5 Replies Latest reply on Apr 19, 2012 10:47 PM by Maurício Martins

    JAAS Database on Jboss AS 7.1.1.Final

    Maurício Martins Newbie

      Hello, I have this configuration:

       

      standalone.xml:

       

      <subsystem xmlns="urn:jboss:domain:security:1.1">
                <security-domains>
                      <security-domain name="MaterialWeb">
                          <authentication>
                              <login-module code="Database" flag="required">
                                  <module-option name="dsJndiName" value="java:jboss/datasources/OracleFloripaMaterialWeb"/>
                                  <module-option name="principalsQuery" value="SELECT upper(CA.PKG_ACESSO.F_DECRIPTA(U.PWD)) FROM CA.USUARIO U WHERE U.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?)"/>
                                  <module-option name="rolesQuery" value="SELECT TA.SIGLA_TAREFA, 'Roles' FROM CA.TAREFA TA, CA.USUARIO US, CA.A_USUARIO_CLASSE_ACESSO UCA, 
                                                                                                 CA.A_CLASSE_ACESSO_TAREFA CAT WHERE US.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?) AND 
                                                                                                 UCA.IDN_USUARIO = US.ID_USUARIO AND UCA.IDN_CLASSE_ACESSO = CAT.IDN_CLASSE_ACESSO AND TA.ID_TAREFA = CAT.IDN_TAREFA"/>
                              </login-module>
                          </authentication>
                      </security-domain>
             </security-domains>
      </subsystem>
      

       

      jboss-web.xml:

       

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
          <security-domain>java:/jaas/MaterialWeb</security-domain>   
      </jboss-web>
      

       

       

      web.xml:

       

      <security-constraint>
            <web-resource-collection>
                <web-resource-name>Url de autenticacao</web-resource-name>
                <url-pattern>/material.html</url-pattern>
           </web-resource-collection>
           <auth-constraint>
                <role-name>*</role-name>
           </auth-constraint>
           <user-data-constraint>
                <transport-guarantee>NONE</transport-guarantee>
           </user-data-constraint>
      </security-constraint>
      <login-config>
           <auth-method>FORM</auth-method>
           <form-login-config>
                <form-login-page>/Login.html</form-login-page>
                <form-error-page>/index.jsp</form-error-page>
           </form-login-config>
      </login-config>
      

       

and when I try to log in, it shows the message: HTTP Status 403 - Access to the requested resource has been denied

User and password are correct. I tested both queries (principalsQuery, rolesQuery) and they work. Both queries show the correct result for my user in a PL/SQL program.

       

If I change standalone.xml to:

       

<subsystem xmlns="urn:jboss:domain:security:1.1">
          <security-domains>
                <security-domain name="MaterialWeb" cache-type="default">
                    <authentication>
                        <login-module code="Database" flag="required">
                            <module-option name="dsJndiName" value="java:jboss/datasources/OracleFloripaMaterialWeb"/>
                            <module-option name="principalsQuery" value="SELECT upper(CA.PKG_ACESSO.F_DECRIPTA(U.PWD)) FROM CA.USUARIO U WHERE U.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?)"/>
                            <module-option name="rolesQuery" value="SELECT TA.SIGLA_TAREFA, 'Roles' FROM CA.TAREFA TA, CA.USUARIO US, CA.A_USUARIO_CLASSE_ACESSO UCA,
                                                                    CA.A_CLASSE_ACESSO_TAREFA CAT WHERE US.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?) AND
                                                                    UCA.IDN_USUARIO = US.ID_USUARIO AND UCA.IDN_CLASSE_ACESSO = CAT.IDN_CLASSE_ACESSO AND TA.ID_TAREFA = CAT.IDN_TAREFA"/>
                            <module-option name="hashAlgorithm" value="SHA-256"/>
                            <module-option name="hashEncoding" value="base64"/>
                        </login-module>
                    </authentication>
                </security-domain>
          </security-domains>
</subsystem>

       

JBoss redirects to the page index.jsp configured in web.xml:

           <form-error-page>/index.jsp</form-error-page>

       

This application works on JBoss 5.1, but when I migrated to JBoss 7.1 it didn't work.

Can anyone help me?

        • 1. Re: JAAS Database on Jboss AS 7.1.1.Final
          Wolfgang Knauf Master

          Hi,

           

For previous JBoss versions I would have suggested activating logging of the security layer as described here: https://community.jboss.org/wiki/SecurityFAQ (question 4). But I did not test whether this guide is still valid for AS7. Could you give it a try? If it works, you should see e.g. security errors. Maybe there is something wrong with your config.

          If you succeed in activating the logging, you might update the wiki - probably it needs updates for AS7.

           

As far as I remember, in "jboss-web.xml" you don't need the "java:/jaas/" prefix; the name of the security domain should be enough.

           

          Hope this helps

           

          Wolfgang
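The SecurityFAQ recipe referred to above predates AS7. The AS 7.1 way to get the same trace output is to raise the level of the relevant logger categories in the logging subsystem of standalone.xml; this is an added example, not part of the thread, and it assumes the default console handler name CONSOLE from the shipped standalone.xml. The categories chosen are the ones that actually emit the authentication and authorization decisions (org.jboss.security for the login modules, org.jboss.as.web.security for the web integration, org.apache.catalina for the FORM authenticator and realm checks):

```xml
<subsystem xmlns="urn:jboss:domain:logging:1.1">
    <!-- the handler level must be lowered too, otherwise TRACE records are dropped -->
    <console-handler name="CONSOLE">
        <level name="TRACE"/>
        <formatter>
            <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
        </formatter>
    </console-handler>
    <!-- other handlers (periodic-rotating-file-handler FILE, ...) unchanged and omitted here -->
    <logger category="org.jboss.security">
        <level name="TRACE"/>
    </logger>
    <logger category="org.jboss.as.web.security">
        <level name="TRACE"/>
    </logger>
    <logger category="org.apache.catalina">
        <level name="DEBUG"/>
    </logger>
    <root-logger>
        <level name="INFO"/>
        <handlers>
            <handler name="CONSOLE"/>
        </handlers>
    </root-logger>
</subsystem>
```

The same change can be made on a running server with jboss-cli, e.g. `/subsystem=logging/logger=org.jboss.security:add(level=TRACE)` and `/subsystem=logging/console-handler=CONSOLE:write-attribute(name=level,value=TRACE)`. Switch the levels back afterwards: at TRACE the security layer logs user names, the SQL of both queries and every role assignment, which you do not want in a production log.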

          • 2. Re: JAAS Database on Jboss AS 7.1.1.Final
            Maurício Martins Newbie

            Hi Wolfgang,

             

I activated logging and it shows the messages below, but as I understand it the login works normally in the application, and when it redirects to the original path (page: /material.html) it doesn't work.

             

             

            16:05:48,740 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Begin invoke, caller=null
            16:05:48,742 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request POST /material/j_security_check
            16:05:48,744 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Authenticating username 'ATIMO'
            16:05:48,746 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Begin isValid, principal:ATIMO, cache entry: null
            16:05:48,749 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, principal=ATIMO
            16:05:48,751 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) Begin getAppConfigurationEntry(MaterialWeb), size=4
            16:05:48,759 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) End getAppConfigurationEntry(MaterialWeb), authInfo=AppConfigurationEntry[]:
            [0]
            LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
            ControlFlag: LoginModuleControlFlag: required
            Options:
            name=principalsQuery, value=SELECT upper(CA.PKG_ACESSO.F_DECRIPTA(U.PWD)) FROM CA.USUARIO U WHERE U.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?)
            name=dsJndiName, value=java:jboss/datasources/OracleFloripaMaterialWeb
            name=rolesQuery, value=SELECT TA.SIGLA_TAREFA, 'Roles' FROM CA.TAREFA TA, CA.USUARIO US, CA.A_USUARIO_CLASSE_ACESSO UCA, CA.A_CLASSE_ACESSO_TAREFA CAT WHERE US.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?) AND UCA.IDN_USUARIO = US.ID_USUARIO AND UCA.IDN_CLASSE_ACESSO = CAT.IDN_CLASSE_ACESSO AND TA.ID_TAREFA = CAT.IDN_TAREFA
            
            16:05:48,775 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) initialize
            16:05:48,777 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Security domain: MaterialWeb
            16:05:48,778 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) DatabaseServerLoginModule, dsJndiName=java:jboss/datasources/OracleFloripaMaterialWeb
            16:05:48,781 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) principalsQuery=SELECT upper(CA.PKG_ACESSO.F_DECRIPTA(U.PWD)) FROM CA.USUARIO U WHERE U.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?)
            16:05:48,783 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) rolesQuery=SELECT TA.SIGLA_TAREFA, 'Roles' FROM CA.TAREFA TA, CA.USUARIO US, CA.A_USUARIO_CLASSE_ACESSO UCA, CA.A_CLASSE_ACESSO_TAREFA CAT WHERE US.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?) AND UCA.IDN_USUARIO = US.ID_USUARIO AND UCA.IDN_CLASSE_ACESSO = CAT.IDN_CLASSE_ACESSO AND TA.ID_TAREFA = CAT.IDN_TAREFA
            16:05:48,788 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) suspendResume=true
            16:05:48,790 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) login
            16:05:48,792 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) suspendAnyTransaction
            16:05:48,795 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Excuting query: SELECT upper(CA.PKG_ACESSO.F_DECRIPTA(U.PWD)) FROM CA.USUARIO U WHERE U.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?), with username: ATIMO
            16:05:48,800 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Obtained user password
            16:05:48,801 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) resumeAnyTransaction
            16:05:48,803 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) User 'ATIMO' authenticated, loginOk=true
            16:05:48,805 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) commit, loginOk=true
            16:05:48,808 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) getRoleSets using rolesQuery: SELECT TA.SIGLA_TAREFA, 'Roles' FROM CA.TAREFA TA, CA.USUARIO US, CA.A_USUARIO_CLASSE_ACESSO UCA, CA.A_CLASSE_ACESSO_TAREFA CAT WHERE US.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?) AND UCA.IDN_USUARIO = US.ID_USUARIO AND UCA.IDN_CLASSE_ACESSO = CAT.IDN_CLASSE_ACESSO AND TA.ID_TAREFA = CAT.IDN_TAREFA, username: ATIMO
            16:05:48,816 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) suspendAnyTransaction
            16:05:48,818 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Excuting query: SELECT TA.SIGLA_TAREFA, 'Roles' FROM CA.TAREFA TA, CA.USUARIO US, CA.A_USUARIO_CLASSE_ACESSO UCA, CA.A_CLASSE_ACESSO_TAREFA CAT WHERE US.LOGIN_USUARIO = CA.PKG_ACESSO.F_ENCRIPTA(?) AND UCA.IDN_USUARIO = US.ID_USUARIO AND UCA.IDN_CLASSE_ACESSO = CAT.IDN_CLASSE_ACESSO AND TA.ID_TAREFA = CAT.IDN_TAREFA, with username: ATIMO
            16:05:48,836 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Assign user to role MAT_CAD_CONVEN
            16:05:48,838 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) resumeAnyTransaction
            16:05:48,841 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, lc=javax.security.auth.login.LoginContext@c68de1, subject=Subject(167926).principals=org.jboss.security.SimplePrincipal@17630026(ATIMO)org.jboss.security.SimpleGroup@16568366(CallerPrincipal(members:ATIMO))org.jboss.security.SimpleGroup@16568366(Roles(members:MAT_CAD_CONVEN))
            16:05:48,846 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) End isValid, true
            16:05:48,848 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) User: ATIMO is authenticated
            16:05:48,853 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Authentication of 'ATIMO' was successful
            16:05:48,855 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Redirecting to original '/material/material.html'
            16:05:48,857 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Failed authenticate() test ??/material/j_security_check
            16:05:48,859 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) End invoke, caller=null
            16:05:48,860 TRACE [org.jboss.security.SecurityRolesAssociation] (http--127.0.0.1-8080-1) Setting threadlocal:null
            16:05:48,874 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Begin invoke, caller=null
            16:05:48,875 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Restoring principal info from cache
            16:05:48,877 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /material/material.html
            16:05:48,879 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[Url de autenticacao]' against GET /material.html --> true
            16:05:48,881 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling hasUserDataPermission()
            16:05:48,882 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   User data constraint has no restrictions
            16:05:48,884 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling authenticate()
            16:05:48,885 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Restore request from session '1PftschzfSk1mqgGkARkCeZD.undefined'
            16:05:48,887 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Authenticated 'ATIMO' with type 'FORM'
            16:05:48,889 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Proceed to restored request
            16:05:48,890 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling accessControl()
            16:05:48,892 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking roles GenericPrincipal[ATIMO(MAT_CAD_CONVEN,)]
            16:05:48,894 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) hasResourcePermission:RealmBase says:false::Authz framework says:true:final=false
            16:05:48,895 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Failed accessControl() test
            16:05:48,897 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) End invoke, caller=null
            16:05:48,898 TRACE [org.jboss.security.SecurityRolesAssociation] (http--127.0.0.1-8080-1) Setting threadlocal:null
            16:05:48,913 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Begin invoke, caller=null
            16:05:48,915 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) Restoring principal info from cache
            16:05:48,916 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /material/material.html
            16:05:48,918 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) We have cached auth type FORM for principal GenericPrincipal[ATIMO(MAT_CAD_CONVEN,)]
            16:05:48,920 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[Url de autenticacao]' against GET /material.html --> true
            16:05:48,922 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling hasUserDataPermission()
            16:05:48,924 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   User data constraint has no restrictions
            16:05:48,925 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling authenticate()
            16:05:48,927 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Already authenticated 'ATIMO'
            16:05:48,928 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling accessControl()
            16:05:48,930 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking roles GenericPrincipal[ATIMO(MAT_CAD_CONVEN,)]
            16:05:48,931 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) hasResourcePermission:RealmBase says:false::Authz framework says:true:final=false
            16:05:48,933 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Failed accessControl() test
            16:05:48,935 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-1) End invoke, caller=null
            16:05:48,936 TRACE [org.jboss.security.SecurityRolesAssociation] (http--127.0.0.1-8080-1) Setting threadlocal:null
            16:09:26,828 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1334862566828 sessioncount 0
            16:09:26,831 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 3 expired sessions: 0
            16:09:26,833 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1334862566833 sessioncount 1
            16:09:26,835 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 2 expired sessions: 0
            16:10:26,844 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1334862626844 sessioncount 0
            16:10:26,846 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 2 expired sessions: 0
            16:10:26,848 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1334862626848 sessioncount 1
            16:10:26,851 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 3 expired sessions: 0
            16:11:26,859 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1334862686859 sessioncount 0
            16:11:26,861 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 2 expired sessions: 0
            16:11:26,863 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1334862686863 sessioncount 1
            16:11:26,865 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 2 expired sessions: 0
            

             

Regards,

             

            Maurício

            • 3. Re: JAAS Database on Jboss AS 7.1.1.Final
              Wolfgang Knauf Master

              That's strange, because the JBoss authentication seems to have worked, but nevertheless the web layer does not allow access.

               

As I haven't tested security in AS7, this is new to me, too.

               

              But two ideas:

              1) https://community.jboss.org/wiki/JBossAS7SecurityAuditing has a war file attached. Here, "web.xml" contains an element "realm-name" in the "login-config" element. Maybe this is required now. But I did not find any hints on whether this Realm name is used in any other place. Maybe it just has to be present.


              2) https://community.jboss.org/wiki/JBossAS7SecurityDomainModel links to https://community.jboss.org/wiki/PrimerOnWebSecurityInJBossAS , and here I find this:

               

              {quote}

              In JBoss AS 7.1 and beyond, for the web authorization, the JBoss Authorization Modules are not called until you specify the <use-jboss-authorization/> flag in jboss-web.xml

              {quote}

               

              So, maybe you should try this flag.

               

But according to the code for "JBossWebRealm.hasResourcePermission" at https://github.com/jbossas/jboss-as/blob/master/web/src/main/java/org/jboss/as/web/security/JBossWebRealm.java it seems to do MORE security checks if this flag is set. So it should work even less with this flag ;-)

               

              Best regards

               

              Wolfgang

              • 5. Re: JAAS Database on Jboss AS 7.1.1.Final
                Maurício Martins Newbie

Hi Stephen, your link solved my problem.

                 

But to complement: if you wish to keep "*" in your web.xml, add <security-role><role-name>*</role-name></security-role> after </login-config>.

                 

                Thanks so much Stephen and Wolfgang.

                 

Regards,

                 

                Maurício

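The trace in reply 2 shows why the 403 appears: authentication succeeds ("User 'ATIMO' authenticated", role MAT_CAD_CONVEN assigned) but the web layer's accessControl() fails ("RealmBase says:false"). The Servlet specification defines `*` in an `<auth-constraint>` as a shorthand for all roles declared in the deployment descriptor with `<security-role>`; the posted web.xml declares none, so `*` expands to the empty set and no principal can satisfy the constraint. The fix in reply 5 works because it makes that declared set non-empty. The following lint, an added example that is not code from the thread or from JBoss, encodes that rule and also flags the other weakness visible in the posted descriptor, a FORM login whose protected resource has `<transport-guarantee>NONE</transport-guarantee>`. The two sample descriptors are constructed from the fragments posted above, wrapped in a `<web-app>` root:

```python
# Added example: lint a Servlet web.xml for the problems visible in this thread.
# Not code from the thread or from JBoss; the sample descriptors below are
# constructed from the posted fragments.
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def _named(elem, name):
    """All descendants of elem (elem included) whose local tag name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def _first_text(elem, name):
    for e in _named(elem, name):
        return (e.text or "").strip()
    return None


def lint_web_xml(xml_text):
    """Return a list of (code, url_patterns, message) findings."""
    root = ET.fromstring(xml_text)
    findings = []

    # Roles the descriptor declares. Per the Servlet spec, "*" inside an
    # <auth-constraint> expands to exactly this set.
    declared = set()
    for sr in _named(root, "security-role"):
        name = _first_text(sr, "role-name")
        if name:
            declared.add(name)

    auth_method = None
    for lc in _named(root, "login-config"):
        auth_method = _first_text(lc, "auth-method")

    for sc in _named(root, "security-constraint"):
        patterns = [(e.text or "").strip() for e in _named(sc, "url-pattern")]

        for ac in _named(sc, "auth-constraint"):
            requested = {(e.text or "").strip() for e in _named(ac, "role-name")}
            effective = set()
            for role in requested:
                if role == "*":
                    effective |= declared
                else:
                    effective.add(role)
                    if role not in declared:
                        findings.append(("UNDECLARED_ROLE", patterns,
                                         f"role {role!r} is not declared in a <security-role>"))
            if requested and not effective:
                findings.append(("EMPTY_ROLE_SET", patterns,
                                 "auth-constraint uses '*' but no <security-role> is declared; "
                                 "every authenticated user is denied (HTTP 403)"))

        guarantee = None
        for udc in _named(sc, "user-data-constraint"):
            guarantee = _first_text(udc, "transport-guarantee")
        if auth_method == "FORM" and guarantee in (None, "NONE"):
            findings.append(("CLEARTEXT_FORM_LOGIN", patterns,
                             "FORM login without CONFIDENTIAL transport-guarantee: "
                             "j_username/j_password are posted in clear text"))
    return findings


def finding_codes(xml_text):
    """Just the finding codes, convenient for a yes/no check."""
    return {code for code, _, _ in lint_web_xml(xml_text)}


# Constructed sample: the web.xml from the question (no <security-role> declared).
BROKEN_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Url de autenticacao</web-resource-name>
      <url-pattern>/material.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Login.html</form-login-page>
      <form-error-page>/index.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""

# Constructed sample: the same descriptor with the <security-role> from reply 5.
FIXED_WEB_XML = BROKEN_WEB_XML.replace(
    "</login-config>",
    "</login-config>\n  <security-role>\n    <role-name>*</role-name>\n  </security-role>")


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label)
        for code, patterns, message in lint_web_xml(doc):
            print(f"  {code} {patterns}: {message}")
```

Declaring `*` as a security-role satisfies the rule, but the least-privilege form is to declare the real role names the rolesQuery returns (MAT_CAD_CONVEN in the trace) and list those in the auth-constraint, so that the page is not opened to every authenticated user. The second standalone.xml variant in the question fails for an unrelated reason: hashAlgorithm makes the login module hash the password the user typed before comparing it with what principalsQuery returns, and that query returns the decrypted plaintext, so the comparison fails and the form-error-page is served, which is the redirect to index.jsp reported above.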