Is JBoss JASPI implementation working?
giorgio.grillini Jul 16, 2010 5:36 AM
Hi to all,
I'm trying without success to make my own JASPI compliant ServerAuthenticationModule.
First of all, I followed the guide on Anil's Security Blog: http://anil-identity.blogspot.com/search/label/jsr-196.
If I understand correctly, a JUnit test like this:
HttpMethodBase req = HttpUtils.accessURL(url, realm, HttpURLConnection.HTTP_OK, HttpUtils.GET);
with
- url=http://anil:cricket@localhost:8080/jaspi-web-basic/
- realm=JASPI
should call the configured org.jboss.web.tomcat.security.jaspi.modules.HTTPBasicServerAuthModule and return an HTTP_OK response.
Instead it throws the following exception:
17:57:11,506 ERROR [org.apache.catalina.connector.CoyoteAdapter] An exception or error occurred in the container during the request processing: java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
at java.util.ArrayList.RangeCheck(ArrayList.java:547)
at java.util.ArrayList.get(ArrayList.java:322)
at org.jboss.security.auth.message.config.JBossServerAuthContext.invokeModules(JBossServerAuthContext.java:168)
at org.jboss.security.auth.message.config.JBossServerAuthContext.validateRequest(JBossServerAuthContext.java:142)
at org.jboss.security.plugins.auth.JASPIServerAuthenticationManager.isValid(JASPIServerAuthenticationManager.java:79)
at org.jboss.web.tomcat.security.jaspi.TomcatJASPIAuthenticator.authenticate(TomcatJASPIAuthenticator.java:105)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:559)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:872)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951)
at java.lang.Thread.run(Thread.java:619)
This happens on both JBoss 6 M2 and JBoss 5.1...
Debugging the JBoss 6 M2 code, I found the following:
- The validateRequest method of the auth module is called explicitly by the configured authenticator (through a context call), while the JSR-196 spec says: "At point (2) in the message processing model: The message processing runtime must call the validateRequest method of ServerAuthContext". Can the Authenticator be considered the message processing runtime?
- The AuthModule called seems to be HttpServletServerAuthModule and not the one configured in jaspi-webbasic-jboss-beans.xml, i.e. HTTPBasicServerAuthModule. Why?
Is the JBoss JSR-196 implementation working?
How can it be configured properly? Is there any detailed documentation?
By the way, where can I find the sources for jbosssx-client version 2.1.0.20091223? The jar at https://repository.jboss.org/nexus/content/repositories/releases/org/jboss/security/jbosssx-client/2.1.0.20091223/jbosssx-client-2.1.0.20091223-sources.jar is empty!
Best regards,
Giorgio Grillini
P.S. I wrote this post in the PicketBox community since I've seen that JBoss security has just become PicketBox. If I'm off topic, please excuse me.