1 Reply Latest reply on Jan 17, 2013 6:02 AM by Sans Kum

    JBoss 7.1.1.Final - Custom Login configuration Problem - all modules ignored / Access to the requested resource has been denied

    Sans Kum Newbie

      Hi,

       

      I have been migrating an applicaiton from JBoss 3.x to JBoss AS 7.1.1.Final.

       

      Having some strange errors on Custom Login Configuration:

       

      jboss-web.xml

       

      <?xml version="1.0" encoding="ISO-8859-1"?>
      <jboss-web>
          <context-root>quote</context-root>
          <security-domain>LDAPWebClientSecurity</security-domain>
          <disable-audit>true</disable-audit>
      </jboss-web>
      

       

      My Custom Login class

       

      /**
       * 
       */
      package com.xyz.ldaplogin.module;
      
      import java.security.acl.Group;
      import java.util.Hashtable;
      
      import javax.naming.NamingEnumeration;
      import javax.naming.NamingException;
      import javax.naming.directory.Attributes;
      import javax.naming.directory.DirContext;
      import javax.naming.directory.SearchControls;
      import javax.naming.directory.SearchResult;
      import javax.naming.ldap.InitialLdapContext;
      import javax.security.auth.login.LoginException;
      
      import org.apache.log4j.Logger;
      import org.jboss.security.SimpleGroup;
      import org.jboss.security.SimplePrincipal;
      import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
      
      import com.xyz.ldaplogin.util.GenericLDAPLoginUtil;
      
      /**
       * @author SanthoshK
       * 
       */
      public class GenericLDAPLoginModule extends UsernamePasswordLoginModule {
      
          private static Logger LOGGER = Logger
                  .getLogger(GenericLVLDAPLoginModule.class);
      
          private String userName;
          private String password;
      
          private void assignUserCredentials() throws LoginException {
              LOGGER.info("assignUserCredentials - START");
              String[] loginCredentials = null;
              try {
                  loginCredentials = getUsernameAndPassword();
                  this.userName = loginCredentials[0];
                  this.password = loginCredentials[1];
              } catch (Exception exception) {
                  LOGGER.error("assignUserCredentials Exception : "
                          + exception.getMessage());
                  throw new LoginException("Invalid Login Credentials : "
                          + loginCredentials);
              } finally {
                  LOGGER.info("assignUserCredentials - END");
              }
          }
      
          @Override
          public boolean login() throws LoginException {
      
              try {
                  LOGGER.info("authenticate - START");
      
                  this.assignUserCredentials();
                  LOGGER.info("Attempting to validate user : [" + this.userName + "]");
      
                  GenericLDAPLoginUtil genericLDAPLoginUtil = new GenericLDAPLoginUtil();
      
                  Hashtable<String, String> envHTable = genericLDAPLoginUtil
                          .getEnvironmentTable();
      
                  DirContext ctx = new InitialLdapContext(envHTable, null);
                  SearchControls searchCtls = new SearchControls();
                  String returnedAtts[] = { "cn", "givenName" };
                  searchCtls.setReturningAttributes(returnedAtts);
                  searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
      
                  String searchFilter = "(&(sAMAccountName=" + this.userName
                          + ")(objectCategory=user))";
                  String searchBase = "DC=group,DC=net";
      
                  int totalResults = 0;
                  NamingEnumeration<SearchResult> answer = ctx.search(searchBase,
                          searchFilter, searchCtls);
                  String ouName = null;
                  while (answer.hasMoreElements()) {
                      SearchResult searchResult = answer.next();
                      totalResults++;
                      ouName = searchResult.getName();
                      Attributes attrs = searchResult.getAttributes();
                      if (attrs != null) {
                          try {
                              LOGGER.info(" surname: " + attrs.get("cn").get());
                              LOGGER.info(" firstname: "
                                      + attrs.get("givenName").get());
                          } catch (NullPointerException e) {
                              LOGGER.info("Errors listing attributes: " + e);
                          }
                      }
                  }
                  LOGGER.info("Total results: " + totalResults);
                  ctx.close();
                  if (totalResults > 0) {
                      String adminName = ouName + ",dc=group,dc=net";
                      envHTable = genericLDAPLoginUtil.getEnvironmentTable(adminName,
                              this.password);
      
                      DirContext ctx1 = new InitialLdapContext(envHTable, null);
                      ctx1.close();
                      LOGGER.info("-------------> TRUE");
                      return true;
                  } else {
                      LOGGER.info("-------------> FALSE");
                      return false;
                  }
              } catch (NamingException exception) {
                  LOGGER.error("Problem searching directory: " + exception);
                  return false;
              } catch (Exception exception) {
                  LOGGER.error("Unhandled Exception: " + exception);
                  return false;
              } finally {
                  LOGGER.info("authenticate - END");
              }
          }
      
