11 Replies Latest reply on Jul 24, 2011 3:54 AM by Rich Midwinter

    Authentication issue in AS7

    Rich Midwinter Newbie

      From the trace output it seems as though the DatabaseServerLoginModule is successfully authenticating, but I'm redirected back to the login page and it then indicate that authentication fails.

       

      I suspect that it might be caused by the ClassNotFoundException. Any ideas?

       

      Thanks in advance.

       

      11:05:23,550 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-1) resumeAnyTransaction

      11:05:23,550 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-1) User 'rich' authenticated, loginOk=true

      11:05:23,550 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-1) commit, loginOk=true

      11:05:23,550 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-1) getRoleSets using rolesQuery: SELECT role, 'Roles' FROM role WHERE username=?, username: rich

      11:05:23,551 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Finding class org.jboss.tm.TransactionManagerLocator from Module "deployment.fizio.ear.jsf-web.war:main" from Service Module Loader

      11:05:23,551 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Class org.jboss.tm.TransactionManagerLocator not found from Module "deployment.fizio.ear.jsf-web.war:main" from Service Module Loader

      11:05:23,551 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Finding class org.jboss.modules.ModuleClassLoader from Module "deployment.fizio.ear.jsf-web.war:main" from Service Module Loader

      11:05:23,551 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Class org.jboss.modules.ModuleClassLoader not found from Module "deployment.fizio.ear.jsf-web.war:main" from Service Module Loader

      11:05:23,551 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Finding class org.jboss.modules.ModuleClassLoader from Module "org.jboss.logmanager:main" from local module loader @17386918 (roots: /Users/rich/Documents/jboss-as/build/target/jboss-7.0.0.Beta4-SNAPSHOT/modules)

      11:05:23,551 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Class org.jboss.modules.ModuleClassLoader not found from Module "org.jboss.logmanager:main" from local module loader @17386918 (roots: /Users/rich/Documents/jboss-as/build/target/jboss-7.0.0.Beta4-SNAPSHOT/modules)

      11:05:23,551 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Finding class org.jboss.modules.ConcurrentClassLoader from Module "deployment.fizio.ear.jsf-web.war:main" from Service Module Loader

      11:05:23,551 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Class org.jboss.modules.ConcurrentClassLoader not found from Module "deployment.fizio.ear.jsf-web.war:main" from Service Module Loader

      11:05:23,551 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Finding class org.jboss.modules.ConcurrentClassLoader from Module "org.jboss.logmanager:main" from local module loader @17386918 (roots: /Users/rich/Documents/jboss-as/build/target/jboss-7.0.0.Beta4-SNAPSHOT/modules)

      11:05:23,551 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Class org.jboss.modules.ConcurrentClassLoader not found from Module "org.jboss.logmanager:main" from local module loader @17386918 (roots: /Users/rich/Documents/jboss-as/build/target/jboss-7.0.0.Beta4-SNAPSHOT/modules)

      11:05:23,552 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Finding class org.jboss.security.auth.spi.DbUtil from Module "deployment.fizio.ear.jsf-web.war:main" from Service Module Loader

      11:05:23,552 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Finding local class org.jboss.security.auth.spi.DbUtil from Module "org.picketbox:main" from local module loader @17386918 (roots: /Users/rich/Documents/jboss-as/build/target/jboss-7.0.0.Beta4-SNAPSHOT/modules)

      11:05:23,552 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Found previously loaded class org.jboss.security.auth.spi.DbUtil from Module "org.picketbox:main" from local module loader @17386918 (roots: /Users/rich/Documents/jboss-as/build/target/jboss-7.0.0.Beta4-SNAPSHOT/modules)

      11:05:23,552 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Finding class org.jboss.security.auth.spi.Util from Module "deployment.fizio.ear.jsf-web.war:main" from Service Module Loader

      11:05:23,552 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Finding local class org.jboss.security.auth.spi.Util from Module "org.picketbox:main" from local module loader @17386918 (roots: /Users/rich/Documents/jboss-as/build/target/jboss-7.0.0.Beta4-SNAPSHOT/modules)

