1 2 Previous Next 22 Replies Latest reply on Nov 26, 2013 7:25 AM by ndipiazza

Exceptions in JAAS Authentication in GUVNOR 7.1

ahmedza May 15, 2013 4:53 AM

Hi,

I have run into a set of errors configuring JAAS Authentication for Guvnor. I have searched a lot on jboss community and for all the solutions nothing is working for me. I am getting either the login popup or I am getting “This User has no permissions setup”. The Guvnor Manual is referring to jboss eap 5 and I am trying to do this on Jboss AS 7.1.

Note : I am unable to find login-config.xml file mentioned in the following link. http://docs.jboss.org/drools/release/5.5.0.Final/drools-guvnor-docs/html/ch14.html . Is guvnor deployment targeted only for JBOSS EAP 5.0 ?

Environment:

Guvnor 5.5.0.Final
JBOSS AS 7.1.0

Files Configured (Only these files I configured):

Standalone.xml
Guvnor.war/WEB-INF/beans.xml
Created users using “add-user.sh”
standalone/configuration/application-users.properties

iitDev2=6c92af2424e69ba3cdc2ca981c9fc02b admin=a085fcb05ca0c1254020e68f4f18217d

standalone/configuration/application-roles.properties

iitDev2=package.developer jbossadmin=admin admin=admin

standalone/configuration/management-users.properties

jbossadmin=af2056c095d503198cb7a1b432c17bad iitAdmin=cbfe43200ac3439fee630ecb45cb83ca iitDev2=76186b89ad376f1b73fd66a632620ba8 Configurations

Standalone.xml :

Only configured below tags. There’s nothing else I changed for the purpose of JAAS Authentication and Guvnor Authorization. Added <security-domain name="drools-guvnor" cache-type="default"> to check if “other” is not working.

<security-domain name="other" cache-type="default">

<login-module code="Remoting" flag="optional">

<module-option name="password-stacking" value="useFirstPass"/>

</login-module>

<login-module code="RealmUsersRoles" flag="required">

<module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>

<module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>

<module-option name="realm" value="ApplicationRealm"/>

<module-option name="password-stacking" value="useFirstPass"/>

</login-module>

</authentication>

</security-domain>

<security-domain name="drools-guvnor" cache-type="default">

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">

<module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>

<module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>

<module-option name="realm" value="ApplicationRealm"/>

<module-option name="password-stacking" value="useFirstPass"/>

</login-module>

</authentication>

</security-domain>

Drools-guvnor.war.

beans.xml (Tried 4 different configs as suggested on community)
- Config 1 Error “This User has no permission setup”.

<security:IdentityImpl> <s:modifies/>

<security:authenticatorName>jaasAuthenticator</security:authenticatorName>

</security:IdentityImpl>

<security:jaas.JaasAuthenticator>

<s:modifies/>

<jaasConfigName>other</jaasConfigName>

</security:jaas.JaasAuthenticator>

<guvnorSecurity:RoleBasedPermissionResolver>

<s:modifies/>

<guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>

</guvnorSecurity:RoleBasedPermissionResolver>

Config 2 Error “This User has no permission setup”.

<security:IdentityImpl> <s:modifies/>

<security:authenticatorName>jaasAuthenticator</security:authenticatorName>

</security:IdentityImpl>

<security:jaas.JaasAuthenticator>

<s:modifies/>

<security:jaasConfigName>drools-guvnor</security:jaasConfigName>

</security:jaas.JaasAuthenticator>

<guvnorSecurity:RoleBasedPermissionResolver>

<s:modifies/>

<guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>

</guvnorSecurity:RoleBasedPermissionResolver>

Config 3 Error“This User has no permission setup”.

<security:IdentityImpl>

<s:modifies/>

<security:authenticatorName>jaasAuthenticator</security:authenticatorName>

</security:IdentityImpl>

<security:jaas.JaasAuthenticator>

<s:modifies/>

<jaasConfigName>other</jaasConfigName>

</security:jaas.JaasAuthenticator>

<guvnorSecurity:RoleBasedPermissionResolver>

<s:modifies/>

<guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>

</guvnorSecurity:RoleBasedPermissionResolver>

<s:modifies/>

</component>

I HAVE ALSO ADDED THIS COMPONENT TAG found every where on forums to resolve this issue. I tried Tried without this also but at that time I get LOGIN screen which always says Incorrect User/Password.Is this required or <guvnorSecurity:RoleBasedPermissionResolver> is the only authorization config.

<component name="org.jboss.seam.security.roleBasedPermissionResolver">;

<s:modifies/>

</component>

Kindly help me in this configuration. I can’t find a single authentic document for my environment.

