2 Replies Latest reply on Dec 5, 2014 8:20 AM by Alexis Araya

    Error Jass CustomLogin Jboss 7

    Alexis Araya Newbie

      Hello,
      I tried for hours and I have not been able to find the solution.
      JBoss fails to authorize me by roles.

      The login is correct, but it does not assign roles.


      AGLoginModule.java

      public class AGLoginModule implements LoginModule {
          protected Subject _subject;
          protected CallbackHandler _callbackHandler;
          protected Map _sharedState;
          // ....

          public void initialize(Subject subject, CallbackHandler cbh, Map sharedState, Map options) {
              this._subject = subject;
              this._callbackHandler = cbh;
              this._sharedState = sharedState;
              this._options = options;
              // ....
          }

          public boolean login() throws LoginException {
              // ...
          }

          public boolean commit() throws LoginException {
              // The user principal and the role principal are both added directly to the Subject
              userPrincipal = new UserPrincipal(_username);
              _subject.getPrincipals().add(userPrincipal);

              rolePrincipal = new RolePrincipal("ADMG");
              _subject.getPrincipals().add(rolePrincipal);

              return true;
          }
      }
      

       

      web.xml

      ..
      <security-constraint>
          <web-resource-collection>
              <web-resource-name>Permisos Administrador Garantias</web-resource-name>
              <url-pattern>/faces/default/Inicio.jspx</url-pattern>
              <url-pattern>/faces/seguridad/SeteosPersonales.jspx</url-pattern>
          </web-resource-collection>
          <auth-constraint>
              <role-name>ADMG</role-name>
          </auth-constraint>
      </security-constraint>

      <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>jBossJaasPostgreRealm</realm-name>
          <form-login-config>
              <form-login-page>/seguridad/Login.jsp</form-login-page>
              <form-error-page>/seguridad/Login.jsp</form-error-page>
          </form-login-config>
      </login-config>
      

       

      jboss-web.xml

       

      <?xml version="1.0" encoding="UTF-8" ?>
      <jboss-web>
         <security-domain>jBossJaasPostgreRealm</security-domain>
          <context-root>/AGPROD</context-root>
      </jboss-web>
      

       

      standalone.xml

      <subsystem xmlns="urn:jboss:domain:security:1.1">
          <security-domains>
              <security-domain name="jBossJaasPostgreRealm" cache-type="default">
                  <authentication>
                      <login-module code="com.sag.extensiones.login.AGLoginModule" flag="required">
                      </login-module>
                  </authentication>
              </security-domain>
              <security-domain name="jboss-web-policy" cache-type="default">
                  <authorization>
                      <policy-module code="Delegating" flag="required"/>
                  </authorization>
              </security-domain>
              <security-domain name="jboss-ejb-policy" cache-type="default">
                  <authorization>
                      <policy-module code="Delegating" flag="required"/>
                  </authorization>
              </security-domain>
          </security-domains>
      </subsystem>
      

       

      server.log

      You can see the following: Checking roles GenericPrincipal[admin()] ??

      It should be: Checking roles GenericPrincipal[admin([ADMG])] ???

       

      10:13:52,489 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-3) defaultLogin, lc=javax.security.auth.login.LoginContext@2bfb3ddf, subject=Subject(2073760263).principals=com.sag.extensiones.login.UserPrincipal@29149431(com.sag.extensiones.login.UserPrincipal@112dd105)com.sag.extensiones.login.RolePrincipal@1458939922(com.sag.extensiones.login.RolePrincipal@19ed6258)com.sag.extensiones.login.RolePrincipal@1458939922(com.sag.extensiones.login.RolePrincipal@2fd38cb4)com.sag.extensiones.login.RolePrincipal@1458939922(com.sag.extensiones.login.RolePrincipal@69ba95f3)com.sag.extensiones.login.RolePrincipal@1458939922(com.sag.extensiones.login.RolePrincipal@58cababf)
      10:13:52,492 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-3) updateCache, inputSubject=Subject(2073760263).principals=com.sag.extensiones.login.UserPrincipal@29149431(com.sag.extensiones.login.UserPrincipal@112dd105)com.sag.extensiones.login.RolePrincipal@1458939922(com.sag.extensiones.login.RolePrincipal@19ed6258)com.sag.extensiones.login.RolePrincipal@1458939922(com.sag.extensiones.login.RolePrincipal@2fd38cb4)com.sag.extensiones.login.RolePrincipal@1458939922(com.sag.extensiones.login.RolePrincipal@69ba95f3)com.sag.extensiones.login.RolePrincipal@1458939922(com.sag.extensiones.login.RolePrincipal@58cababf), cacheSubject=Subject(1705672
      10:13:52,497 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-3) Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@1c8106fa
      10:13:52,497 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-3) End isValid, true
      10:13:52,499 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-3) User: admin is authenticated
      10:13:52,499 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-3) Authentication of 'admin' was successful
      10:13:52,500 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-3) Redirecting to original '/SAGPROD/faces/default/Inicio.jspx'
      10:13:52,530 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-3)  Calling hasUserDataPermission()
      10:13:52,531 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-3)   User data constraint has no restrictions
      10:13:52,532 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-3)  Calling authenticate()
      10:13:52,532 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-3) Restore request from session '4iBeShC-W4wurYGHkXmKfWTC.undefined'
      10:13:52,533 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-3) Authenticated 'admin' with type 'FORM'
      10:13:52,534 DEBUG [org.apache.tomcat.util.http.Parameters] (http--127.0.0.1-8080-3) Set query string encoding to null
      10:13:52,535 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-3) Proceed to restored request
      10:13:52,536 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-3)  Calling accessControl()
      10:13:52,538 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-3)   Checking roles GenericPrincipal[admin()]
      10:13:52,551 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-3) El usuario admin NO desempeña el papel de ADMG
      10:13:52,551 TRACE [org.jboss.as.web.security] (http--127.0.0.1-8080-3) hasRole:RealmBase says:false::Authz framework says:true:final=false
      10:13:52,552 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-3) No role found:  ADMG
      

       

      Thanks for the help

        • 1. Re: Error Jass CustomLogin Jboss 7
          raylite3 Apprentice

          Try adding a group (impl of java.security.acl.Group) called 'Roles' and add principals (impl of java.security.Principal) to it with the names of the roles you want to assign.

           

          MyGroup roles = new MyGroup("Roles");
          roles.addMember(new MyRole("role1"));
          _subject.getPrincipals().add(roles);

           

          You should also add a group called "CallerPrincipal" so that the identity is accessible from the session context.

           

          MyGroup callerPrincipal = new MyGroup("CallerPrincipal");
          callerPrincipal.addMember(new MyPrincipal("admin"));
          _subject.getPrincipals().add(callerPrincipal);
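
The suggestion in reply 1, written out as a self-contained added example (not code from the thread or from JBoss): it contrasts a Subject with the role added directly, as in the question, with one that carries the "Roles" and "CallerPrincipal" groups. `Named` and `NamedGroup` are hypothetical stand-ins for the reply's `MyPrincipal`/`MyRole` and `MyGroup`, and `rolesSeen` is an assumed, simplified model of the container's role lookup.

```java
import java.security.Principal;
import java.security.acl.Group; // needs JDK 13 or earlier; the API was removed in JDK 14
import java.util.*;
import javax.security.auth.Subject;
public class RolesGroupDemo {
    // Hypothetical stand-ins for the reply's MyPrincipal/MyRole and MyGroup.
    static class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && ((Named) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    static class NamedGroup extends Named implements Group {
        private final Set<Principal> members = new LinkedHashSet<Principal>();
        NamedGroup(String name) { super(name); }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
    }
    // What commit() adds to the Subject: the user plus the two groups named in the reply.
    static void populate(Subject s, String user, String... roles) {
        s.getPrincipals().add(new Named(user));
        NamedGroup roleGroup = new NamedGroup("Roles");
        for (String r : roles) roleGroup.addMember(new Named(r));
        s.getPrincipals().add(roleGroup);
        NamedGroup caller = new NamedGroup("CallerPrincipal");
        caller.addMember(new Named(user));
        s.getPrincipals().add(caller);
    }
    // Simplified model (an assumption, not JBoss source): only members of a Group named "Roles" count as roles.
    static Set<String> rolesSeen(Subject s) {
        Set<String> out = new TreeSet<String>();
        for (Group g : s.getPrincipals(Group.class)) {
            if (!"Roles".equals(g.getName())) continue;
            for (Principal p : Collections.list(g.members())) out.add(p.getName());
        }
        return out;
    }
    public static void main(String[] args) {
        Subject flat = new Subject(); // constructed input: role added directly, as in the question
        flat.getPrincipals().addAll(Arrays.asList(new Named("admin"), new Named("ADMG")));
        Subject grouped = new Subject();
        populate(grouped, "admin", "ADMG");
        System.out.println("flat=" + rolesSeen(flat) + " grouped=" + rolesSeen(grouped));
    }
}
```

On JBoss itself, PicketBox's `org.jboss.security.SimpleGroup` and `org.jboss.security.SimplePrincipal` can be used in place of the hand-written `NamedGroup` and `Named` classes.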

          • 2. Re: Error Jass CustomLogin Jboss 7
            Alexis Araya Newbie

            Thank you. Now it works.

             

            Best Regards

             

            Alexis