      11:05:23,552 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Found previously loaded class org.jboss.security.auth.spi.Util from Module "org.picketbox:main" from local module loader @17386918 (roots: /Users/rich/Documents/jboss-as/build/target/jboss-7.0.0.Beta4-SNAPSHOT/modules)

      11:05:23,552 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Finding class org.jboss.security.auth.spi.AbstractServerLoginModule from Module "deployment.fizio.ear.jsf-web.war:main" from Service Module Loader

      11:05:23,552 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Finding local class org.jboss.security.auth.spi.AbstractServerLoginModule from Module "org.picketbox:main" from local module loader @17386918 (roots: /Users/rich/Documents/jboss-as/build/target/jboss-7.0.0.Beta4-SNAPSHOT/modules)

      11:05:23,552 TRACE [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Found previously loaded class org.jboss.security.auth.spi.AbstractServerLoginModule from Module "org.picketbox:main" from local module loader @17386918 (roots: /Users/rich/Documents/jboss-as/build/target/jboss-7.0.0.Beta4-SNAPSHOT/modules)

      11:05:23,551 TRACE [org.jboss.security.plugins.TransactionManagerLocator] (http-localhost-127.0.0.1-8080-1) Exception in getJBossTM:: java.lang.ClassNotFoundException: org.jboss.tm.TransactionManagerLocator from [Module "deployment.fizio.ear.jsf-web.war:main" from Service Module Loader]

                at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:191)

                at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:358)

                at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:307)

                at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:101)

                at org.jboss.security.plugins.TransactionManagerLocator.getJBossTM(TransactionManagerLocator.java:86) [picketbox-4.0.0.CR1.jar:4.0.0.CR1]

                at org.jboss.security.plugins.TransactionManagerLocator.getTM(TransactionManagerLocator.java:70) [picketbox-4.0.0.CR1.jar:4.0.0.CR1]

                at org.jboss.security.auth.spi.DbUtil.getRoleSets(DbUtil.java:75) [picketbox-4.0.0.CR1.jar:4.0.0.CR1]

                at org.jboss.security.auth.spi.Util.getRoleSets(Util.java:157) [picketbox-4.0.0.CR1.jar:4.0.0.CR1]

                at org.jboss.security.auth.spi.DatabaseServerLoginModule.getRoleSets(DatabaseServerLoginModule.java:264) [picketbox-4.0.0.CR1.jar:4.0.0.CR1]

                at org.jboss.security.auth.spi.AbstractServerLoginModule.commit(AbstractServerLoginModule.java:228) [picketbox-4.0.0.CR1.jar:4.0.0.CR1]

                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_22]

                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_22]

                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_22]

                at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_22]

                at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [:1.6.0_22]

                at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [:1.6.0_22]

                at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [:1.6.0_22]

                at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_22]

                at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [:1.6.0_22]

                at javax.security.auth.login.LoginContext.login(LoginContext.java:580) [:1.6.0_22]

                at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:411) [picketbox-infinispan-4.0.0.CR1.jar:4.0.0.CR1]

                at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.0.CR1.jar:4.0.0.CR1]

                at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:154) [picketbox-infinispan-4.0.0.CR1.jar:4.0.0.CR1]

                at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:127) [jboss-as-web-7.0.0.Beta4-SNAPSHOT.jar:7.0.0.Beta4-SNAPSHOT]

                at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.0.CR4.jar:7.0.0.Beta4-SNAPSHOT]

                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:372) [jbossweb-7.0.0.CR4.jar:7.0.0.Beta4-SNAPSHOT]

                at org.jboss.as.web.NamingValve.invoke(NamingValve.java:57) [jboss-as-web-7.0.0.Beta4-SNAPSHOT.jar:7.0.0.Beta4-SNAPSHOT]

                at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:49) [jboss-as-jpa-7.0.0.Beta4-SNAPSHOT.jar:7.0.0.Beta4-SNAPSHOT]

                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:154) [jbossweb-7.0.0.CR4.jar:7.0.0.Beta4-SNAPSHOT]

                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.0.CR4.jar:7.0.0.Beta4-SNAPSHOT]

                          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.0.CR4.jar:7.0.0.Beta4-SNAPSHOT]

