8 Replies Latest reply on May 8, 2002 11:08 AM by Brian Smith

    Problem with Roles in Jetty

    Brian Smith Newbie

      Hi,

      I am having a problem with Roles and the JBoss 2.4.3 / Jetty 3.1.3 distribution.

      We use a custom login module that extends DatabaseServerLoginModule and overrides validatePassword. This works correctly, we see a log message that indicates the user has successfully authenticated via form-based authentication.

      However, when JaasSecurityManager.doesUserHaveRole is invoked, it returns false even though the user is a member of the requested role. I have verified this by overriding getRoleSets in our custom LoginModule and sending the roles for the user to the log.

      The log follows this message. Here are the highlights:

      1) The message "User 'vern1' authenticated" indicates that the user successfully logged in.
      2) The message "getRoleSets = 1" is output from the overridden getRoleSets, and indicates the length of the returned array.
      3) The message "group = Roles" indicates that the name of the returned Group is "Roles"
      4) The message "role = Students org.jboss.security.SimplePrincipal" indicates that the Roles group contains one Principal named Students.

      All of this is just verifying that DatabaseServerLoginModule.getRoleSets is behaving correctly.

      However, the following log message indicates that the user does not have the Role "Students", which is contrary to the above debug output.

      I have delved into the JBoss code a bit to try to determine what is going on here. In org.jboss.security.plugins.JaasSecurityManager.doesUserHaveRole, I output a log message to indicate the result of the call to getActiveSubject(). Surprisingly, this is always returning null, even though the user is logged in. doesUserHaveRole then returns false, which would explain the described failure to recognize a user's role.

      To make all of this worse, our application works fine using Tomcat / JBoss. I suspect that something is wrong with our jboss-web.xml, web.xml or auth.conf. I had to add a realm-name to login-config of web.xml in order to get Jetty to authenticate a user, is there some other configuration that Jetty requires but Tomcat ignores?

      Or, any other ideas?

      Thanks.

      Brian Smith


      Here is the relevant log output:

      [Default SocketListener-4] 2002-03-28 11:40:54,930 User 'vern1' authenticated.
      [Default SocketListener-4] 2002-03-28 11:40:55,145 *** getRoleSets = 1
      [Default SocketListener-4] 2002-03-28 11:40:55,146 *** group = Roles
      [Default SocketListener-4] 2002-03-28 11:40:55,147 *** role = Students org.jboss.security.SimplePrincipal
      [Jetty SocketListener-4] 2002-03-28 11:40:55,206 Security- User: vern1 is authenticated
      [Jetty SocketListener-0] 2002-03-28 11:40:55,227 Security- User: vern1
      [Jetty SocketListener-0] 2002-03-28 11:40:55,228 Security- User: vern1 is NOT in Role: Students
      [Jetty SocketListener-0] 2002-03-28 11:40:55,229 Security- User: vern1 is NOT in Role: Teachers
      [Jetty SocketListener-0] 2002-03-28 11:40:55,229 Security- User: vern1 is NOT in Role: Admins
      [Jetty SocketListener-0] 2002-03-28 11:40:55,230 WARNING: AUTH FAILURE: role for vern1