          @Override
          protected String getUsersPassword() throws LoginException {
              assignUserCredentials();
              return this.password;
          }
      
          private transient SimpleGroup userRoles = new SimpleGroup("Roles");
      
          @Override
          protected Group[] getRoleSets() throws LoginException {
              LOGGER.info("called getRoleSets");
      
              // Add each role to the "Roles" principal
              userRoles.addMember(new SimplePrincipal("Authenticated_users"));
              userRoles.addMember(new SimplePrincipal("All_users"));
      
              Group[] roleSets = { userRoles };
              LOGGER.info("list of roles: " + roleSets);
              return roleSets;
          }
      
          @Override
          protected boolean validatePassword(String inputPassword,
                  String expectedPassword) {
              try {
                  LOGGER.info("validatePassword : [" + inputPassword + "],["
                          + expectedPassword + "]");
                  return login();
              } catch (LoginException e) {
                  return false;
              }
          }
      }
      

       

      Now,

       

      Standalone.xml with 2 possible configurations and with it's errors:

       

      Scenario #1:

      <subsystem xmlns="urn:jboss:domain:security:1.1">
                  <security-domains>
                      <security-domain name="LDAPWebClientSecurity" cache-type="default">
                          <authentication>
                              <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
                              <login-module code="com.xyz.ldaplogin.module.GenericLDAPLoginModule" flag="required" module="com.xyz.ldap"/>
                          </authentication>
                      </security-domain>
                      <security-domain name="other" cache-type="default">
                          <authentication>
                              <login-module code="Remoting" flag="optional">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                              <login-module code="RealmUsersRoles" flag="optional">
                                  <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                  <module-option name="realm" value="ApplicationRealm"/>
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="jboss-web-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                      <security-domain name="jboss-ejb-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                  </security-domains>
              </subsystem>
      

       

      Exception on above scenario:

      HTTP Status 403 - Access to the requested resource has been denied
      
      type Status report
      message Access to the requested resource has been denied
      description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
      
      JBoss Web/7.0.13.Final
      

       

      Scenario #2:

       

      <subsystem xmlns="urn:jboss:domain:security:1.1">
                  <security-domains>
                      <security-domain name="LDAPWebClientSecurity" cache-type="default">
                          <authentication>
                              <login-module code="com.xyz.ldaplogin.module.GenericLDAPLoginModule" flag="required" module="com.xyz.ldap"/>
                          </authentication>
                      </security-domain>
                      <security-domain name="other" cache-type="default">
                          <authentication>
                              <login-module code="Remoting" flag="optional">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                              <login-module code="RealmUsersRoles" flag="optional">
                                  <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                  <module-option name="realm" value="ApplicationRealm"/>
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="jboss-web-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                      <security-domain name="jboss-ejb-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                  </security-domains>
              </subsystem>
      

       

      Exception on Log File:

      10:08:17,796 INFO  [com.xyz.ldaplogin.module.GenericLDAPLoginModule] (http--127.0.0.1-8180-2) -------------> TRUE
      10:08:17,796 INFO  [com.xyz.ldaplogin.module.GenericLDAPLoginModule] (http--127.0.0.1-8180-2) authenticate - END
      10:08:17,796 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8180-1) Login failure: javax.security.auth.login.LoginException: Login Failure: all modules ignored
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:935) [rt.jar:1.7.0]
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0]
          at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0]
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0]
          at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:361) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]
          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
          at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0]
      
      10:08:17,796 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8180-2) Login failure: javax.security.auth.login.LoginException: Login Failure: all modules ignored
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:935) [rt.jar:1.7.0]
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0]
          at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0]
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0]
          at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:361) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]
          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
          at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0]
      
      
        • 1. Re: JBoss 7.1.1.Final - Custom Login configuration Problem - all modules ignored / Access to the requested resource has been denied
          Sans Kum Newbie

          Hi,

           

          Thanks all. Found the problem. While migrating, I have pickedup wrong Custom Login Module. Fixed it by....

