JBoss 7.1.1.Final - Custom Login configuration Problem - all modules ignored / Access to the requested resource has been denied
sanssan Jan 11, 2013 5:14 AMHi,
I have been migrating an applicaiton from JBoss 3.x to JBoss AS 7.1.1.Final.
Having some strange errors on Custom Login Configuration:
jboss-web.xml
<?xml version="1.0" encoding="ISO-8859-1"?> <jboss-web> <context-root>quote</context-root> <security-domain>LDAPWebClientSecurity</security-domain> <disable-audit>true</disable-audit> </jboss-web>
My Custom Login class
/** * */ package com.xyz.ldaplogin.module; import java.security.acl.Group; import java.util.Hashtable; import javax.naming.NamingEnumeration; import javax.naming.NamingException; import javax.naming.directory.Attributes; import javax.naming.directory.DirContext; import javax.naming.directory.SearchControls; import javax.naming.directory.SearchResult; import javax.naming.ldap.InitialLdapContext; import javax.security.auth.login.LoginException; import org.apache.log4j.Logger; import org.jboss.security.SimpleGroup; import org.jboss.security.SimplePrincipal; import org.jboss.security.auth.spi.UsernamePasswordLoginModule; import com.xyz.ldaplogin.util.GenericLDAPLoginUtil; /** * @author SanthoshK * */ public class GenericLDAPLoginModule extends UsernamePasswordLoginModule { private static Logger LOGGER = Logger .getLogger(GenericLVLDAPLoginModule.class); private String userName; private String password; private void assignUserCredentials() throws LoginException { LOGGER.info("assignUserCredentials - START"); String[] loginCredentials = null; try { loginCredentials = getUsernameAndPassword(); this.userName = loginCredentials[0]; this.password = loginCredentials[1]; } catch (Exception exception) { LOGGER.error("assignUserCredentials Exception : " + exception.getMessage()); throw new LoginException("Invalid Login Credentials : " + loginCredentials); } finally { LOGGER.info("assignUserCredentials - END"); } } @Override public boolean login() throws LoginException { try { LOGGER.info("authenticate - START"); this.assignUserCredentials(); LOGGER.info("Attempting to validate user : [" + this.userName + "]"); GenericLDAPLoginUtil genericLDAPLoginUtil = new GenericLDAPLoginUtil(); Hashtable<String, String> envHTable = genericLDAPLoginUtil .getEnvironmentTable(); DirContext ctx = new InitialLdapContext(envHTable, null); SearchControls searchCtls = new SearchControls(); String returnedAtts[] = { "cn", "givenName" }; searchCtls.setReturningAttributes(returnedAtts); searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE); String searchFilter = "(&(sAMAccountName=" + this.userName + ")(objectCategory=user))"; String searchBase = "DC=group,DC=net"; int totalResults = 0; NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls); String ouName = null; while (answer.hasMoreElements()) { SearchResult searchResult = answer.next(); totalResults++; ouName = searchResult.getName(); Attributes attrs = searchResult.getAttributes(); if (attrs != null) { try { LOGGER.info(" surname: " + attrs.get("cn").get()); LOGGER.info(" firstname: " + attrs.get("givenName").get()); } catch (NullPointerException e) { LOGGER.info("Errors listing attributes: " + e); } } } LOGGER.info("Total results: " + totalResults); ctx.close(); if (totalResults > 0) { String adminName = ouName + ",dc=group,dc=net"; envHTable = genericLDAPLoginUtil.getEnvironmentTable(adminName, this.password); DirContext ctx1 = new InitialLdapContext(envHTable, null); ctx1.close(); LOGGER.info("-------------> TRUE"); return true; } else { LOGGER.info("-------------> FALSE"); return false; } } catch (NamingException exception) { LOGGER.error("Problem searching directory: " + exception); return false; } catch (Exception exception) { LOGGER.error("Unhandled Exception: " + exception); return false; } finally { LOGGER.info("authenticate - END"); } } @Override protected String getUsersPassword() throws LoginException { assignUserCredentials(); return this.password; } private transient SimpleGroup userRoles = new SimpleGroup("Roles"); @Override protected Group[] getRoleSets() throws LoginException { LOGGER.info("called getRoleSets"); // Add each role to the "Roles" principal userRoles.addMember(new SimplePrincipal("Authenticated_users")); userRoles.addMember(new SimplePrincipal("All_users")); Group[] roleSets = { userRoles }; LOGGER.info("list of roles: " + roleSets); return roleSets; } @Override protected boolean validatePassword(String inputPassword, String expectedPassword) { try { LOGGER.info("validatePassword : [" + inputPassword + "],[" + expectedPassword + "]"); return login(); } catch (LoginException e) { return false; } } }
