1 Reply Latest reply on Apr 13, 2006 5:38 AM by boekhoffm

    Securing static content in external dirs

    uglyhead69

      I successfully followed the instructions in the wiki to get an external directory to serve static content through JBoss 3.2.6.

      Now I need to secure access to that content through my JBoss security configuration. I figured this would be done through the Realm sub-element of the Context element where I defined the external directory, but I can't seem to get the configuration correct.

      Is there a way I can perhaps modify the default web.xml to include the path defined in the Context element? If so, where would the accompanying jboss-web.xml go?

      Or am I seeking to do the impossible? If so, I have another solution, but it involves coding, so I'd rather find something else.

        • 1. Re: Securing static content in external dirs

          Hi. I am trying to do the same as you. I have updated
          .../server/all/deploy/jbossweb-tomcat55.sar/server.xml with:

          <Context
           path="/photos"
           docBase="l:/photos"
           override="true"
          />
          


          Yes it works, but how to secure it?

          What I've found is that if you create <external-path>/WEB-INF/web.xml
          with just this in it:

          <web-app>
           <security-constraint>
           <web-resource-collection>
           <web-resource-name>Share Guests</web-resource-name>
           <url-pattern>/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
           </web-resource-collection>
           <auth-constraint>
           <role-name>McbShareRoles</role-name>
           </auth-constraint>
           </security-constraint>
          
           <login-config>
           <auth-method>BASIC</auth-method>
           <realm-name>This is the title</realm-name>
           </login-config>
          
           <security-role>
           <role-name>McbShareRoles</role-name>
           </security-role>
          </web-app>
          


          and if you create "users.properties" and "roles.properties" in the
          .../server/all/conf directory (see the .../conf/props/jmx*.properties
          files for the syntax)

          and if you check that the "other" JAAS thing is in place in
          server/all/conf/login-config.xml (I think the names of the property
          files are defaulted but I altered my version to be explicit):

          ...
          <application-policy name="other">
           <authentication>
           <login-module
           code="org.jboss.security.auth.spi.UsersRolesLoginModule"
           flag="required"
           >
           <module-option name="usersProperties">users.properties</module-option>
           <module-option name="rolesProperties">roles.properties</module-option>
           <module-option name="unauthenticatedIdentity">anonymous</module-option>
           </login-module>
           </authentication>
          </application-policy>
          


          and if you check that the "other" thing is the default thing for Tomcat, in
          .../server/all/deploy/jbossweb-tomcat55.sar/META-INF/jboss-service.xml:

          ...
          <attribute name="DefaultSecurityDomain">java:/jaas/other</attribute>
          ...
          


          and if you want to be really pedantic and sure, you create
          <external-directory>/WEB-INF/jboss-web.xml:

          <jboss-web>
           <security-domain>java:/jaas/other</security-domain>
          </jboss-web>
          


          If you do all the above, you will find that the browser prompts you for
          credentials. Unfortunately, nothing you enter will allow access as the
          authentication always fails, with the following in the log:

          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResources(jndi.properties)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jnp.interfaces.NamingContextFactory, false)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jnp.interfaces.NamingContextFactory)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: org.jboss.mx.loading.UnifiedClassLoader3@b0ede5{ url=file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/deploy/jbossweb-tomcat55.sar/ ,addedOrder=11}
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.java.javaURLContextFactory, false)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.java.javaURLContextFactory)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: org.jboss.mx.loading.UnifiedClassLoader3@b0ede5{ url=file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/deploy/jbossweb-tomcat55.sar/ ,addedOrder=11}
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.ENCFactory, false)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.ENCFactory)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: org.jboss.mx.loading.UnifiedClassLoader3@b0ede5{ url=file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/deploy/jbossweb-tomcat55.sar/ ,addedOrder=11}
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
          



          So... Then I tried putting the WEB-INF tree into a new directory (hoping
          that the "context.xml" described at the end of this rant would work):
          .../server/all/deploy/name-of-my-external-directory.war

          Well, lo and behold, the authentication bit works no worries.
          Unfortunately, there is nothing to see because the "context.xml" is not
          picked up and there are no files in
          .../server/all/deploy/name-of-my-external-directory.war (only the
          WEB-INF directory).

          Here is what comes out in the log when the authentication works:

          2006-04-12 20:34:36,781 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResources(jndi.properties)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jnp.interfaces.NamingContextFactory, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jnp.interfaces.NamingContextFactory)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.java.javaURLContextFactory, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.java.javaURLContextFactory)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.ENCFactory, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.ENCFactory)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          Lo and behold it starts working here!
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(javax.naming.Context, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.Proxy, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.Object, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.Throwable, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(javax.naming.NamingException, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.RuntimeException, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.Error, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.UndeclaredThrowableException, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.ClassNotFoundException, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.NoSuchMethodException, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.NoSuchMethodError, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.NoClassDefFoundError, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.InvocationHandler, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.Class, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(javax.naming.Name, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.String, false)
          2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManager.other] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@1553743
          2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@19f1bac
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManager.other] CachePolicy set to: org.jboss.util.TimedCachePolicy@d1e832
          2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@d1e832
          2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added other, org.jboss.security.plugins.SecurityDomainContext@e34094 to map
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.auth.spi.UsersRolesLoginModule, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.auth.spi.UsersRolesLoginModule)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(defaultUsers.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(users.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] getResource(defaultUsers.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(defaultUsers.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] getResource(users.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(users.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Returning 'file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/conf/users.properties'
          2006-04-12 20:34:36,812 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin, myuser1, anonymous, myuser2]
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(defaultRoles.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(roles.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] getResource(defaultRoles.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(defaultRoles.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] getResource(roles.properties)
          2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(roles.properties)
          2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Returning 'file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/conf/roles.properties'
          2006-04-12 20:34:36,828 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin, myuser1, anonymous, myuser2]
          2006-04-12 20:34:36,844 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'myuser1' with type 'BASIC'
          2006-04-12 20:34:36,844 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
          2006-04-12 20:34:36,844 DEBUG [org.apache.catalina.realm.RealmBase] Username myuser1 has role McbShareRoles
          2006-04-12 20:34:36,844 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
          


          So the authentication stuff in WEB.XML only works if the unpacked WAR
          (or external directory in our case) is located in the
          .../server/all/deploy directory.

          Well it all looks a bit like class-loading issues to me, so maybe some
          egg-head could tell us perhaps we have to add a "" element to
          the entry in .../server/all/deploy/jbossweb-tomcat55.sar/server.xml?

          The only clue here appears to be that in the FAILURE case, the loading
          is delegated to "org.jboss.mx.loading.UnifiedClassLoader3@b0ede5",
          whereas in the SUCCESS case, the loading is being delegated to
          "java.net.FactoryURLClassLoader@182eca8".

          P.S.

          I have found that JBoss-Tomcat doesn't seem to take any notice of any
          <external-dir>/WEB-INF/context.xml, so probably don't bother
          experimenting with this technique (instead of editing
          .../server/all/deploy/jbossweb-tomcat55.sar/server.xml), but PLEASE let
          me know if you have any luck with this because it's better to drop in
          "context.xml" files somewhere than go fiddling with Tomcat server.xml
          'cos that probably is not reloadable and you have to keep restarting
          JBoss:

          <Context
           path="/music"
           docBase="l:/music"
           override="true"
           debug="99"
          />
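
Added example, not part of either post: a small Python audit of the `web.xml` quoted in the reply. It reports that the `<http-method>` list limits the constraint to GET and POST and that BASIC login is configured without a `CONFIDENTIAL` transport guarantee, then builds a corrected descriptor. The names `audit_web_xml`, `harden` and the finding codes are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml from the reply above, compacted onto fewer lines.
PAGE_WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Share Guests</web-resource-name>
   <url-pattern>/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>McbShareRoles</role-name></auth-constraint>
 </security-constraint>
 <login-config><auth-method>BASIC</auth-method><realm-name>This is the title</realm-name></login-config>
 <security-role><role-name>McbShareRoles</role-name></security-role>
</web-app>"""

def _kids(elem, name):
    # Compare local names so descriptors with or without an XML namespace both work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, *path):
    # Stripped text of every element reached by following `path` down from elem.
    nodes = [elem]
    for name in path:
        nodes = [k for n in nodes for k in _kids(n, name)]
    return [(n.text or "").strip() for n in nodes]

def audit_web_xml(xml_text):
    """Return (code, detail) findings for a servlet deployment descriptor."""
    root = ET.fromstring(xml_text)
    weak = {"BASIC", "FORM"} & set(_texts(root, "login-config", "auth-method"))
    findings = []
    for sc in _kids(root, "security-constraint"):
        for wrc in _kids(sc, "web-resource-collection"):
            methods = _texts(wrc, "http-method")
            if methods:
                # A method list limits the constraint to those methods only.
                findings.append(("METHODS_LISTED", "%s: constraint covers only %s"
                                 % (", ".join(_texts(wrc, "url-pattern")), "/".join(methods))))
        roles = _texts(sc, "auth-constraint", "role-name")
        guarantee = _texts(sc, "user-data-constraint", "transport-guarantee")
        if roles and weak and "CONFIDENTIAL" not in guarantee:
            # BASIC and FORM logins expose the password unless TLS is required.
            findings.append(("NO_TLS_REQUIRED", "/".join(sorted(weak))))
    return findings

def harden(xml_text):
    """Drop the method lists and require TLS on every constraint."""
    root = ET.fromstring(xml_text)
    ns = root.tag[:root.tag.rfind("}") + 1]  # reuse the descriptor's namespace, if any
    for sc in _kids(root, "security-constraint"):
        for wrc in _kids(sc, "web-resource-collection"):
            for method in _kids(wrc, "http-method"):
                wrc.remove(method)
        if not _kids(sc, "user-data-constraint"):
            udc = ET.SubElement(sc, ns + "user-data-constraint")
            ET.SubElement(udc, ns + "transport-guarantee").text = "CONFIDENTIAL"
    return ET.tostring(root, encoding="unicode")
```

A `CONFIDENTIAL` guarantee only takes effect when the server has an HTTPS connector for the container to redirect to.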