0 Replies Latest reply on Oct 28, 2003 3:54 AM by swatkat

    JBoss 3.2.1+Jetty to JBoss 3.2.2+Tomcat: BASIC auth doesnt w

    swatkat

      Hello,

I am working on JBoss 3.2.1 and using Jetty as the web container.

We have our application secured by the BASIC auth-method, and on accessing
the servlet on JBoss 3.2.1 + Jetty everything is working perfectly fine, i.e. Basic Authentication
takes place as the browser prompts with the authentication dialogue box.

But while trying to migrate to JBoss 3.2.2, which comes integrated by default with Tomcat 4.1x,
the deployment is successful and the main context displays the welcome login page.
But when I try to use the application which needs Authentication, the browser doesn't ask
for credentials: the browser DOES NOT prompt me with
the username/password dialogue box, and the EJB Container reports the authentication failure.

      server.log
      ******************************************************************************
      2003-10-28 14:13:13,838 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[Doctor, SuperUser, Receptionist, Technician, KennelOperator, Groomer, Accountant], principalRoles=[]
      2003-10-28 14:13:13,838 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[Doctor, SuperUser, Receptionist, Technician, KennelOperator, Groomer, Accountant], principalRoles=[]
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:229)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:81)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
      ...
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      ...
      at SYS.UserInterface.SecureLoginUIServlet.doGet(SecureLoginUIServlet.java:119)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
      ...
      at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:220)
      at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
      ...
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
      at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
      ...
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
      at java.lang.Thread.run(Thread.java:534)
      2003-10-28 14:13:13,854 INFO [STDOUT] RemoteException : java.rmi.ServerException: EJBException:; nested exception is:
      javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
      Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[Doctor, SuperUser, Receptionist, Technician, KennelOperator, Groomer, Accountant], principalRoles=[]
      2003-10-28 14:13:13,870 ERROR [org.jboss.web.localhost.Engine] StandardWrapperValve[SecureLoginUIServlet]: Servlet.service() for servlet SecureLoginUIServlet threw exception
      java.lang.NullPointerException
      at SYS.UserInterface.SecureLoginUIServlet.doGet(SecureLoginUIServlet.java:149)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
      ...
      at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:565)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)

      ******************************************************************************

      web.xml
      ******************************************************************************
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>servlet</web-resource-name>
<description>Declarative security tests</description>
      <url-pattern>/PracticeVeterinary/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
<description>Any user with a valid login</description>
      <role-name>ValidUser</role-name>
      </auth-constraint>
      <user-data-constraint>
<description>no description</description>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>example2</realm-name>
      </login-config>
      <security-role>
<description>A user allowed to invoke echo methods</description>
      <role-name>Echo</role-name>
      </security-role>
      ******************************************************************************

      jboss-web.xml
      ******************************************************************************
      <jboss-web>
      <security-domain>java:/jaas/example2</security-domain>
      ....
      </jboss-web>
      ******************************************************************************

      login-conf.xml
      ******************************************************************************
      <application-policy name = "example2">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
      <module-option name = "dsJndiName">java:/sscdb</module-option>
      <module-option name = "principalsQuery">select Password from Principals where PrincipalID=?</module-option>
      <module-option name = "rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
      </login-module>

      </application-policy>
      ******************************************************************************

      ejb-jar.xml
      ******************************************************************************
      ...

<description>SYS.SecureLoginBean</description>
      <display-name>SecureLoginBean</display-name>
      <ejb-name>SecureLoginBean</ejb-name>
<home>SYS.ProblemDomain.SecureLoginHome</home>
<remote>SYS.ProblemDomain.SecureLogin</remote>
      <ejb-class>SYS.ProblemDomain.SecureLoginBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <resource-ref>
      <res-ref-name>jdbc/sscdb</res-ref-name>
      <res-type>javax.sql.DataSource</res-type>
      <res-auth>Container</res-auth>
      </resource-ref>

      <assembly-descriptor>
      <security-role>
      <role-name>SuperUser</role-name>
      </security-role>
      <security-role>
      <role-name>ValidUser</role-name>
      </security-role>
      </assembly-descriptor>
      ...
      ******************************************************************************

Why does the above application work with JBoss 3.2.1 + Jetty and not work with
JBoss 3.2.2 + Tomcat?

It fails to produce an authentication dialog box (BASIC auth) when it is run on the JBoss + Tomcat version.


Any help/guideline will be highly appreciated.

      swatkat
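As an added illustration (not from the original post, and not JBoss or Tomcat code), the following Python checker reads a web.xml modelled on the fragment posted above and answers the two questions a container migration like this raises: which roles the container will require for a given request, and which descriptor inconsistencies could change whether the browser is challenged at all. The sample XML is constructed; the <web-app> root and the <description> wrappers are assumed rather than quoted. One thing it reports on this input is visible in the post itself: the auth-constraint names ValidUser while the only declared security-role is Echo. It also reports that listing http-method GET and POST leaves every other verb unconstrained, which is how the Servlet spec reads a constraint with explicit methods.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.xml fragment in the post above;
# the <web-app> root and <description> wrappers are assumed, not quoted.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>servlet</web-resource-name>
      <description>Declarative security tests</description>
      <url-pattern>/PracticeVeterinary/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>Any user with a valid login</description>
      <role-name>ValidUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example2</realm-name>
  </login-config>
  <security-role>
    <description>A user allowed to invoke echo methods</description>
    <role-name>Echo</role-name>
  </security-role>
</web-app>
"""


def _texts(elem, tag):
    """Stripped text of every direct child <tag> of elem."""
    return [c.text.strip() for c in elem.findall(tag) if c.text]


def parse_web_xml(web_xml):
    """Return (constraints, declared_roles, auth_method) from a web.xml string."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.findall("web-resource-collection"):
            patterns += _texts(wrc, "url-pattern")
            methods += [m.upper() for m in _texts(wrc, "http-method")]
        ac = sc.find("auth-constraint")
        # None: no auth-constraint (no login needed); []: auth-constraint with no roles (deny all)
        roles = None if ac is None else _texts(ac, "role-name")
        constraints.append({"patterns": patterns, "methods": methods, "roles": roles})
    declared = [r.text.strip() for r in root.findall("security-role/role-name") if r.text]
    login = root.find("login-config")
    auth_method = None
    if login is not None:
        found = _texts(login, "auth-method")
        auth_method = found[0] if found else None
    return constraints, declared, auth_method


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def required_roles(web_xml, path, method="GET"):
    """Roles a request must carry, or None when no constraint covers (method, path)."""
    constraints, _, _ = parse_web_xml(web_xml)
    for c in constraints:
        # An empty http-method list means the constraint applies to every method.
        if c["methods"] and method.upper() not in c["methods"]:
            continue
        if any(pattern_matches(p, path) for p in c["patterns"]):
            return c["roles"]
    return None


def lint(web_xml):
    """Descriptor inconsistencies that can change whether, and whom, the container challenges."""
    constraints, declared, auth_method = parse_web_xml(web_xml)
    problems = []
    if auth_method is None:
        problems.append("no <login-config>: the container has no auth-method to challenge with")
    for c in constraints:
        for role in c["roles"] or []:
            if role != "*" and role not in declared:
                problems.append(f"auth-constraint role '{role}' is not declared in any <security-role>")
        if c["methods"]:
            # Listing methods restricts the constraint to exactly those; the rest stay open.
            open_methods = sorted({"HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"} - set(c["methods"]))
            problems.append(f"{c['patterns']} is constrained only for {c['methods']}; "
                            f"{', '.join(open_methods)} remain unconstrained")
    return problems


if __name__ == "__main__":
    print(required_roles(SAMPLE_WEB_XML, "/PracticeVeterinary/SecureLoginUIServlet"))
    for problem in lint(SAMPLE_WEB_XML):
        print("WARN:", problem)
```

Run it against the real descriptor by reading the file into `SAMPLE_WEB_XML`'s place; the same functions apply to any web.xml whose elements are in the default namespace. The lint output does not say which container is right about an undeclared role, only that the two containers are free to treat it differently, which is exactly the kind of difference worth checking before concluding that the login module or the EJB layer is at fault.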