                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [jbossweb-7.0.0.CR4.jar:7.0.0.Beta4-SNAPSHOT]

                at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.0.CR4.jar:7.0.0.Beta4-SNAPSHOT]

                at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:667) [jbossweb-7.0.0.CR4.jar:7.0.0.Beta4-SNAPSHOT]

                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [jbossweb-7.0.0.CR4.jar:7.0.0.Beta4-SNAPSHOT]

                at java.lang.Thread.run(Thread.java:680) [:1.6.0_22]

       

      11:05:23,554 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-1) suspendAnyTransaction

      11:05:23,554 TRACE [org.jboss.jca.core.connectionmanager.TxConnectionManager] (http-localhost-127.0.0.1-8080-1) Subject: null

      11:05:23,554 TRACE [org.jboss.jca.core.connectionmanager.TxConnectionManager] (http-localhost-127.0.0.1-8080-1) getManagedConnection interleaving=false , tx=null

      11:05:23,555 TRACE [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (http-localhost-127.0.0.1-8080-1) supplying ManagedConnection from pool: org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@2f057e4f[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@11a78ca7 connection handles=0 lastUse=1308996323550 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@41556f4c pool internal context=org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool@f0330ff xaResource=org.jboss.jca.core.tx.jbossts.LocalXAResourceImpl@1a85bd0c txSync=null]

      11:05:23,555 TRACE [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (http-localhost-127.0.0.1-8080-1) Got connection from pool: org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@2f057e4f[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@11a78ca7 connection handles=0 lastUse=1308996323550 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@41556f4c pool internal context=org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool@f0330ff xaResource=org.jboss.jca.core.tx.jbossts.LocalXAResourceImpl@1a85bd0c txSync=null]

      11:05:23,555 TRACE [org.jboss.jca.core.connectionmanager.listener.TxConnectionListener] (http-localhost-127.0.0.1-8080-1) No transaction, no need to enlist: org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@2f057e4f[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@11a78ca7 connection handles=0 lastUse=1308996323550 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@41556f4c pool internal context=org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool@f0330ff xaResource=org.jboss.jca.core.tx.jbossts.LocalXAResourceImpl@1a85bd0c txSync=null]

      11:05:23,555 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-1) Excuting query: SELECT role, 'Roles' FROM role WHERE username=?, with username: rich

      11:05:23,556 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-1) Assign user to role admin

      11:05:23,556 TRACE [org.jboss.jca.core.connectionmanager.listener.TxConnectionListener] (http-localhost-127.0.0.1-8080-1) connectionClosed called mc=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@11a78ca7

      11:05:23,556 TRACE [org.jboss.jca.core.connectionmanager.listener.TxConnectionListener] (http-localhost-127.0.0.1-8080-1) unregisterConnection: 0 handles left

      11:05:23,557 TRACE [org.jboss.jca.core.connectionmanager.listener.TxConnectionListener] (http-localhost-127.0.0.1-8080-1) delisting org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@2f057e4f[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@11a78ca7 connection handles=0 lastUse=1308996323550 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@41556f4c pool internal context=org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool@f0330ff xaResource=org.jboss.jca.core.tx.jbossts.LocalXAResourceImpl@1a85bd0c txSync=null]

      11:05:23,557 TRACE [org.jboss.jca.core.connectionmanager.listener.TxConnectionListener] (http-localhost-127.0.0.1-8080-1) isManagedConnectionFree=true mc=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@11a78ca7

      11:05:23,557 TRACE [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (http-localhost-127.0.0.1-8080-1) putting ManagedConnection back into pool kill=false cl=org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@2f057e4f[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@11a78ca7 connection handles=0 lastUse=1308996323550 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@41556f4c pool internal context=org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool@f0330ff xaResource=org.jboss.jca.core.tx.jbossts.LocalXAResourceImpl@1a85bd0c txSync=null]

      11:05:23,557 TRACE [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (http-localhost-127.0.0.1-8080-1) Returning connection to pool org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@2f057e4f[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@11a78ca7 connection handles=0 lastUse=1308996323557 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@41556f4c pool internal context=org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool@f0330ff xaResource=org.jboss.jca.core.tx.jbossts.LocalXAResourceImpl@1a85bd0c txSync=null]

      11:05:23,557 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-1) resumeAnyTransaction

