2 Replies Latest reply on Oct 12, 2011 6:30 PM by Brian Richardson

    Yet another JBoss 5.1/EJB3 security question

    Brian Richardson Newbie

      I've been all over the web looking for an answer to this question. JBoss 5.1 seems to be outright ignoring the application policy I have defined in login-config.xml. The EJB is secured correctly, but it is using the wrong login mechanism.

       

      login-config.xml:

       

      <application-policy name="mine">

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">

            <module-option name="dsJndiName">java:/MyDS</module-option>

            <module-option name="principalsQuery">

              SELECT passwordHash FROM account WHERE email = ?

            </module-option>

            <module-option name="rolesQuery">

              SELECT roleName, 'Roles' FROM account_roles WHERE email = ?

            </module-option>

            <module-option name="hashAlgorithm">MD5</module-option>

            <module-option name="hashEncoding">BASE64</module-option>

            <module-option name="unauthenticatedIdentity">guest</module-option>

      </login-module>

      </application-policy>

       

      The associated EJB Session bean:

       

      import org.jboss.ejb3.annotations.SecurityDomain; // yes, I am using the correct annotation

       

      @Stateless

      @RemoteBinding(jndiName="mine/AccountHome/remote")

      @SecurityDomain("mine")

      @DeclareRoles({"admin", "member"})

      @RolesAllowed({"admin"})

      public class AccountHome implements AccountHomeRemote {

           ...

           @PermitAll

           public boolean changePassword(Account a, String oldPass, String newPass)  {

                ...

           }

      }

       

      However, when I try to deploy the EAR containing this EJB JAR, I get the following exception:

       

      ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files

      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found

                at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)

                at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)

                at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)

                at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)

                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

                at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

                at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

                at java.lang.reflect.Method.invoke(Unknown Source)

                at javax.security.auth.login.LoginContext.invoke(Unknown Source)

      ...

       

      Why is JBoss trying to load the UserRolesLoginModule when I have specifically stated that I want to use DatabaseServerLoginModule?

        • 1. Re: Yet another JBoss 5.1/EJB3 security question
          Brian Richardson Newbie

          OK, /facepalm for disabling HsqlDbRealm in login-config.xml

           

          Enabling TRACE logging reveals the following:

           

          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.PolicyConfig, localName: application-policy

          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.PolicyConfig, AuthenticationInfo: mine

          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: login-module

          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: module-option

          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: module-option

          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: module-option

          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: module-option

          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: module-option

          2011-10-12 15:42:51,474 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) newChild.ApplicationPolicy, localName: module-option

          2011-10-12 15:42:51,475 TRACE [org.jboss.security.auth.login.LoginConfigObjectModelFactory] (main) Added ApplicationPolicy to PolicyConfig, name: mine

           

          But when connecting from an EJB application client using SecurityClient.setJAAS, the following problem occurs:

           

          2011-10-12 15:46:15,394 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.mine] (WorkerThread#0[127.0.0.1:58448]) Begin isValid, principal:me@my.ca, cache info: null

          2011-10-12 15:46:15,394 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.mine] (WorkerThread#0[127.0.0.1:58448]) defaultLogin, principal=me@my.ca

          2011-10-12 15:46:15,394 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (WorkerThread#0[127.0.0.1:58448]) Begin getAppConfigurationEntry(mine), size=12

          2011-10-12 15:46:15,394 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (WorkerThread#0[127.0.0.1:58448]) getAppConfigurationEntry(mine), no entry in appConfigs, tyring parentCont: null

          2011-10-12 15:46:15,394 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (WorkerThread#0[127.0.0.1:58448]) getAppConfigurationEntry(mine), no entry in parentConfig, trying: other

          2011-10-12 15:46:15,394 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (WorkerThread#0[127.0.0.1:58448]) End getAppConfigurationEntry(mine), authInfo=AppConfigurationEntry[]:

          [0]

           

          So, because JBoss can't find the application policy, it is trying "other", which explains the previous post's exception. However, it appears that the login-config.xml was correctly parsed on startup, and did in fact create a policy called "mine". So, what am I missing?

          • 2. Re: Yet another JBoss 5.1/EJB3 security question
            Brian Richardson Newbie

            And /facepalm again. The login-module stuff is supposed to be between <authentication> tags. Oops.