7 Replies Latest reply on Apr 9, 2002 3:35 PM by ppetit

    Security Exception at deployement of an EJB with JBoss v3 be

    ppetit Newbie

      Hi,

      With a fresh CVS rebuild using JDK 1.3.1-03 on W2K, when I try do deploy EJBs that perfectly worked with JBoss V3 alpha I get a security exception at deplyement time.
      I'm using my previous auth.conf file.
      here is part of the log :
      09:34:27,194 INFO [MainDeployer] Starting deployment of package: file:/L:/Distrib_Dhagpo/jboss-3.0.0/server/default/dep
      loy/SagaServer.ear
      09:34:27,204 INFO [EARDeployer] Init J2EE application: file:/L:/Distrib_Dhagpo/jboss-3.0.0/server/default/deploy/SagaSe
      rver.ear
      09:34:27,675 INFO [EjbModule] Creating
      09:34:27,695 INFO [EjbModule] Deploying Don
      09:34:27,755 INFO [JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@b1a4f

      09:34:27,755 INFO [JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@6c5482
      09:34:27,755 INFO [JaasSecurityManagerService] Added Saga, org.jboss.security.plugins.SecurityDomainContext@205756 to m
      ap
      09:34:28,176 INFO [EjbModule] Deploying DonCollection
      09:34:28,536 ERROR [EntityContainer] Exception in service lifecyle operation: create
      java.lang.SecurityException: Invalid authentication attempt, principal=null
      at org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:542)
      at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:39
      8)
      at org.jboss.resource.adapter.jdbc.JDBCDataSource.getConnection(JDBCDataSource.java:110)
      at org.jboss.ejb.plugins.jaws.jdbc.JDBCCommand.getConnection(JDBCCommand.java:694)
      at org.jboss.ejb.plugins.jaws.jdbc.JDBCInitCommand.execute(JDBCInitCommand.java:120)
      at org.jboss.ejb.plugins.jaws.JAWSPersistenceManager.create(JAWSPersistenceManager.java:130)
      at org.jboss.ejb.plugins.CMPPersistenceManager.create(CMPPersistenceManager.java:138)
      at org.jboss.ejb.EntityContainer.create(EntityContainer.java:329)
      at org.jboss.ejb.Container.invoke(Container.java:765)
      at org.jboss.ejb.EntityContainer.invoke(EntityContainer.java:1003)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
      at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:805)
      at $Proxy1.create(Unknown Source)
      at org.jboss.system.ServiceController.create(ServiceController.java:239)
      at java.lang.reflect.Method.invoke(Native Method)
      at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
      at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174)
      at $Proxy22.create(Unknown Source)
      at org.jboss.ejb.EjbModule.createService(EjbModule.java:345)
      at org.jboss.system.ServiceMBeanSupport.create(ServiceMBeanSupport.java:134)

      What should I fix in new conf files to allow connection to Hypersonic ? I tried to set "sa" here
      <config-property>
      <config-property-name>UserName</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>sa</config-property-value>
      </config-property>

      in new-hsqldb-default-service.xml, but without any success...

      is there a new doco concerning all the new requirements of beta2, or an idea of availibility time ?

      Thanks to all for your help.
      Philippe

        • 1. Re: Security Exception at deployement of an EJB with JBoss v
          David Jencks Master

          You have to use the new auth.conf file, or at least the stuff that sets up db authentication. db security is now managed through JAAS and login modules.

          • 2. Re: Security Exception at deployement of an EJB with JBoss v
            ppetit Newbie

            I used the new auth.conf file, added the specific database module that used to work with the alpha version, and I get the same error messages :