      [Default SocketListener-4] 2002-03-28 11:40:54,930 User 'vern1' authenticated.
      [ilsDB SocketListener-4] 2002-03-28 11:40:54,933 No transaction right now.
      [ilsDB SocketListener-4] 2002-03-28 11:40:54,934 Pool ilsDB [1/1/100] gave out pooled object: org.jboss.pool.jdbc.xa.wrapper.XAConnectionImpl@59fb21
      [ilsDB SocketListener-4] 2002-03-28 11:40:55,144 Pool ilsDB [0/1/100] returned object org.jboss.pool.jdbc.xa.wrapper.XAConnectionImpl@59fb21 to the pool.
      [Default SocketListener-4] 2002-03-28 11:40:55,145 *** getRoleSets = 1
      [Default SocketListener-4] 2002-03-28 11:40:55,146 *** group = Roles
      [Default SocketListener-4] 2002-03-28 11:40:55,147 *** role = Students org.jboss.security.SimplePrincipal
      [Jetty SocketListener-4] 2002-03-28 11:40:55,206 Security- User: vern1 is authenticated
      [Jetty SocketListener-0] 2002-03-28 11:40:55,227 Security- User: vern1
      [Jetty SocketListener-0] 2002-03-28 11:40:55,228 Security- User: vern1 is NOT in Role: Students
      [Jetty SocketListener-0] 2002-03-28 11:40:55,229 Security- User: vern1 is NOT in Role: Teachers
      [Jetty SocketListener-0] 2002-03-28 11:40:55,229 Security- User: vern1 is NOT in Role: Admins
      [Jetty SocketListener-0] 2002-03-28 11:40:55,230 WARNING: AUTH FAILURE: role for vern1






        • 1. Re: Problem with Roles in Jetty
          Brian Smith Newbie

          Whoops, sorry about the double pasting of the log.

          In further analyses, it looks like Jetty is checking roles on a different thread from the authentication. SocketListener-4 does the auth, and SocketListener-0 is checking the role. As getActiveSubject() depends on thread-local storage, that would explain why it can't find the current user.

          Which begs the question: "Why is it doing this?"

          • 2. Re: Problem with Roles in Jetty FORM-based authentication
            Brian Smith Newbie

            OK, here's some more info on the problem.

            I have created a small 'hello, world' test application that reproduces the problem I was having with our system.

            This test app works when using BASIC authentication, but fails when using FORM authentication.

            When using BASIC authentication, the user is able to successfully login and his Role membership is recognized. When I change web.xml to use FORM authentication, the user can authenticate but system does not recognize his Role.


            Here is the log for BASIC auth:

            [INFO,JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@56b93a
            [INFO,JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@798d58
            [INFO,JaasSecurityManagerService] Added hello, org.jboss.security.plugins.SecurityDomainContext@2ea710 to map
            [INFO,JettyService] Security- User: bsmith
            [INFO,JettyService] Security- created JBossUserRealm::User: bsmith
            [INFO,JettyService] Security- User: bsmith is authenticated
            [INFO,JettyService] Security- User: bsmith is in Role: Foo


            Here is the log for FORM auth:

            [INFO,JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@1c6163
            [INFO,JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@34cfb
            [INFO,JaasSecurityManagerService] Added hello, org.jboss.security.plugins.SecurityDomainContext@330fb9 to map
            [INFO,JettyService] Security- User: bsmith
            [INFO,JettyService] Security- created JBossUserRealm::User: bsmith
            [INFO,JettyService] Security- User: bsmith is authenticated
            [INFO,JettyService] Security- User: bsmith
            [WARN,JettyService] Security- User: bsmith is NOT in Role: Foo
            [WARN,JettyService] Security- User: bsmith is NOT in Role: Bar
            [WARN,JettyService] Security- User: bsmith is NOT in Role: Baz
            [WARN,JettyService] WARNING: AUTH FAILURE: role for bsmith

            So, without being overly presumptuous, it looks like form-based authentication is broken in JBoss 2.4.4 / Jetty 3.1.3?? In reviewing the change log for Jetty, there appears to have been some work checked in for resolving form-based authentication problems. Especially interesting is the comment for 3.1.3:
            + Improved FORM auth handling of role failure.

            Anybody out there that knows how to fix this problem?

