0 Replies Latest reply: May 9, 2012 4:36 PM by Steven Boscarine RSS

    Quickstart or tutorial for using security in JBoss AS 7.1?

    Steven Boscarine Novice

      Hello All,

      Is there a tutorial or quickstart that shows how to secure an app, like the quickstarts, using the built-in ApplicationRealm?

       

       

      I am porting an application from 4.x to AS7.1/EAP6.  I am having issues with the security and cannot figure out how to port our LDAP config.  Breaking the issue down step by step, I took the following troubleshooting steps:

      • created a tiny app w/ 2 servlets /secured and /unsecured
      • tried securing the secured servlet with my LDAP config
      • when that failed, I tried securing it using the properties file based ApplicationRealm

       

      I have the default realm:

      <security-realms>
          <security-realm name="ManagementRealm">
              <authentication>
                  <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
              </authentication>
          </security-realm>
          <security-realm name="ApplicationRealm">
              <authentication>
                  <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
              </authentication>
          </security-realm>
      

      I created users with add-user.bat and confirmed in application-roles.properties:

      sboscarine=foo,bar
      admin=foo,bar
      

      My servlet is:

      @WebServlet(value = "/secured", loadOnStartup = 1)
      @ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.NONE, rolesAllowed = { "foo" }))
      public class SecuredServlet extends HttpServlet {
      
        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
          response.setContentType("text/plain");
          response.getWriter().write("secured! \n\n");
          response.getWriter().write(new Date().toString());
        }
      
        private static final long serialVersionUID = 1L;
      
      }
      

      my web.xml

      <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
      
          <description>Our canary in a coal mine</description>
          <display-name>Canary Security Tests</display-name>
      
          <security-role>
              <description>foo</description>
              <role-name>foo</role-name>
          </security-role>
      
        <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>ApplicationRealm</realm-name>
        </login-config>
      </web-app>
      

      my jboss-web.xml

      <?xml version="1.0"?>
      <jboss-web>
          <security-domain>ApplicationRealm</security-domain>
          <security-role>
              <role-name>foo</role-name>
              <principal-name>foo</principal-name>
          </security-role>
      </jboss-web>
      

      Yet I can't figure out why my un/pw is wrong (tried 2 different names).  I get:

       

      15:17:11,020 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Login failure: javax.security.auth.lo
      gin.FailedLoginException: Password Incorrect/Password Required
              at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:270) [picketbox-4.0.7.Final.jar:4.0.7.Final]
      
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_31]
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_31]
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_31]
              at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_31]
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_31]
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_31]
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_31]
              at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_31]
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_31]
              at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_31]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
              at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
              at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_31]
      

      Any advice for troubleshooting?