1 Reply Latest reply on Aug 2, 2010 8:16 AM by Subramaniam Venkatachalam

    JAAS UsernamePasswordLoginModule throws NullPointerException.

    Subramaniam Venkatachalam Newbie

      Hello All,

       

      I am using Jboss Sx for JAAS Authentication, I have three LoginModule i.e. DatabaseServerLoginModule , ClientLoginModule and UsernamePasswordLoginModule configured in my jaas.

       

      I get authenticate when I in login into the application with the DatabaseServerLoginModule. After which when I do doesUserHaveRole on JaasSecurityManagerServiceMBean, and I supply the principal. I get a NullPointerException thrown from the UsernamePasswordLoginModule.

       

      I have enabled useFirstPass on DatabaseServerLoginModule and UsernameLoginModule, but not enabled the same on ClientLoginModule.

       

      After the NullPointer exception the abort method is invoked.

       

      I have extended the UsernameLoginModule  in UpdateUserInfoLoginModule and overriden "getUsersPassword" and "getRolesSet". These method return "null" in the extended class.

       

      I am using Jboss.5.1.0 server and the jbosssx-client.jar version is 2.0.3 SP1.

       

      Please find the stack trace attached. Any help will be appreciated.

       

       

      2010-07-29 19:42:36,335 TRACE [RMI TCP Connection(386)-172.21.176.180]-[org.jboss.security.plugins.auth.JaasSecurityManagerBase.main] Login failure
      javax.security.auth.login.LoginException: java.lang.NullPointerException
          at org.jboss.security.auth.spi.Util.createPasswordHash(Util.java:382)
          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:457)
          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:243)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
          at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
          at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
          at org.jboss.security.plugins.JaasSecurityManagerService.doesUserHaveRole(JaasSecurityManagerService.java:393)
          at sun.reflect.GeneratedMethodAccessor745.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
          at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
          at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
          at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
          at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
          at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:288)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
          at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
          at $Proxy348.doesUserHaveRole(Unknown Source)

       

       

      Please find my jaas:application properties.

       

       

      <jaas:application-policy name="main">
             <jaas:authentication>                   
            <jaas:login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"  flag="required">
              <jaas:module-option name="password-stacking">useFirstPass</jaas:module-option>
              <jaas:module-option name="hashAlgorithm">MD5</jaas:module-option>
              <jaas:module-option name="hashEncoding">base64</jaas:module-option>
              <jaas:module-option name="dsJndiName">java:/jdbc/testDB</jaas:module-option>
              <jaas:module-option name="principalsQuery">select password from User where binary name = ?</jaas:module-option>
              <jaas:module-option name="rolesQuery">select r.name, 'Roles' from Role,User u where u.name = ?</jaas:module-option>
            </jaas:login-module>
            <!--  Logging to a log file -->
            <jaas:login-module code="com.security.usermanagement.impl.LoggingLoginModule"
               flag="required">
               <jaas:module-option name="password-stacking">useFirstPass</jaas:module-option>
            </jaas:login-module>
            <!--  Keeps #failedLogins,lastFailedLoginDate and lastSuccessLoginDate up to date -->
            <jaas:login-module code="com.security.usermanagement.impl.UpdateUserInfoLoginModule"
               flag="required">
               <jaas:module-option name="password-stacking">useFirstPass</jaas:module-option>
               <jaas:module-option name="dsJndiName">java:/jdbc/testDB</jaas:module-option>
            </jaas:login-module>
            <!-- Associates the credentials to the current thread, we need this -->
            <jaas:login-module code="org.jboss.security.ClientLoginModule"
               flag="required">
               <!-- it will look for an existing password and not go for authentication -->
            </jaas:login-module>
             </jaas:authentication>
          </jaas:application-policy>

       

      Can you please give me some clue why this behaviour.

       

      Thanks & Warm Regards,

      Anand.

        • 1. Re: JAAS UsernamePasswordLoginModule throws NullPointerException.
          Subramaniam Venkatachalam Newbie

          Hello All,

           

          When I debugged the code with break points.

          The SecurityAssociation.getCredentials() is returning "null" credentials, and therefore the isValid on JAASSecurityManagerServiceMBean fails.

           

          securityManager.isValid("test",new SimplePrincipal(SecurityAssociation.getPrincipal()),SecurityAssociation.getCredentials());

           

          The "null" from the SecurityAssociation is only returned the second time. The first time the SecurityAssociation returns the correct credentials.

           

          And in the logging which is enabled the "NullPointerException" is present from UsernamePasswordLoginModule.

           

          Hope this gives a little more insight into the issue.

           

          It will be very helpful, if some of the JBoss JAAS experts to reply.

           

          Thanks & Warm Regards,

          Anand.