            -brian

            PS: Config and DDs

            Here is my auth.conf:

            hello {
            org.jboss.security.auth.spi.DatabaseServerLoginModule required
            dsJndiName="java:/ilsDB"
            principalsQuery="select password from hello_user where username=?"
            rolesQuery="select grpname, 'Roles' from hello_user where username=?"
            ;
            };


            Here is my web.xml:

            <?xml version="1.0"?>
            <web-app>

            <display-name>Hello World</display-name>

            <!-- define servlets to register with the server -->


            <servlet-name>HelloServlet</servlet-name>
            <servlet-class>com.ignite.hello.HelloServlet</servlet-class>



            <!-- define URL mapping to servlets -->



            <servlet-mapping>
            <servlet-name>HelloServlet</servlet-name>
            <url-pattern>/servlet/hello</url-pattern>
            </servlet-mapping>


            <!-- configure the session parameters -->
            <session-config>
            <session-timeout>30</session-timeout>
            </session-config>


            <!-- default files for a directory -->
            <welcome-file-list>
            <welcome-file>index.jsp</welcome-file>
            <welcome-file>index.html</welcome-file>
            </welcome-file-list>



            <!-- security constraint -->

            <security-constraint>
            <web-resource-collection>
            <web-resource-name>All</web-resource-name>
            Declarative security tests
            <url-pattern>/servlet/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            </web-resource-collection>
            <auth-constraint>
            <role-name>Foo</role-name>
            <role-name>Bar</role-name>
            <role-name>Baz</role-name>
            </auth-constraint>
            <user-data-constraint>
            no description
            <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
            </security-constraint>

            <!-- configure the method of logging in -->
            <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>Gondor</realm-name>

            <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
            </form-login-config>

            </login-config>

            <!-- security-role -->

            <security-role>
            <role-name>Foor</role-name>
            </security-role>

            <security-role>
            <role-name>Bar</role-name>
            </security-role>

            <security-role>
            <role-name>Baz</role-name>
            </security-role>

            </web-app>


            jboss-web.xml:

            <?xml version="1.0"?>
            <jboss-web>
            <security-domain>java:/jaas/hello</security-domain>
            </jboss-web>

            • 3. Re: Problem with Roles in Jetty FORM-based authentication
              Jules Gosnell Novice


              Firstly - There is a new JBoss/Jetty release on SourceForge:
              http://prdownloads.sourceforge.net/jboss/JBoss-2.4.4_Jetty-3.1.7-1.zip


              Secondly, you could try this on JBoss3.0 :

              http://sourceforge.net/cvs/?group_id=22866


              If it works in 3.0 I will backport it for you.

              If it doesn't, we will fix it and backport it.


              How does that sound ?


              Jules

              • 4. Re: Problem with Roles in Jetty FORM-based authentication
                Jeroen Sikking Newbie

                Hi,

                Has this problem been solved yet? I'm having trouble with it aswell. I've tried the JBoss/Jetty release you mentioned but to no avail. It does seem to work with JBoss 3.0.

                • 5. Re: Problem with Roles in Jetty FORM-based authentication
                  Brian Smith Newbie

                  Thanks, Jules. This project was pushed aside, I hope to begin working on it again soon.

                  I see from oxcart's post that it does work in 3.0. Once I hear of a backport to 2.x, I'll reopen the porting effort.

                  Thanks.

                  -brian

                  • 6. Re: Problem with Roles in Jetty FORM-based authentication
                    Brian Smith Newbie

                    Is there any update on getting a JBoss 2.4.x / Jetty build that properly handles form validation? We're going to be looking at this over the next few weeks.

                    Thanks!

                    -brian

                    • 7. Re: Problem with Roles in Jetty FORM-based authentication
                      Chris Harris Newbie

                      I've run into this problem too - exactly the same.

                      We use JBoss2.4.4 with Jetty 3.1.7 and it has the threading problem you mentioned. This problem also made its way onto the jetty-discuss yahoo group but didn't seem to be resolved.

                      A workaround for the short-term is to use basic auth instead of form, but this is ugly. JBoss 2.4.5 (out any day now) comes with Jetty 4.0 which should be better (I haven't tested) but is a servlet 2.3 engine and may give you other problems w.r.t. the servlet spec.

                      So I don't think there's a solution yet.

                      • 8. Re: Problem with Roles in Jetty FORM-based authentication
                        Brian Smith Newbie

                        That's not much of a workaround when form-based authentication is a product requirement.

                        :)