           

          package com.xyz.ldaplogin.module;
          
          import java.security.acl.Group;
          import java.util.Hashtable;
          
          import javax.naming.NamingEnumeration;
          import javax.naming.NamingException;
          import javax.naming.directory.Attributes;
          import javax.naming.directory.DirContext;
          import javax.naming.directory.SearchControls;
          import javax.naming.directory.SearchResult;
          import javax.naming.ldap.InitialLdapContext;
          import javax.security.auth.login.LoginException;
          
          import org.apache.log4j.Logger;
          import org.jboss.security.SimpleGroup;
          import org.jboss.security.SimplePrincipal;
          import org.jboss.security.auth.spi.LdapExtLoginModule;
          
          import com.xyz.ldaplogin.util.GenericLDAPLoginUtil;
          
          /**
           * @author SanthoshK
           * 
           */
          public class GenericLVLDAPLoginModule extends LdapExtLoginModule {
          
              private static Logger LOGGER = Logger
                      .getLogger(GenericLVLDAPLoginModule.class);
          
              private String xyzUserName;
              private String xyzUserName;
          
              private void assignUserCredentials() throws LoginException {
                  LOGGER.info("assignUserCredentials - START");
                  String[] loginCredentials = null;
                  try {
                      loginCredentials = getUsernameAndPassword();
                      this.xyzUserName = loginCredentials[0];
                      this.xyzUserName = loginCredentials[1];
                  } catch (Exception exception) {
                      LOGGER.error("assignUserCredentials Exception : " + exception);
                      throw new LoginException("Invalid Login Credentials : " + loginCredentials);
                  } finally {
                      LOGGER.info("assignUserCredentials - END");
                  }
              }
          
              @Override
              protected String bindDNAuthentication(InitialLdapContext ctx, String user, Object credential, String baseDN, String filter) throws NamingException {
                  return super.bindDNAuthentication(ctx, user, credential, baseDN, filter);
              }
          
              @Override
              protected void rolesSearch(InitialLdapContext ctx, SearchControls constraints, String user, String userDN, int recursionMax, int nesting) throws NamingException {
                  super.rolesSearch(ctx, constraints, user, userDN, recursionMax, nesting);
              }
          
              @Override
              protected boolean validatePassword(String inputPassword, String expectedPassword) {
                  return validation();
              }
          
              @Override
              protected String getUsersPassword() throws LoginException {
                  return "";
              }
          
              private transient SimpleGroup userRoles = new SimpleGroup("Roles");
          
              @Override
              protected Group[] getRoleSets() throws LoginException {
                  // Add each role to the "Roles" principal (Ref web.xml)
                  userRoles.addMember(new SimplePrincipal("Authenticated_users"));
                  Group[] roleSets = { userRoles };
                  return roleSets;
              }
          
              private boolean validation() {
          
                  try {
                      LOGGER.info("authenticate - START");
          
                      this.assignUserCredentials();
                      LOGGER.info("Attempting to validate user : [" + this.xyzUserName + "]");
          
                      GenericLDAPLoginUtil genericLDAPLoginUtil = new GenericLDAPLoginUtil();
          
                      Hashtable<String, String> envHTable = genericLDAPLoginUtil.getEnvironmentTable();
          
                      DirContext ctx = new InitialLdapContext(envHTable, null);
                      SearchControls searchCtls = new SearchControls();
                      String returnedAtts[] = { "cn", "givenName" };
                      searchCtls.setReturningAttributes(returnedAtts);
                      searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
          
                      String searchFilter = "(&(sAMAccountName=" + this.xyzUserName
                              + ")(objectCategory=user))";
                      String searchBase = "DC=group,DC=net";
          
                      int totalResults = 0;
                      NamingEnumeration<SearchResult> answer = ctx.search(searchBase,
                              searchFilter, searchCtls);
                      String ouName = null;
                      while (answer.hasMoreElements()) {
                          SearchResult searchResult = answer.next();
                          totalResults++;
                          ouName = searchResult.getName();
                          Attributes attrs = searchResult.getAttributes();
                          if (attrs != null) {
                              try {
                                  LOGGER.info(" surname: " + attrs.get("cn").get());
                                  LOGGER.info(" firstname: "
                                          + attrs.get("givenName").get());
                              } catch (NullPointerException e) {
                                  LOGGER.info("Errors listing attributes: " + e);
                              }
                          }
                      }
                      LOGGER.info("Total results: " + totalResults);
                      ctx.close();
                      if (totalResults > 0) {
                          String adminName = ouName + ",dc=group,dc=net";
                          envHTable = genericLDAPLoginUtil.getEnvironmentTable(adminName,
                                  this.xyzUserName);
          
                          DirContext ctx1 = new InitialLdapContext(envHTable, null);
                          ctx1.close();
                          LOGGER.info("AUTHENTICATION ["+this.xyzUserName+"] : PASS");
                          return true;
                      } else {
                          LOGGER.info("AUTHENTICATION ["+this.xyzUserName+"] : FAILED");
                          return false;
                      }
                  } catch (NamingException exception) {
                      LOGGER.error("Problem searching directory: ", exception);
                      return false;
                  } catch (Exception exception) {
                      LOGGER.error("Unhandled Exception: ", exception);
                      return false;
                  } finally {
                      LOGGER.info("authenticate - END");
                  }
              }
          }