0 Replies Latest reply on Jul 16, 2010 5:36 AM by Giorgio Grillini

    Is JBoss JASPI implementation working?

    Giorgio Grillini Newbie

      Hi to all,

      I'm trying without success to make my own JASPI compliant ServerAuthenticationModule.

      First of all I follow the guide on the Anil's Security Blog: http://anil-identity.blogspot.com/search/label/jsr-196.

      If I understand well a Junit test like this:

       

      HttpMethodBase req = HttpUtils.accessURL(url, realm, HttpURLConnection.HTTP_OK, HttpUtils.GET);

       

      with

       

      Should call the configured org.jboss.web.tomcat.security.jaspi.modules.HTTPBasicServerAuthModule and return an HTTP_OK response.

      Instead it throws the following exception:

      17:57:11,506 ERROR [org.apache.catalina.connector.CoyoteAdapter] An exception or error occurred in the container during
      the request processing: java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
              at java.util.ArrayList.RangeCheck(ArrayList.java:547)
              at java.util.ArrayList.get(ArrayList.java:322)
              at org.jboss.security.auth.message.config.JBossServerAuthContext.invokeModules(JBossServerAuthContext.java:168)
              at org.jboss.security.auth.message.config.JBossServerAuthContext.validateRequest(JBossServerAuthContext.java:142)
              at org.jboss.security.plugins.auth.JASPIServerAuthenticationManager.isValid(JASPIServerAuthenticationManager.java:79)
              at org.jboss.web.tomcat.security.jaspi.TomcatJASPIAuthenticator.authenticate(TomcatJASPIAuthenticator.java:105)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:559)
              at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
              at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:872)
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951)
              at java.lang.Thread.run(Thread.java:619)

       

      This happens on both Jboss6 M2 and Jboss 5.1...

      Debugging Jboss6 M2 code I found the following:

      • The validateRequest method of authmodule is called explicitely by the configured authenticator (through a context call) while in the JSR-196 spec it is said: "At point (2) in the message processing model: The message processing runtime must call the validateRequest method of ServerAuthContext". Can the Authenticator be considered the message processing runtime??
        • The AuthModule called seems to be HttpServletServerAuthModule and not that configured into the jaspi-webbasic-jboss-beans.xml i. e. HTTPBasicServerAuthModule why?

       

      Is Jboss JSR-196 implementation working?

      How can it be configured properly? Is there any detailed documentation?

       

      By the way where can I find sources for jbosssx-client version 2.1.0.20091223? the jar at https://repository.jboss.org/nexus/content/repositories/releases/org/jboss/security/jbosssx-client/2.1.0.20091223/jbosssx-client-2.1.0.20091223-sources.jar is empty!

       

      Best regards,

      Giorgio Grillini

       

      P.S. I write this post on the Picketbox community since I've seen that Jboss security just become picketbox. If I'm off topic please excuse me.