      11:05:23,557 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-localhost-127.0.0.1-8080-1) defaultLogin, lc=javax.security.auth.login.LoginContext@9cb9124, subject=Subject(329635714).principals=org.jboss.security.SimplePrincipal@398892923(rich)org.jboss.security.SimpleGroup@1896894574(CallerPrincipal(members:rich))org.jboss.security.SimpleGroup@1896894574(Roles(members:admin))

      11:05:23,557 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-localhost-127.0.0.1-8080-1) updateCache, inputSubject=Subject(329635714).principals=org.jboss.security.SimplePrincipal@398892923(rich)org.jboss.security.SimpleGroup@1896894574(CallerPrincipal(members:rich))org.jboss.security.SimpleGroup@1896894574(Roles(members:admin)), cacheSubject=Subject(1827119585).principals=org.jboss.security.SimplePrincipal@398892923(rich)org.jboss.security.SimpleGroup@1896894574(CallerPrincipal(members:rich))org.jboss.security.SimpleGroup@1896894574(Roles(members:admin))

      11:05:23,558 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-localhost-127.0.0.1-8080-1) Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@5b34f2a2

      11:05:23,558 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-localhost-127.0.0.1-8080-1) End isValid, true

      11:05:23,560 TRACE [org.jboss.as.web.security.JBossWebRealm] (http-localhost-127.0.0.1-8080-1) User: rich is authenticated

      11:05:23,560 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-localhost-127.0.0.1-8080-1) Authentication of 'rich' was successful

      11:05:23,560 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-localhost-127.0.0.1-8080-1) Redirecting to original '/jsf-web/'

      11:05:23,560 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost-127.0.0.1-8080-1)  Failed authenticate() test ??/jsf-web/j_security_check

        • 1. Re: Authentication issue in AS7
          Anil Saldanha Master

          Rich,  we need to take a look at this.  The DB login module can utilize a transaction manager from the app server. We need to evaluate the proper TM semantics for AS7. Let me get back to you.

          • 3. Re: Authentication issue in AS7
            jaikiran pai Master

            Looking at the code, the exception is logged at TRACE level and the correct transaction manager seems to be used. What does your web.xml security configurations look like and what URL are you accessing?

            • 4. Re: Authentication issue in AS7
              Rich Midwinter Newbie

              It happens when submitting my login form at http://localhost:8080/jsf-web/

               

              relevant web.xml sections contain:

               

                <security-constraint>
                <web-resource-collection>
                <web-resource-name>fizio</web-resource-name>
                <url-pattern>/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
                </web-resource-collection>
                <auth-constraint>
                <role-name>*</role-name>
                </auth-constraint>
              
              <!--                    <user-data-constraint>-->
              <!--                              <transport-guarantee>CONFIDENTIAL</transport-guarantee>-->
              <!--                    </user-data-constraint>-->
                </security-constraint>
              
                <security-constraint>
                <web-resource-collection>
                <web-resource-name>Unprotected area</web-resource-name>
                <url-pattern>/resources/*</url-pattern>
                </web-resource-collection>
                </security-constraint>
              
                <login-config>
                <auth-method>FORM</auth-method>
                <realm-name>fizio</realm-name>
                <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/login.jsp</form-error-page>
                </form-login-config>
                </login-config>
              

               

              And while I'm at it, jboss-web.xml:

               

              <?xml version="1.0" encoding="UTF-8"?>
              <jboss-web>
                <security-domain>java:/jaas/fizio</security-domain>
                <context-root>/jsf-web</context-root>
              </jboss-web>
              

               

              And the security domain from standalone/configuration/standalone.xml:

               

              <security-domain name="fizio" cache-type="default">
                  <authentication>
                      <login-module code="Database" flag="required">
                          <module-option name="dsJndiName" value="FizioDS"/>
                          <module-option name="principalsQuery" value="SELECT password FROM physio WHERE username=?"/>
                          <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM role WHERE username=?"/>
                       </login-module>
                  </authentication>
              </security-domain>
              

               

              Thanks.

              • 5. Re: Authentication issue in AS7
                kiavash shidani Newbie

                I have almost same configuration and in my case after entering correct username and password I get "The connection was reset" in Firefox after some seconds and "HTTP Status 408 - The time allowed for the login process has been exceeded." in IE 9 but the Google Chrome works fine and I could login!!!