Now,
Standalone.xml with 2 possible configurations and with it's errors:
Scenario #1:
<subsystem xmlns="urn:jboss:domain:security:1.1"> <security-domains> <security-domain name="LDAPWebClientSecurity" cache-type="default"> <authentication> <login-module code="org.jboss.security.ClientLoginModule" flag="required"/> <login-module code="com.xyz.ldaplogin.module.GenericLDAPLoginModule" flag="required" module="com.xyz.ldap"/> </authentication> </security-domain> <security-domain name="other" cache-type="default"> <authentication> <login-module code="Remoting" flag="optional"> <module-option name="password-stacking" value="useFirstPass"/> </login-module> <login-module code="RealmUsersRoles" flag="optional"> <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/> <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/> <module-option name="realm" value="ApplicationRealm"/> <module-option name="password-stacking" value="useFirstPass"/> </login-module> </authentication> </security-domain> <security-domain name="jboss-web-policy" cache-type="default"> <authorization> <policy-module code="Delegating" flag="required"/> </authorization> </security-domain> <security-domain name="jboss-ejb-policy" cache-type="default"> <authorization> <policy-module code="Delegating" flag="required"/> </authorization> </security-domain> </security-domains> </subsystem>
Exception on above scenario:
HTTP Status 403 - Access to the requested resource has been denied type Status report message Access to the requested resource has been denied description Access to the specified resource (Access to the requested resource has been denied) has been forbidden. JBoss Web/7.0.13.Final
Scenario #2:
<subsystem xmlns="urn:jboss:domain:security:1.1"> <security-domains> <security-domain name="LDAPWebClientSecurity" cache-type="default"> <authentication> <login-module code="com.xyz.ldaplogin.module.GenericLDAPLoginModule" flag="required" module="com.xyz.ldap"/> </authentication> </security-domain> <security-domain name="other" cache-type="default"> <authentication> <login-module code="Remoting" flag="optional"> <module-option name="password-stacking" value="useFirstPass"/> </login-module> <login-module code="RealmUsersRoles" flag="optional"> <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/> <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/> <module-option name="realm" value="ApplicationRealm"/> <module-option name="password-stacking" value="useFirstPass"/> </login-module> </authentication> </security-domain> <security-domain name="jboss-web-policy" cache-type="default"> <authorization> <policy-module code="Delegating" flag="required"/> </authorization> </security-domain> <security-domain name="jboss-ejb-policy" cache-type="default"> <authorization> <policy-module code="Delegating" flag="required"/> </authorization> </security-domain> </security-domains> </subsystem>
Exception on Log File:
10:08:17,796 INFO [com.xyz.ldaplogin.module.GenericLDAPLoginModule] (http--127.0.0.1-8180-2) -------------> TRUE 10:08:17,796 INFO [com.xyz.ldaplogin.module.GenericLDAPLoginModule] (http--127.0.0.1-8180-2) authenticate - END 10:08:17,796 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8180-1) Login failure: javax.security.auth.login.LoginException: Login Failure: all modules ignored at javax.security.auth.login.LoginContext.invoke(LoginContext.java:935) [rt.jar:1.7.0] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0] at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0] at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0] at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:361) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:] at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0] 10:08:17,796 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8180-2) Login failure: javax.security.auth.login.LoginException: Login Failure: all modules ignored at javax.security.auth.login.LoginContext.invoke(LoginContext.java:935) [rt.jar:1.7.0] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0] at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0] at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0] at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:361) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:] at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0]