged(Native Method)
                           at org.jboss.security.plugins.SubjectActions.createLoginContext(SubjectActions.java:277)
                           at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:600)
                           at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)

                       

                      Sir here Why it  look for getAppConfigrationEntry(other), it should look for "hello"

                      as it look after calling login() method of LoginContext (as I highlited in 3rd line of my post..)

                      Message was edited by: mhwish moona

                       

                      Message was edited by: mhwish moona