0 Replies Latest reply on Sep 14, 2012 1:38 PM by Sara S

    Issues with Form Based Authentication in Jboss EAP 6.0

    Sara S Newbie

      Hi All,

       

      I am a new bee to JBOSS.After reading many of the posts and documentation i took up the the task of configuring Form based authentication for my application.

      I have my own custom defined Login.jsp and Logout.jsp .Below are the configuration files snippets.

       

      Web.xml

      **************

        

      <login-config>

              <auth-method>FORM</auth-method>

              <form-login-config> 

                 <form-login-page>/scs_ad_login.jsp</form-login-page> 

                 <form-error-page>/error.jsp</form-error-page> 

              </form-login-config> 

          </login-config>

        <security-constraint>

            <display-name>Restrict access to Protected Area</display-name>

            <web-resource-collection>

                <web-resource-name>Protected Area</web-resource-name>  

                  <url-pattern>*.jsp</url-pattern>  

                  <url-pattern>*.do</url-pattern> 

             </web-resource-collection>

               <auth-constraint>

                  <role-name>sds</role-name>

               </auth-constraint>

          </security-constraint>

      <security-role>

              <description>Test Role</description>

              <role-name>sds</role-name>

          </security-role>

       

               

      Jboss-Web.xml

      ********************

       

      <jboss-web>

          <context-root>/SCSWeb</context-root>

          <security-domain flushOnSessionInvalidation="true">LdapToActiveRealm</security-domain>

      </jboss-web>

       

       

       

      Standalone.xml

      ***********************

       

      Note:sAMAccountName = abc (this value is entered as login id for most of our applications.So it is what is entered in the login .jsp for any user)

              cn=Lastname,First Name

             

       

       

      <security-domain name="LdapToActiveRealm">
                          <authentication>
                              <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                                  <module-option name="java.naming.provider.url" value="ldap://****:389/"/>
                                  <module-option name="java.naming.security.authentication" value="simple"/>
                                  <module-option name="principalDNPrefix" value="CN=Sara,Sai"/>
                                  <module-option name="principalDNSuffix" value=",OU=SDSTemps,OU=SDS,DC=***,DC=***,DC=com"/>
                                  <module-option name="uidAttributeID" value="sAMAccountName"/>
             <module-option name="rolesCtxDN" value="CN=Person,CN=Schema,CN=Configuration,DC=***,DC=***,DC=com"/>
                                  <module-option name="matchOnUserDN" value="false"/>
                                  <module-option name="roleAttributeID" value="memberOf"/>
                                  <module-option name="roleAttributeIsDN" value="false"/>
                                  <module-option name="throwValidateError" value="true"/>
             <module-option name="bindDN" value="OU=SDSTemps,OU=SDS,DC=***,DC=***,DC=com"/>
                                  <module-option name="bindCredential" value="****"/>
                               </login-module>

                         </authentication>
                      </security-domain>

       

              <security-realms>

                  <security-realm name="ManagementRealm">

                      <authentication>

                          <ldap connection="ldap_connection" base-dn="DC=***,DC=***,DC=com" recursive="true">

                              <advanced-filter filter="(sAMAccountName={0})"/>

                          </ldap>

                      </authentication>

                  </security-realm>

                  <security-realm name="ApplicationRealm">

                      <authentication>

                          <ldap connection="ldap_connection" base-dn="DC=***,DC=***,DC=com" recursive="true">

                              <advanced-filter filter="(sAMAccountName={0})"/>

                          </ldap>

                      </authentication>

                      <authorization>

                          <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>

                      </authorization>

                  </security-realm>

              </security-realms>

              <outbound-connections>

                  <ldap name="ldap_connection" url="ldap://***:389" search-dn="jbossuserdel" search-credential="${VAULT::ldap::jbossuserdel::***********}"/>

              </outbound-connections>

       

       

       

       

       

      Login.jsp

      *************

       

       

       

       

       

      <form method="POST" action="j_security_check">

        User Name: <input type="text" name="j_username" /><br />

        Password: <input type="password" name="j_password" /><br />

        <input type="submit" value="Login" />

      </form>

       

       

       

      Error Log:

      ************

       

       

       

       

       

       

       

       

       

       

       

       

       

       

       

       

       

       

       

       

      12:41:40,628 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-localhost/127.0.0.1:8080-1) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required

      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:293) [picketbox-4.0.9.Final-redhat-1.jar:4.0.9.Final-redhat-1]

      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_03]

      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) [rt.jar:1.6.0_03]

      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) [rt.jar:1.6.0_03]

      at java.lang.reflect.Method.invoke(Unknown Source) [rt.jar:1.6.0_03]

      at javax.security.auth.login.LoginContext.invoke(Unknown Source) [rt.jar:1.6.0_03]

      at javax.security.auth.login.LoginContext.access$000(Unknown Source) [rt.jar:1.6.0_03]

      at javax.security.auth.login.LoginContext$4.run(Unknown Source) [rt.jar:1.6.0_03]

      at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_03]

      at javax.security.auth.login.LoginContext.invokePriv(Unknown Source) [rt.jar:1.6.0_03]

      at javax.security.auth.login.LoginContext.login(Unknown Source) [rt.jar:1.6.0_03]

      at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.9.Final-redhat-1.jar:4.0.9.Final-redhat-1]

      at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.9.Final-redhat-1.jar:4.0.9.Final-redhat-1]

      at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.9.Final-redhat-1.jar:4.0.9.Final-redhat-1]

      at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.9.Final-redhat-1.jar:4.0.9.Final-redhat-1]

      at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1]

      at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.16.Final-redhat-1.jar:]

      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.16.Final-redhat-1.jar:]

      at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1]

      at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1]

      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.16.Final-redhat-1.jar:]

      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.16.Final-redhat-1.jar:]

      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.16.Final-redhat-1.jar:]

      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.16.Final-redhat-1.jar:]

      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.16.Final-redhat-1.jar:]

      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.16.Final-redhat-1.jar:]

      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.16.Final-redhat-1.jar:]

      at java.lang.Thread.run(Unknown Source) [rt.jar:1.6.0_03]

      Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

       

       

       

       

      *****************************************************************

       

      Can anyone please help me!!!!!

       

      My questions are :

       

      1)Did i configure the stanalone.xml properly.

      2)I am currently using the login credentials of myself in the login module.And also using my own credentials while loging into the application.Will that cause a problem.Do i need to place a different login account in the standalone xml as it is being used by the server to authenticate user

      3)I want to fetch the roles which are part of memberOf components of LDAP/AD. So not sure what i should place in the application realm.I need help with application and management realm details.

      4)I am able to authenticate user programatically invoking a filter and setting the roles as part of the request object.But i don't want existing code to be modified for verifying the roles.Hence i am tring to use declarative approach so that request object return me true/false once i invoke isUserInRole method which is how my existing code is .

      Note:We are currently swtichin from Weblogic to Jboss and hence we are encoutnering basic configuration issues.