7 Replies Latest reply on May 8, 2002 10:44 AM by Honda Civic

    Configuring security

    Jason Vasquez Newbie

      Hi all --

      Using the JBoss 2.4.3/Tomcat4 bundle, I can't seem to get authentication working. (I'm using a custom JAAS login module that is known to work)

      Whenver I visit a secure area with the browser, all I get is a "403 Access denied" message, and am never prompted for a login. The JBoss console shows this:

      [Default] Bad password for username=null

      Any ideas as to what might be going on here?

        • 1. Re: Configuring security
          Jason Vasquez Newbie

          I should add that this only occurrs with BASIC authentication. Form based authentication appears to be OK.

          • 2. Re: Configuring security
            Jason Vasquez Newbie

            Even more info:

            Now I'm using Form authentication, since Basic still doesn't work. For a test, I have an 'index.jsp' in my secured directory. I can get authenticated and get to it ok, but I'm seeing some really weird behavior.

            The index.jsp references a stylesheet and 2 images in its HTML. For some reason, I appear to be randomly authorized or not authorized for these other files (sometimes one of the images will be blank, or the stylesheet is obviously missing). The odd thing is that hitting refresh comes up with a different combination every time (I've been repeatedly pressing refresh). I'll see messages in the JBoss console saying that my userid is authenticated (at first) and then authorized, with messages about not being authorized because of a missing role -- yet this userid is a member of that role, and must be to even get to this point.

            -jason

            • 3. Re: Configuring security
              Clayton Wheeler Newbie

              I saw the same random authorization failures. I'm not too familiar with JBoss or Catalina internals, but it looked like the problem was improper propagation of the security data when testing authorization for a user with Catalina-cached authentication.

              I worked around this by using a modified org.apache.catalina.authenticator.FormAuthenticator which does not perform the first (principal != null) test in its authenticate() method.

              This successfully bypasses Catalina's caching of Principals, instead retrieving them from the JBossSX layer (and its cache) each time. I believe this is necessary to reliably have a properly initialized Subject at authorization time.

              I still haven't figured out why it would only fail about 10-20% of the time. My guess is improper sharing of state between threads, but it's hard to tell. Perhaps a JBossSX expert could shed some light on this?

              By the way, FormAuthenticator is inexplicably final, so I had to copy-and-paste it. To use your own Authenticator, you need to change org/apache/catalina/startup/Authenticators.properties, which maps authentication modes to Authenticators.

              • 4. Re: Configuring security
                Jason Vasquez Newbie

                Hmmm...since it's more than just me seeing this, I went ahead and filed a bug report ( http://sourceforge.net/tracker/index.php?func=detail&aid=475156&group_id=22866&atid=376685 ) -- after I filed that I noticed another bug report talking about problems with simultaneous requests (first request goes ok, other requests taking place at the same time fail) So, we might be seeing a weird manifestation of this bug: http://sourceforge.net/tracker/index.php?func=detail&aid=471225&group_id=22866&atid=376685 .

                • 5. Re: Configuring security
                  Jason Vasquez Newbie

                  claytonw -- thanks for the pointer...for now, I've gotten BASIC authentication working, and I'm not seeing the same authorization probs. (By the way, I just looked at the jakarta catalina CVS, and it looks ilke they've removed the final protection on that FormAuthenticator class)

                  • 6. Re: Configuring security
                    Clayton Wheeler Newbie

                    Glad that worked for you. I've narrowed the problem down a bit; Tomcat's Principal caching is the problem, but it can be disabled. Catalina's abstract AuthenticatorBase provides a setCache(boolean) method, and calling setCache(false) suffices to cause reauthentication against the JBossSecurityMgrRealm on each visit without needing to modify the authenticators themselves. I've added some code to EmbeddedCatalinaServiceSX to do that.

                    When I get a chance, I'll clean things up and submit patches for that and Ajp13 integration with Apache. Next on my list is Tomcat SingleSignOn support...

                    • 7. Re: Configuring security
                      Honda Civic Newbie

                      I am also trying to extend FormAuthenticator. Not exactly know what to do. Can you post an example of how you derived from FormAuthenticator in a skeleton, with all specific details removed? Also, what else did you change to get it to work, any changes to any of the descriptor files.


                      Thanks in advance.