Config3 error.txt.zip 2.3 KB
Config3 beans.xml 3.9 KB
Config2 error.txt.zip 2.1 KB
Config2 beans.xml 3.9 KB
Config1 beans.xml 3.9 KB
Config1 error.txt.zip 2.3 KB
application-users.properties.zip 696 bytes
application-roles.properties.zip 639 bytes
mgmt-users.properties.zip 739 bytes
Guvnor User Permission tab.png 49.9 KB
standalone.xml 15.5 KB

1. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

stanchat May 20, 2013 10:37 AM (in response to ahmedza)

I have the same exact problem. I am testing out some possible remedies and will post them here if I get any meaningful results.
Actions
2. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

ahmedza May 30, 2013 4:49 PM (in response to stanchat)

I have figured it out and now I have got authentication and roles permissions both work properly .
1. In drools-guvnor.war update following seam jars to 3.2.0 version
A. Seam-srcirity-3.1.0.jar
B. Seam-security-api-3.1.0.jar
2. Comment weld exclude tag for seam rule based permission at the end of beans.xml in guvnor wars
3. Use config2 from my question in this thread for beans.xml.

I have tested my configs on jboss-eap-6.0.1 and on JBoss-as-7.1.0
. Make sure you give admin access rights to "admin" user in guvnor's administration tab using demoAuthenticator in beans.xml. after giving admin access then move on to the above given steps.

I have pretty smooth grip on this thing. Anyone Stoll facing issue can reply and will surely help.

Will post my config files too overhere for clarity.
Actions
3. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

stanchat May 31, 2013 8:48 AM (in response to ahmedza)

I have installed the 3.2 jars but now i'm getting the following error in my server log:
07:45:25,157 WARN [org.jboss.security] (http-/127.0.0.1:8081-1) PBOX000234: Invalid or misspelled module option: realm

i'm using the drools-guvnor from option 2
Actions
4. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

ahmedza May 31, 2013 10:36 AM (in response to stanchat)
Please find attached my config files. Check the login-module in security-domain tag "drools-guvnor".

beans.xml 3.6 KB

users.properties.zip 197 bytes

roles.properties.zip 243 bytes

standalone.xml 15.9 KB

1 of 1 people found this helpful
Actions
5. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

sherryyur Jul 4, 2013 7:52 PM (in response to ahmedza)

I am using exactly the same config files. Still get this Error

11:49:24,566 ERROR [org.jboss.seam.security.jaas.JaasAuthenticator] (http--10.66.1.53-8180-1) JAAS authentication failed: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:270) [picketbox-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:155) [picketbox-4.0.7.Final.jar:4.0.7.Final]
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_45]
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_45]
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_45]
          at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_45]
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_45]
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_45]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_45]
          at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_45]
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_45]
          at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_45]
          at org.jboss.seam.security.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:59) [seam-security-3.2.0.Final.jar:3.2.0.Final]
          at org.jboss.seam.security.jaas.JaasAuthenticator$Proxy$_$$_WeldClientProxy.authenticate(JaasAuthenticator$Proxy$_$$_WeldClientProxy.java) [seam-security-3.2.0.Final.jar:3.2.0.Final]
          at org.jboss.seam.security.IdentityImpl.authenticate(IdentityImpl.java:224) [seam-security-3.2.0.Final.jar:3.2.0.Final]
          at org.jboss.seam.security.IdentityImpl.login(IdentityImpl.java:163) [seam-security-3.2.0.Final.jar:3.2.0.Final]
          at org.jboss.seam.security.IdentityImpl$Proxy$_$$_WeldClientProxy.login(IdentityImpl$Proxy$_$$_WeldClientProxy.java) [seam-security-3.2.0.Final.jar:3.2.0.Final]
          at org.drools.guvnor.server.security.SecurityServiceImpl.tryAutoLoginAsGuest(SecurityServiceImpl.java:110) [guvnor-webapp-core-5.5.0.Final.jar:5.5.0.Final]
          at org.drools.guvnor.server.security.SecurityServiceImpl.getCurrentUser(SecurityServiceImpl.java:99) [guvnor-webapp-core-5.5.0.Final.jar:5.5.0.Final]
          at org.drools.guvnor.server.security.SecurityServiceImpl$Proxy$_$$_WeldClientProxy.getCurrentUser(SecurityServiceImpl$Proxy$_$$_WeldClientProxy.java) [guvnor-webapp-core-5.5.0.Final.jar:5.5.0.Final]
          at org.drools.guvnor.server.SecurityServiceServlet.getCurrentUser(SecurityServiceServlet.java:74) [guvnor-webapp-core-5.5.0.Final.jar:5.5.0.Final]
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_45]
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_45]
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_45]
          at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_45]
          at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:569) [gwt-servlet-2.4.0.jar:]
          at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208) [gwt-servlet-2.4.0.jar:]
          at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248) [gwt-servlet-2.4.0.jar:]
          at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62) [gwt-servlet-2.4.0.jar:]
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
          at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
          at org.jboss.solder.servlet.exception.CatchExceptionFilter.doFilter(CatchExceptionFilter.java:65) [solder-impl-3.1.1.Final.jar:3.1.1.Final]
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
          at org.jboss.solder.servlet.event.ServletEventBridgeFilter.doFilter(ServletEventBridgeFilter.java:74) [solder-impl-3.1.1.Final.jar:3.1.1.Final]
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
Actions
6. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