            16:13:05,343 INFO [EARDeployer] Init J2EE application: file:/L:/Distrib_Dhagpo/jboss-3.0.0/server/default/deploy/SagaSe
            rver.ear
            16:13:05,843 INFO [EjbModule] Creating
            16:13:05,874 INFO [EjbModule] Deploying User
            16:13:06,364 INFO [EjbModule] Deploying UserCollection
            16:13:06,855 ERROR [EntityContainer] Exception in service lifecyle operation: create
            java.lang.SecurityException: Invalid authentication attempt, principal=null
            at org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:542)
            at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:39
            8)
            at org.jboss.resource.adapter.jdbc.JDBCDataSource.getConnection(JDBCDataSource.java:110)
            at org.jboss.ejb.plugins.jaws.jdbc.JDBCCommand.getConnection(JDBCCommand.java:694)
            at org.jboss.ejb.plugins.jaws.jdbc.JDBCInitCommand.execute(JDBCInitCommand.java:120)
            at org.jboss.ejb.plugins.jaws.JAWSPersistenceManager.create(JAWSPersistenceManager.java:130)
            at org.jboss.ejb.plugins.CMPPersistenceManager.create(CMPPersistenceManager.java:138)
            at org.jboss.ejb.EntityContainer.create(EntityContainer.java:329)
            at org.jboss.ejb.Container.invoke(Container.java:765)
            at org.jboss.ejb.EntityContainer.invoke(EntityContainer.java:1003)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:805)
            at $Proxy1.create(Unknown Source)
            at org.jboss.system.ServiceController.create(ServiceController.java:239)
            at java.lang.reflect.Method.invoke(Native Method)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174)
            at $Proxy22.create(Unknown Source)
            at org.jboss.ejb.EjbModule.createService(EjbModule.java:345)
            at org.jboss.system.ServiceMBeanSupport.create(ServiceMBeanSupport.java:134)
            at java.lang.reflect.Method.invoke(Native Method)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:805)
            at $Proxy1.create(Unknown Source)
            at org.jboss.system.ServiceController.create(ServiceController.java:239)
            at java.lang.reflect.Method.invoke(Native Method)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174)
            at $Proxy6.create(Unknown Source)
            at org.jboss.ejb.EJBDeployer.create(EJBDeployer.java:372)
            at org.jboss.deployment.MainDeployer.create(MainDeployer.java:633)
            at org.jboss.deployment.MainDeployer.create(MainDeployer.java:627)
            at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:516)
            at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:480)
            at java.lang.reflect.Method.invoke(Native Method)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174)
            at $Proxy5.deploy(Unknown Source)
            at org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentScanner.java:329)
            at org.jboss.deployment.scanner.URLDeploymentScanner.scanDirectory(URLDeploymentScanner.java:516)
            at org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScanner.java:389)
            at org.jboss.deployment.scanner.AbstractDeploymentScanner.startService(AbstractDeploymentScanner.java:237)
            at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:162)
            at java.lang.reflect.Method.invoke(Native Method)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:805)
            at $Proxy1.start(Unknown Source)
            at org.jboss.system.ServiceController.start(ServiceController.java:309)
            at org.jboss.system.ServiceController.start(ServiceController.java:327)
            at java.lang.reflect.Method.invoke(Native Method)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:324)
            at org.jboss.system.server.ServerImpl.start(ServerImpl.java:213)
            at org.jboss.Main.boot(Main.java:138)
            at org.jboss.Main$1.run(Main.java:371)
            at java.lang.Thread.run(Thread.java:479)
            16:13:08,167 INFO [EjbModule] Remove JSR-77 EJB Module: jboss.management.single:J2EEApplication=SagaServer.ear,J2EEServ
            er=Single,j2eeType=EJBModule,name=users.jar
            16:13:08,207 ERROR [EjbModule] Initialization failed
            java.lang.SecurityException: Invalid authentication attempt, principal=null
            at org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:542)
            at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:39
            8)
            at org.jboss.resource.adapter.jdbc.JDBCDataSource.getConnection(JDBCDataSource.java:110)
            at org.jboss.ejb.plugins.jaws.jdbc.JDBCCommand.getConnection(JDBCCommand.java:694)
            at org.jboss.ejb.plugins.jaws.jdbc.JDBCInitCommand.execute(JDBCInitCommand.java:120)
            at org.jboss.ejb.plugins.jaws.JAWSPersistenceManager.create(JAWSPersistenceManager.java:130)
            at org.jboss.ejb.plugins.CMPPersistenceManager.create(CMPPersistenceManager.java:138)
            at org.jboss.ejb.EntityContainer.create(EntityContainer.java:329)
            at org.jboss.ejb.Container.invoke(Container.java:765)
            at org.jboss.ejb.EntityContainer.invoke(EntityContainer.java:1003)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:805)
            at $Proxy1.create(Unknown Source)
            at org.jboss.system.ServiceController.create(ServiceController.java:239)
            at java.lang.reflect.Method.invoke(Native Method)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174)
            at $Proxy22.create(Unknown Source)
            at org.jboss.ejb.EjbModule.createService(EjbModule.java:345)
            at org.jboss.system.ServiceMBeanSupport.create(ServiceMBeanSupport.java:134)
            at java.lang.reflect.Method.invoke(Native Method)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:805)
            at $Proxy1.create(Unknown Source)
            at org.jboss.system.ServiceController.create(ServiceController.java:239)
            at java.lang.reflect.Method.invoke(Native Method)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174)
            at $Proxy6.create(Unknown Source)
            at org.jboss.ejb.EJBDeployer.create(EJBDeployer.java:372)
            at org.jboss.deployment.MainDeployer.create(MainDeployer.java:633)
            at org.jboss.deployment.MainDeployer.create(MainDeployer.java:627)
            at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:516)
            at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:480)
            at java.lang.reflect.Method.invoke(Native Method)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174)
            at $Proxy5.deploy(Unknown Source)
            at org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentScanner.java:329)
            at org.jboss.deployment.scanner.URLDeploymentScanner.scanDirectory(URLDeploymentScanner.java:516)
            at org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScanner.java:389)
            at org.jboss.deployment.scanner.AbstractDeploymentScanner.startService(AbstractDeploymentScanner.java:237)
            at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:162)
            at java.lang.reflect.Method.invoke(Native Method)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:805)
            at $Proxy1.start(Unknown Source)
            at org.jboss.system.ServiceController.start(ServiceController.java:309)
            at org.jboss.system.ServiceController.start(ServiceController.java:327)
            at java.lang.reflect.Method.invoke(Native Method)
            at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
            at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:441)
            at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:324)
            at org.jboss.system.server.ServerImpl.start(ServerImpl.java:213)
            at org.jboss.Main.boot(Main.java:138)
            at org.jboss.Main$1.run(Main.java:371)
            at java.lang.Thread.run(Thread.java:479)
            16:13:09,529 ERROR [MainDeployer] could not create deployment :njar:file:/L:/Distrib_Dhagpo/jboss-3.0.0/server/default/t
            mp/deploy/L/Distrib_Dhagpo/jboss-3.0.0/server/default/deploy/SagaServer.ear/70.SagaServer.ear^/users.jar
            org.jboss.deployment.DeploymentException: error in create of EjbModule: njar:file:/L:/Distrib_Dhagpo/jboss-3.0.0/server/
            default/tmp/deploy/L/Distrib_Dhagpo/jboss-3.0.0/server/default/deploy/SagaServer.ear/70.SagaServer.ear^/users.jar; - nes
            ted throwable is: java.lang.SecurityException: Invalid authentication attempt, principal=null
            java.lang.SecurityException: Invalid authentication attempt, principal=null
            at org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:542)
            at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:39
            8)
            at org.jboss.resource.adapter.jdbc.JDBCDataSource.getConnection(JDBCDataSource.java:110)
            at org.jboss.ejb.plugins.jaws.jdbc.JDBCCommand.getConnection(JDBCCommand.java:694)
            at org.jboss.ejb.plugins.jaws.jdbc.JDBCInitCommand.execute(JDBCInitCommand.java:120)
            at org.jboss.ejb.plugins.jaws.JAWSPersistenceManager.create(JAWSPersistenceManager.java:130)
            at org.jboss.ejb.plugins.CMPPersistenceManager.create(CMPPersistenceManager.java:138)