                Is it something about cookies?

                • 6. Re: Authentication issue in AS7
                  jaikiran pai Master

                  kiavash shidani wrote:

                   

                  I have almost same configuration and in my case after entering correct username and password I get "The connection was reset" in Firefox after some seconds and "HTTP Status 408 - The time allowed for the login process has been exceeded." in IE 9 but the Google Chrome works fine and I could login!!!

                  Is it something about cookies?

                  Known bug http://community.jboss.org/thread/169582?tstart=0

                  • 8. Re: Authentication issue in AS7
                    Anil Saldanha Master

                    I checked with Marcus who handled the AS7 security integration and he said the DBLM is not the issue here.  Jaikiran, any other ideas looking at his setup?

                    • 10. Re: Authentication issue in AS7
                      jaikiran pai Master

                      Turns out this is case of the allowed role-name that you have configured in your security-constraint of web.xml:

                       

                       

                      Rich Midwinter wrote:

                       

                       

                        
                        <auth-constraint>
                        <role-name>*</role-name>
                        </auth-constraint>
                      

                      The role-name "*" is handled differently. Currently AS7 is configured for "strict" servlet spec compliance unlike previous version(s) of AS which were configured to "authOnly":

                       

                      <Engine name="jboss.web" defaultHost="localhost">
                      
                               <!-- The JAAS based authentication and authorization realm implementation
                               that is compatible with the jboss 3.2.x realm implementation.
                               - certificatePrincipal : the class name of the
                               org.jboss.security.auth.certs.CertificatePrincipal impl
                               used for mapping X509[] cert chains to a Princpal.
                               - allRolesMode : how to handle an auth-constraint with a role-name=*,
                               one of strict, authOnly, strictAuthOnly
                                 + strict = Use the strict servlet spec interpretation which requires
                                 that the user have one of the web-app/security-role/role-name
                                 + authOnly = Allow any authenticated user
                                 + strictAuthOnly = Allow any authenticated user only if there are no
                                 web-app/security-roles
                               -->
                               <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
                                  certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
                                  allRolesMode="authOnly"
                                  />
                      

                       

                       

                      In a strict servlet compliance mode, if you are using role-name = * in the security-constraint, you should also have the security-role (s) declared within the web-app. So effectively * == all roles in the security-role element of the web-app. So if the authenticated user has those set of rules, then he/she's allowed access. So to get this working, just add the set of security-roles applicable in your application. Here's an example:

                      <security-constraint>
                        <web-resource-collection>
                        <web-resource-name>fizio</web-resource-name>
                        <url-pattern>/*</url-pattern>
                        <http-method>GET</http-method>
                        <http-method>POST</http-method>
                        </web-resource-collection>
                        <auth-constraint>
                        <role-name>*</role-name>
                        </auth-constraint>
                      
                      <!--                    <user-data-constraint>-->
                      <!--                              <transport-guarantee>CONFIDENTIAL</transport-guarantee>-->
                      <!--                    </user-data-constraint>-->
                        </security-constraint>
                      
                        <security-constraint>
                        <web-resource-collection>
                        <web-resource-name>Unprotected area</web-resource-name>
                        <url-pattern>/resources/*</url-pattern>
                        </web-resource-collection>
                        </security-constraint>
                      
                        <login-config>
                        <auth-method>FORM</auth-method>
                        <realm-name>fizio</realm-name>
                        <form-login-config>
                        <form-login-page>/login.jsp</form-login-page>
                        <form-error-page>/login.jsp</form-error-page>
                        </form-login-config>
                        </login-config>
                      
                         <!-- Security roles applicable to this application -->
                        
                      <security-role>
                            <role-name>admin</role-name>
                         </security-role>
                         <security-role>
                            <role-name>normal</role-name>
                         </security-role>
                      

                       

                       

                      As for whether you'll be allowed to configure the allRolesMode (that's what it's called) in AS7, like the previous versions, someone from the AS web team would know.

                      • 11. Re: Authentication issue in AS7
                        Rich Midwinter Newbie

                        Spot on! Much appreciated.

                         

                        Thanks.