sherryyur Jul 5, 2013 1:03 AM (in response to sherryyur)

Actually, the standalone.xml file is different from the one Zahid attached. My one is <server xmlns="urn:jboss:domain:1.2">, Zahid's onee is <server xmlns="urn:jboss:domain:1.3">. Don't know if this caused the error.

I turned on the DEBUG level and get the following information:

16:50:39,041 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (http--10.66.1.53-8180-1) Bad password for username=guest
16:50:39,043 ERROR [org.jboss.seam.security.jaas.JaasAuthenticator] (http--10.66.1.53-8180-1) JAAS authentication failed: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:270) [picketbox-4.0.7.Final.jar:4.0.7.Final]

Don't know where the hell this username=guest comes from.....
Actions
7. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

ndipiazza Aug 3, 2013 12:37 PM (in response to sherryyur)

I can't figure out where the username=guest is coming from either.
Actions
8. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

ahmedza Aug 6, 2013 3:39 PM (in response to ndipiazza)

Hi Nicholas,

Can u please share ur environment and the config files. Beans.xml, user.properties files, and standalone.xml (if jboss). Also tell me ur seam-security.jar version. Have u changed ur seam-security.jar version
Actions
9. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

ndipiazza Aug 6, 2013 4:31 PM (in response to ahmedza)

Hi. Thanks for the response. Here is a link to my issue with all that info https://community.jboss.org/message/831268?tstart=0
Actions
10. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

srikanthmalli Aug 8, 2013 2:49 PM (in response to ahmedza)

I had deployed on tomcat 6.18.0.

I followed your steps but still I cannot see guvnor login screen and get below error. I do not understand where the user guest coming from?

loginModule try to authenticate guest user all the time, since I cannot see login screen cannot enter other username and password.

ERROR 08-08 11:46:46,322 (Logger.java:error:1092)        JAAS authentication fai
led
javax.security.auth.login.LoginException: Security Exception
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:856)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:1
86)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:6
80)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:580)
        at org.jboss.seam.security.jaas.JaasAuthenticator.authenticate(JaasAuthe
nticator.java:59)
Actions
11. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

ndipiazza Aug 8, 2013 7:53 PM (in response to srikanthmalli)

There is definitely a bug in 5.5.0.Final that causes this. When I moved down to 5.4.0.Final... I can get the login dialog.
Actions
12. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

srikanthmalli Aug 9, 2013 6:14 PM (in response to ndipiazza)

downgrading to 5.4 worked fine for login but still getting error while logging out, did you have the same problem?

ERROR 09-08 15:13:51,415 (LoggingHelper.java:error:74)   Service method 'public
abstract void org.drools.guvnor.client.rpc.SecurityService.logout()' threw an un
expected exception: java.lang.IllegalStateException: Attempted to inject an Http
Session before it has been initialized.
java.lang.IllegalStateException: Attempted to inject an HttpSession before it ha
s been initialized.
        at org.jboss.solder.servlet.http.ImplicitHttpServletObjectsProducer.getH
ttpSession(ImplicitHttpServletObjectsProducer.java:55)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:25)
........
Actions
13. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

ndipiazza Aug 9, 2013 6:44 PM (in response to srikanthmalli)

Srikanth, can you share your Jaas login module? That will probably explain why that is happening.
Actions
14. Re: Exceptions in JAAS Authentication in GUVNOR 7.1

srikanthmalli Aug 12, 2013 12:30 PM (in response to ndipiazza)

I am using jBoss UsersRolesLoginModule.

drools-guvnor {
org.jboss.security.auth.spi.UsersRolesLoginModule required usersProperties="application-users.properties" rolesProperties="application-roles.properties" debug=true;
};
Actions

1 2 Previous Next

Go to original post