4 Replies Latest reply on Mar 17, 2010 7:39 AM by Stefan Henz

    problem with LdapLoginModule

    Stefan Henz Newbie

      Hi,

       

      I've the following problem with the LdapLoginModule (same for the LdapExtLoginModule, which I've tried too):

      even though I've configured the LdapLoginModule in the login-config.xml, when typing the username and the password in the loginPanel, i.e. when entering the URL

       

      http://loccalhost:8080/myWebApp/web

      or

      https://localhost:8443/myWebApp/web

       

      where WebApp is an EJB project packed in an ear file "WebApp.ear"

       

      (an HTTPS connector is enabled and a redirect from HTTP port 8080 to the secure HTTPS port in the server.xml is enabled) on my computer,

       

      I always get the following error message

       

      :38:42,107 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
              at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
              at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
              at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
              at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              at java.lang.reflect.Method.invoke(Method.java:597)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)

       

       

      ...

       

      I don't understand why a user.properties file is searched for.

       

      The corresponding snippet of the login-config.xml looks like:

       

      <policy>

      ...

        <application-policy name="myWebApp">
             <authentication>

             <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                  <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>

                  <module-option name="java.naming.provider.url">ldap://ldap.local/</module-option>
                  <module-option name="java.naming.security.protocol">ssl</module-option>
                  <module-option name="java.naming.security.authentication">simple</module-option>

                 <!-- the username is given in "uid" not in "cn", i.e.

                       on the command line you type "ldapsearch -x uid=username" in order to get the user information -->

                  <module-option name="principalDNPrefix">uid=</module-option>

                 <!-- principalDNSuffix has to be empty because it looks like

                      ou=<department>, ou=users, dc=domainPart1, dc=domainPart2 -->
                  <module-option name="principalDNSuffix"></module-option>

                  <module-option name="uidAttributeID">member</module-option>

                 <!-- all roles could be empty because in our LDAP server no roles are defined -->

                 <module-option name="rolesCtxDN"></module-option>
                 <module-option name="uidAttributeID">member</module-option>
                 <module-option name="roleAttributeID">uid</module-option>
                 <module-option name="roleAttributeIsDN">false</module-option>

                  <module-option name="searchTimeLimit">5000</module-option>
                 <module-option name="searchScope">SUBTREE_SCOPE</module-option>
                 <module-option name="allowEmptyPasswords">false</module-option>
                  <module-option name="debug">true</module-option>

                 </login-module>
             </authentication>

        </application-policy>

      </policy>

       

       

       

      The content of the  jboss.xml is:

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss>
         <security-domain>myWebApp</security-domain>
      </jboss>

       

      The jboss-web.xml has the content:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss-web PUBLIC
          "-//JBoss//DTD Web Application 5.0//EN"
          "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
      <jboss-web>
         <security-domain>java:/jaas/myWebApp</security-domain>
         <context-root>/myWebApp</context-root>
      </jboss-web>

       

       

      And the web.xml is:

      <?xml version="1.0" encoding="UTF-8"?>

      <web-app version="2.5"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
         <display-name>JAAS</display-name>

         <security-constraint>
            <display-name>myWebApp</display-name>
              <web-resource-collection>
                  <web-resource-name>instituteKurz</web-resource-name>
                  <url-pattern>/*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
               </web-resource-collection>
               <auth-constraint>
                  <role-name>*</role-name>
               </auth-constraint>
               <user-data-constraint>
                 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
               </user-data-constraint>
         </security-constraint>
      <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>myWebApp</realm-name>
      </login-config>
      </web-app>

       

      Can one of you maybe help me?

       

      Thx,

      Jim

        • 1. Re: problem with LdapLoginModule
          jaikiran pai Master

          Looking at the stacktrace, it seems to be picking up some other login module (I guess the "other") than the one you instructed it to. Enable TRACE level logging of JBoss security as explained in Q4 here http://community.jboss.org/wiki/SecurityFAQ and see what's going on.

          • 2. Re: problem with LdapLoginModule
            Stefan Henz Newbie

            Hi Jaikiran,

             

            I followed the given URL http://community.jboss.org/wiki/SecurityFAQ and looked for a file conf/log4j.xml. But in jboss-5.1.0.GA no such file exists, only conf/jboss-config.xml. Therefore I made the corresponding changes for enabling TRACE level in the file conf/jboss-log4j.xml of the corresponding server instance.

            But I don't know where, i.e. in which file, the TRACE DEBUG information is written. It does not appear on the terminal console. Where does the tracing appear?

             

            But, because I suppose there might be a problem with another login module, in the file "conf/login-config.xml" I commented out all application-policies besides the one of the LdapLoginModule related to the security-domain "myWebApp" of my application.

            Now the error message

            :38:42,107 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role  files
            java.io.IOException: No properties file: users.properties or  defaults: defaultUsers.properties found
            at  org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)

            ...

            no longer occurs, but nevertheless one cannot log in with the corresponding ldap-username and ldap-password account.

             

            I'm not sure if the Ldap modules "LoginLdapModule" and "LoginExtLdapModule" are able to get the right DN name if the "principalDNSuffix" is empty, following the instructions (unfortunately only in German) given on

            "http://www.imixs.com/websites/imixs-com.nsf/chapter/0020.0100.0030.?OpenDocument" when using Domino. We don't use "Domino", but OpenLdap.

            I'm not sure if for OpenLdap it is also allowed to leave the "principalDNSuffix" empty, i.e.

            <module-option  name="principalDNSuffix"></module-option>

             

            I did this because we have an Ldap hierarchy like

             

            uid=uid, ou=department, ou=users, dc=domainPart1,dc=domainPart2

            where uid has the unique user account.

             

            Therefore I can't use a common "principalDNSuffix", because it differs from user to user depending on the department the user belongs to.

             

            And therefore also the principalDNPrefix is

            <module-option  name="principalDNPrefix">uid=</module-option>

            instead of

            <module-option  name="principalDNPrefix">cn=</module-option>

             

            But up to now the login via ldap is not working.

             

             

            Does somebody have an idea and can help me solve this problem?

             

            Thx

            • 3. Re: problem with LdapLoginModule
              jaikiran pai Master

              I'll move this to our Security forum and see if someone there has more info on the LDAP configs.

              • 4. Re: problem with LdapLoginModule
                Stefan Henz Newbie

                Hi,

                 

                I've just realized with the help of TRACE/DEBUG that instead of taking the application policy as defined in the login-config.xml, namely

                 

                <application-policy name="myWebApp">
                      <authentication>

                          <login-module code="org.jboss.security.auth.spi.LdapLoginModule">

                           ...

                       </login-module>

                      </authentication>
                  </application-policy>

                 

                 

                when trying to log in to my EJB web application, the default configuration, which is used for any security domain that does not have an application-policy entry with a matching name, as defined by default in the login-config.xml of JBoss 5.1.0.GA, is always used. And because this default should not be used, of course no properties file is defined for it. Uncommenting or deleting the default configuration from the login-config.xml does not solve the problem, because my application-policy for my security domain "myWebApp" is ignored.

                 

                I don't understand why this happens. I believed the security domain "myWebApp" for the context-root "myWebApp" was correct, but most probably it is not. I'll give the content of the corresponding deployment descriptors below for completeness. Maybe somebody sees and knows what might cause the problem:

                 


                My web.xml looks like:

                 

                And the web.xml is:

                <?xml version="1.0"  encoding="UTF-8"?>

                <web-app version="2.5"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns="http://java.sun.com/xml/ns/javaee"
                    xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
                    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
                    <display-name>JAAS</display-name>

                    <security-constraint>
                       <display-name>myWebApp</display-name>
                         <web-resource-collection>
                             <web-resource-name>instituteKurz</web-resource-name>
                             <url-pattern>/*</url-pattern>
                             <http-method>GET</http-method>
                             <http-method>POST</http-method>
                          </web-resource-collection>
                         <auth-constraint>
                             <role-name>*</role-name>
                          </auth-constraint>
                         <user-data-constraint>
                            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                          </user-data-constraint>
                   </security-constraint>
                <login-config>
                    <auth-method>BASIC</auth-method>
                    <realm-name>myWebApp</realm-name>
                </login-config>
                </web-app>

                 

                 

                and in the jboss-web.xml, I've defined the security domain, namely:

                 

                The jboss-web.xml has the content:

                <?xml version="1.0"  encoding="UTF-8"?>
                <!DOCTYPE jboss-web PUBLIC
                     "-//JBoss//DTD Web Application 5.0//EN"
                    "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
                <jboss-web>
                    <security-domain>java:/jaas/myWebApp</security-domain>
                    <context-root>/myWebApp</context-root>
                </jboss-web>

                 

                and this security domain is also specified in the jboss.xml:

                The content of the  jboss.xml is:

                <?xml version="1.0"  encoding="UTF-8"?>
                <jboss>
                    <security-domain>myWebApp</security-domain>
                </jboss>

                 

                Additionally, I'm also using the application.xml deployment descriptor, which has the following content:

                <?xml version="1.0" encoding="UTF-8"?>
                <!DOCTYPE application
                   PUBLIC "-//Sun Microsystems, Inc.//DTD J2EE Application 1.3//EN"
                   "http://java.sun.com/dtd/application_1_3.dtd">
                <application>
                   <display-name>myWebApp</display-name>
                   <module>
                      <ejb>myWebApp.jar</ejb>
                   </module>
                   <module>
                      <web>
                         <web-uri>myWebApp.war</web-uri>
                         <context-root>myWebApp</context-root>
                      </web>
                   </module>
                </application>
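
The check below is an added example, not code from the thread or from JBoss. It reports which application-policy a security domain resolves to, including the fallback to `other` described in the replies, and lints the LdapLoginModule options, which form the bind DN as principalDNPrefix + username + principalDNSuffix. The function names, the constructed sample XML and the comma heuristic for a full DN are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample modeled on the login-config.xml posted in this thread,
# plus an "other" policy like the JBoss default the stack trace points to.
LOGIN_CONFIG = """\
<policy>
  <application-policy name="myWebApp">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix"></module-option>
        <module-option name="uidAttributeID">member</module-option>
        <module-option name="uidAttributeID">member</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="other">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>"""

def resolve_policy(config_xml, security_domain):
    """Return (policy name, login module classes) used for a security domain."""
    name = security_domain.split("java:/jaas/")[-1]  # jboss-web.xml uses the JNDI form
    policies = {p.get("name"): p for p in ET.fromstring(config_xml).iter("application-policy")}
    chosen = name if name in policies else "other"  # unmatched domains fall back
    node = policies.get(chosen)
    modules = [m.get("code") for m in node.iter("login-module")] if node is not None else []
    return chosen, modules

def ldap_findings(config_xml, policy, username):
    """Lint the LdapLoginModule options of one policy for a sample username."""
    findings = []
    for mod in ET.fromstring(config_xml).findall(
            f"application-policy[@name='{policy}']/authentication/login-module"):
        if not mod.get("code", "").endswith(".LdapLoginModule"):
            continue
        opts = [(o.get("name"), (o.text or "").strip()) for o in mod.iter("module-option")]
        dupes = [k for k, n in Counter(k for k, _ in opts).items() if n > 1]
        findings += [f"duplicate option: {k}" for k in dupes]
        d = dict(opts)
        # LdapLoginModule binds as prefix + username + suffix; it does no user search.
        bind_dn = d.get("principalDNPrefix", "") + username + d.get("principalDNSuffix", "")
        if "," not in bind_dn:  # heuristic (assumption): a lone RDN is not a full DN
            findings.append(f"bind DN '{bind_dn}' is not a full DN")
    return findings
```

Running `resolve_policy` against the server's real conf/login-config.xml with the domain from jboss-web.xml shows whether a login would reach the LDAP module or land on the `other` policy that produced the UsersRolesLoginModule error.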