12 Replies Latest reply on Nov 13, 2011 9:30 AM by jaikiran pai

    JBoss 7: Using encrypted datasource password

    Juergen Zimmermann Master

      In JBoss 6 I'm using an encrypted datasource password specified in a file *-jboss-beans.xml. Now I tried the following in standalone/configuration/standalone.xml of JBoss 7:

      a) Inside the datasource tag:

      <security>
         <security-domain>verschluesseltesDbPassword</security-domain>
      </security>

      b) Inside the security-domains tag:

      <security-domain name="verschluesseltesDbPassword" cache-type="default">
        <authentication>
          <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
            <module-option name="username" value="swe2"/>
            <module-option name="password" value="..."/>
            <module-option name="managedConnectionFactoryName" value="jboss.jca:name=swe2DS,service=LocalTxCM"/>
          </login-module>
        </authentication>
      </security-domain>

      However, I get the following error message when launching the JBoss server. Any hint is appreciated!

      11:03:57,206 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) Exception during createSubject()Unauthenticated caller:null: java.lang.SecurityException: Unauthenticated caller:null
          at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:83)
          at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:979)
          at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:959)
          at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_26]
          at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:958)
          at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:507)
          at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:246)
          at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:241)
          at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:105)
          at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1675)
          at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_26]
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_26]
          at java.lang.Thread.run(Thread.java:662) [:1.6.0_26]

        • 1. Re: JBoss 7: Using encrypted datasource password
          jaikiran pai Master

          This looks like a bug. Can you please file a JIRA for this here https://issues.jboss.org/browse/AS7

          • 3. Re: JBoss 7: Using encrypted datasource password
            Marcus Moyses Novice

            Hi Juergen,

            can you please enable trace level logging for org.jboss.security and paste it here?

            • 4. Re: JBoss 7: Using encrypted datasource password
              Juergen Zimmermann Master

              Here is the stacktrace (meanwhile we changed 2 names, namely swe2DS -> jboss/datasources/SweDS and username swe2 -> swe):

              19:38:46,093 INFO  [org.jboss.as.connector.subsystems.datasources] (Controller Boot Thread) Deploying JDBC-compliant driver class org.h2.Driver (version 1.2)
              19:38:46,103 INFO  [org.jboss.as.connector.subsystems.datasources] (Controller Boot Thread) Deploying non-JDBC-compliant driver class com.mysql.jdbc.Driver (version 5.1)
              19:38:46,111 INFO  [org.jboss.as.connector.subsystems.datasources] (Controller Boot Thread) Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.1)
              19:38:46,122 INFO  [org.jboss.as.clustering.infinispan.subsystem] (Controller Boot Thread) Activating Infinispan subsystem.
              19:38:46,261 INFO  [org.jboss.as.naming] (Controller Boot Thread) Activating Naming Subsystem
              19:38:46,283 INFO  [org.jboss.as.naming] (MSC service thread 1-3) Starting Naming Service
              19:38:46,301 INFO  [org.jboss.as.osgi] (Controller Boot Thread) Activating OSGi Subsystem
              19:38:46,323 INFO  [org.jboss.as.security] (Controller Boot Thread) Activating Security Subsystem
              19:38:46,343 INFO  [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 3.2.0.Beta2
              19:38:46,421 INFO  [org.xnio] (MSC service thread 1-1) XNIO Version 3.0.0.Beta3
              19:38:46,442 INFO  [org.xnio.nio] (MSC service thread 1-1) XNIO NIO Implementation Version 3.0.0.Beta3
              19:38:46,849 INFO  [org.apache.catalina.core.AprLifecycleListener] (MSC service thread 1-3) An older version 1.1.20 of the Apache Tomcat Native library is installed, while Tomcat recommends version greater then 1.1.21
              19:38:46,857 INFO  [org.jboss.as.ee] (Controller Boot Thread) Activating EE subsystem
              19:38:47,071 INFO  [org.jboss.as.jmx.JMXConnectorService] (MSC service thread 1-2) Starting remote JMX connector
              19:38:47,103 INFO  [org.jboss.as.remoting] (MSC service thread 1-1) Listening on /127.0.0.1:9999
              19:38:47,444 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-2) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@1734b48
              19:38:47,445 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-1) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@1249e1a
              19:38:47,445 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-4) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@1495bb8
              19:38:47,492 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-4) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@9ba045
              19:38:47,494 INFO  [org.jboss.as.connector] (MSC service thread 1-4) Starting JCA Subsystem (JBoss IronJacamar 1.0.0.CR2)
              19:38:47,538 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) Bound data source [java:jboss/datasources/ExampleDS]
              19:38:47,539 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) Bound data source [java:jboss/datasources/SwaDS]
              19:38:47,601 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-1) Begin isValid, principal:null, cache entry: null
              19:38:47,601 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-1) defaultLogin, principal=null
              19:38:47,603 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (MSC service thread 1-1) Begin getAppConfigurationEntry(verschluesseltesDbPassword), size=4
              19:38:47,718 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (MSC service thread 1-1) End getAppConfigurationEntry(verschluesseltesDbPassword), authInfo=AppConfigurationEntry[]:
              [0]
              LoginModule Class: org.jboss.resource.security.SecureIdentityLoginModule
              ControlFlag: Anmeldemodul-Steuerflag: required
              Options:
              name=managedConnectionFactoryName, value=jboss.jca:name=jboss/datasources/sweDS,service=LocalTxCM
              name=username, value=swe
              name=password, value=****

              19:38:47,729 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-1) Login failure: javax.security.auth.login.LoginException: Die Anmeldemodulklasse kann nicht gefunden werden: org/jboss/resource/security/SecureIdentityLoginModule
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808) [:1.6.0_26]
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [:1.6.0_26]
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [:1.6.0_26]
              at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_26]
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [:1.6.0_26]
              at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [:1.6.0_26]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:411)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:345)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:154)
              at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:82)
              at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:979)
              at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:959)
              at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_26]
              at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:958)
              at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:507)
              at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:246)
              at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:241)
              at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:105)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1765)
              at org.jboss.msc.service.ServiceControllerImpl$ClearTCCLTask.run(ServiceControllerImpl.java:2291)
              at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [:1.6.0_26]
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [:1.6.0_26]
              at java.lang.Thread.run(Thread.java:662) [:1.6.0_26]
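
The trace in reply 4 shows that the boot-time `Unauthenticated caller:null` error hides the real cause: the login module class configured for the security domain could not be loaded. The following Python triage function is an added example, not part of the thread or of JBoss; it correlates the three log events without depending on the JDK's localized message text. The sample log is constructed from lines quoted above, and the function and variable names are hypothetical.

```python
import re

# Constructed sample, trimmed from the trace quoted in this thread; the final
# ERROR line's timestamp and thread name are made up for the example.
SAMPLE_LOG = """\
19:38:47,718 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (MSC service thread 1-1) End getAppConfigurationEntry(verschluesseltesDbPassword), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.resource.security.SecureIdentityLoginModule
ControlFlag: Anmeldemodul-Steuerflag: required
19:38:47,729 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (MSC service thread 1-1) Login failure: javax.security.auth.login.LoginException: Die Anmeldemodulklasse kann nicht gefunden werden: org/jboss/resource/security/SecureIdentityLoginModule
19:38:47,730 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-1) Exception during createSubject()Unauthenticated caller:null: java.lang.SecurityException: Unauthenticated caller:null
"""

DOMAIN = re.compile(r"End getAppConfigurationEntry\(([^)]+)\)")
MODULE = re.compile(r"^\s*LoginModule Class:\s*(\S+)")
# The JDK message text is localized (German here), so match only the trailing
# class name, which this trace prints with '/' separators.
FAILURE = re.compile(r"Login failure: javax\.security\.auth\.login\.LoginException: "
                     r".*?([\w$]+(?:[./][\w$]+)+)\s*$")
SYMPTOM = "Unauthenticated caller:null"


def triage(log_text):
    """Return one finding per LoginException that names a class.

    Simplification: lines are correlated by order only, not by thread name.
    """
    findings, domain, modules, pending = [], None, [], None
    for line in log_text.splitlines():
        if m := DOMAIN.search(line):
            # Start of a security domain's configuration dump.
            domain, modules = m.group(1), []
        elif m := MODULE.match(line):
            modules.append(m.group(1))
        elif m := FAILURE.search(line):
            cls = m.group(1).replace("/", ".")
            pending = {"domain": domain, "class": cls,
                       # True when the class that failed is the configured one.
                       "unloadable_login_module": cls in modules,
                       "symptom_seen": False}
            findings.append(pending)
        elif SYMPTOM in line and pending:
            pending["symptom_seen"] = True
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
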

              • 5. Re: JBoss 7: Using encrypted datasource password
                Juergen Zimmermann Master

                The missing class org/jboss/resource/security/SecureIdentityLoginModule cannot be found inside the JBossAS 7 distribution (I'm currently using Jenkins build 1402) and at https://repository.jboss.org/nexus/index.html

                • 6. Re: JBoss 7: Using encrypted datasource password
                  Jesper Pedersen Master

                  Marcus, if you change the LoginModule locations we don't use org.jboss.resource anymore for JCA. It is org.jboss.jca now.

                  But I think it would be best to move them to a security specific package name - like say, org.picketbox.loginmodule.

                  • 7. Re: JBoss 7: Using encrypted datasource password
                    Juergen Zimmermann Master

                    SecureIdentityLoginModule is in %JBOSS_HOME%\modules\org\picketbox\main\picketbox-4.0.0.CR1.jar

                    • 8. Re: JBoss 7: Using encrypted datasource password
                      Marcus Moyses Novice

                      Yes, the class is there but there is a classloading issue preventing it from being found. I will fix it for future versions.

                      • 9. Re: JBoss 7: Using encrypted datasource password
                        Michael Echevarria Newbie

                        Just want to add that I too ran into this exact same issue as well. If any of the nightly builds address this issue, I certainly would like to know. Thanks.

                        http://community.jboss.org/message/618489#618489

                        • 10. Re: JBoss 7: Using encrypted datasource password
                          Marcus Moyses Novice

                          I sent a pull request for https://issues.jboss.org/browse/AS7-1072 that should fix this. As soon as it's merged upstream you will be able to do a snapshot build.

                          • 11. Re: JBoss 7: Using encrypted datasource password
                            Red Militante Newbie

                            I'm trying to use encrypted data source passwords and I'm receiving the same

                            Exception during createSubject()Unauthenticated caller:null: java.lang.SecurityException: Unauthenticated caller:null

                            error that the original poster was receiving.

                            I'm running JBoss AS 7.0.0 Final. Should this issue be fixed in my version? Is there any available version that I can use to fix this problem? Thank you!

                            • 12. Re: JBoss 7: Using encrypted datasource password
                              jaikiran pai Master

                              Looking at the commit logs, it didn't make it to 7.0.0. Try this against 7.0.2 which has been released some time back.