1 Reply Latest reply on May 5, 2011 2:14 PM by Michael Huang

    Migrating JBoss AS 4.2.1 to 5.1.0 - DynamicLoginConfig

    Michael Huang Newbie

      When migrating from AS 4.2.1 to AS 5.1.0, I got the following error:

       

      ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files

      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found

       

      I searched the web, and set jboss security component log level to trace, and the log seems to tell the server cannot find the any entry in appConfigs, therefore it always defalt to "other" security domain, then tries to access the users/passwords/roles files of "other" that do not exists.

       

      TRACE [XMLLoginConfigImpl] Begin getAppConfigurationEntry(java:jaas), size=15

      16:09:03,900 TRACE [XMLLoginConfigImpl] getAppConfigurationEntry(java:jaas), no entry in appConfigs, tyring parentCont: null

      16:09:03,900 TRACE [XMLLoginConfigImpl] getAppConfigurationEntry(java:jaas), no entry in parentConfig, trying: other

      16:09:03,900 TRACE [XMLLoginConfigImpl] End getAppConfigurationEntry(java:jaas), authInfo=AppConfigurationEntry[]:

      [0]

       

      Further looking at the log, it appears the server DynamicLoginConfig service has successfully loaded my login domain aces.

       

      16:09:03,541 DEBUG [DynamicLoginConfig] Loaded config: aces

      16:09:03,541 DEBUG [DynamicLoginConfig] Started jboss:service=DynamicLoginConfig

       

      I further checked the JNDI binding via jmx-console, it appears aces is successfully binded there under jaas under Java namespace (The getAppConfigurationEntry() seems trying at java:jaas, and there is a java:jaas parallel to "aces", not sure this could cause problem):

       

        +- jaas (class: javax.naming.Context)

        |   +- aces (class: org.jboss.security.plugins.SecurityDomainContext)

        |   +- messaging (class: org.jboss.security.plugins.SecurityDomainContext)

        |   +- java:jaas (class: org.jboss.security.plugins.SecurityDomainContext)

        |   +- EncryptOracleXAAdminDataSourcePassword (class:

       

      Also, below are my jboss-service.xml file and the dynamic-login-config.xml it pointing to:

      <?xml version="1.0" encoding="UTF-8"?>

      <server>

      <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"

        name="jboss:service=DynamicLoginConfig">

        <attribute name="AuthConfig">

         META-INF/dynamic-login-config.xml

        </attribute>

      <depends optional-attribute-name="LoginConfigService">

        jboss.security:service=XMLLoginConfig

      </depends>

      <depends optional-attribute-name="SecurityManagerService">

        jboss.security:service=JaasSecurityManager

      </depends>

      </mbean>

      </server>

       

      <?xml version="1.0" encoding="UTF-8"?>

      <policy>

      <application-policy xmlns="urn:jboss:security-beans:1.0" name="aces">

      <authentication>

                    <login-module code="com.ngc.aces.security.providers.authentication.AcesUserDbLoginModuleImpl"

                                  flag="sufficient">

                        <module-option name="unauthenticatedIdentity">AnonymousUser</module-option>

                        <module-option name="principalClass">com.ngc.aces.security.providers.authentication.AcesUser</module-option>

                        <module-option name="dsJndiName">acesDS</module-option>

                        <module-option name="providerUrl">localhost:1099</module-option>

                    </login-module>

                    <login-module code="com.ngc.aces.security.providers.authentication.SystemUserDbLoginModuleImpl"

                                  flag="sufficient">

                         <module-option name="unauthenticatedIdentity">AnonymousUser</module-option>

                         <module-option name="principalClass">com.ngc.aces.security.providers.authentication.AcesUser</module-option>

                         <module-option name="dsJndiName">acesDS</module-option>

                         <module-option name="providerUrl">localhost:1099</module-option>

                    </login-module>

                 </authentication>

           </application-policy>

      </policy>

       

      Can anyone help explain why getAppConfigurationEntry() cannot get my security domain "aces', and always defaults to "other"?

       

      Thank you for any comments and suggestions!

       

      Michael Huang

        • 1. Migrating JBoss AS 4.2.1 to 5.1.0 - DynamicLoginConfig
          Michael Huang Newbie

          After reading blogs after blogs on the web, and some trial and error, this issue was resolved. There is nothing wrong with the DynamicLoginConfig per se. The solution is simple:

           

          Change the security domain configuration string from:

          <jboss-app>

             <security-domain>java:jaas/aces</security-domain>

           

          To:

          <jboss-app>

             <security-domain>aces</security-domain>

           

          I don’t know why folks at JBoss made this change. But it is documented well, it definitely helps a lot.

           

          Michael