            here is the content of my auth.conf :

            /// ====================================================================== ///
            // //
            // JBoss Authentication Module Configuration //
            // //
            /// ====================================================================== ///

            // $Id: auth.conf,v 1.10 2002/03/24 21:44:32 d_jencks Exp $

            // Put login modules providing authentication and realm mappings
            // for security domains.

            simple {
            // Very simple login module:
            // any user name is accepted.
            // password should either coincide with user name or be null,
            // all users have role "guest",
            // users with non-null password also have role "user"
            org.jboss.security.auth.spi.SimpleServerLoginModule required;
            };

            // Used by clients within the application server VM such as
            // mbeans and servlets that access EJBs.
            client-login {
            org.jboss.security.ClientLoginModule required;
            };

            // The default server login module
            other {
            // A simple server login module, which can be used when the number
            // of users is relatively small. It uses two properties files:
            // users.properties, which holds users (key) and their password (value).
            // roles.properties, which holds users (key) and a comma-separated list of their roles (value).
            // The unauthenticatedIdentity property defines the name of the principal
            // that will be used when a null username and password are presented as is
            // the case for an unuathenticated web client or MDB. If you want to
            // allow such users to be authenticated add the property, e.g.,
            // unauthenticatedIdentity="nobody"
            org.jboss.security.auth.spi.UsersRolesLoginModule required
            ;
            };

            // Security domain for JBossMQ
            jbossmq {
            //
            // Security domain for JBossMQ. Other Login modules may be used.
            org.jboss.mq.sm.file.DynamicLoginModule required
            unauthenticatedIdentity="guest"
            sm.objectname="jboss.mq:service=StateManager"
            ;
            };

            // Security domain for testing new jca framework
            DefaultDbRealm {
            //
            // Security domain for new jca framework.
            // One per ManagedConnectionFactory are required.
            org.jboss.resource.security.ConfiguredIdentityLoginModule required
            principal="sa"
            userName="sa"
            password=""
            managedConnectionFactoryName="jboss.jca:service=LocalTxCM"
            ;
            };

            JmsXARealm {
            //
            // Security domain for new jca framework.
            // One per ManagedConnectionFactory are required.
            org.jboss.resource.security.ConfiguredIdentityLoginModule required
            principal="guest"
            userName="guest"
            password="guest"
            managedConnectionFactoryName="jboss.jca:service=JmsXACM"
            ;
            };


            // Login module pour Saga
            Saga {
            // utilisation des tables User et UsersRole pour récupérer l'authentification et les droits
            org.jboss.security.plugins.samples.DatabaseServerLoginModule required
            dsJndiName="java:/DefaultDS"
            principalsQuery="select Password from User where ID=?"
            rolesQuery="select ROLE, RoleGroup from UsersRole where ID=?"
            ;
            };

            so David any idea ?

            • 3. Re: Security Exception at deployement of an EJB with JBoss v
              David Jencks Master

              I don't have much in the way of an idea. Can you turn off the database login module and let everyone login as someone with all permissions and see if the problem goes away? (This ought to determine if the problem is due to an interaction between login modules/security domains or some kind of problem with the db stuff alone) Are you using hsqldb? Can you show the connection manager configuration, especially the security domain jndi name?

              Thanks
              david jencks

              • 4. Re: Security Exception at deployement of an EJB with JBoss v
                David Jencks Master

                I managed to get this problem also, now;-)

                Make _sure_ the mbean name in auth.conf is exactly the same as the mbean name you have in the connectionmanager config.

                I will see if I can provide a more informative error message;-)

                david jencks

                • 5. Re: Security Exception at deployement of an EJB with JBoss v
                  ppetit Newbie

                  Hi David,
                  Sorry for the silence...
                  I found this class in the source :
                  org\jboss\security\auth\spi\DatabaseServerLoginModule.java

                  is it the new path for the dtabase login module to set up in the auth.conf ? It looks like...

                  Could you confirm ?
                  Thanks for your help.

                  Philippe

                  • 6. Re: Security Exception at deployement of an EJB with JBoss v
                    David Jencks Master

                    Nope,

                    DatabaseServerLoginModule uses a db table to get authentication info for "initial" login to the app.

                    Now you need a ConfiguredIdentityLogin module for each datasource like this:

                    MySqlDbRealm {
                    //
                    // Security domain for new jca framework.
                    // One per ManagedConnectionFactory are required.
                    org.jboss.resource.security.ConfiguredIdentityLoginModule required
                    principal="sysdba"
                    userName="sysdba"
                    password="masterkey"
                    managedConnectionFactoryName="jboss.jca:service=LocalTxCM,name=MySqlDS"
                    ;
                    };


                    My previous post was saying that the managedConnectionFactoryName must exactly match the connectionmanager object name in the *service.xml.

                    We also need login modules that simply use the callers' identity/password and that map the callers' identity, but I haven't written them yet.

                    I don't know what will happen if we had a mapping set up for the adapter and were using the DatabaseServerLoginModule for initial login....how would the DatabaseServerLoginModule get a connection?


                    • 7. Re: Security Exception at deployement of an EJB with JBoss v
                      ppetit Newbie

                      Yes David I have ConfiguredIdentityLogin in the auth.conf 'cause I'm using the new default auth.conf. I just appended to it the JAAS module I used with success from 2.2 version.
                      My managedConnectionFactoryName is also good 'cause of out of the box conf files (I use HSQLDB).
                      I just have now a pb with dsJndiName

                      if you have a auth.conf file with a JAAS example I think it will be ok with me.

                      Thanks
                      Philippe