1 Reply Latest reply on Apr 13, 2006 5:38 AM by boekhoffm

    Securing statis content in external dirs

    Matt Newbie

      I successfully followed the instructions in the wiki to get an external directory to serve static content through JBoss 3.2.6

      Now I need to secure access to that content through my JBoss security configuration. I figured this would be done through the Realm sub-element of the Context element where I defined the external directory, but I can't seem to get the configuration correct.

      Is there a way I can perhaps modify the default web.xml to include the path defined in the Context element? If so, where would the accompanying jboss-web.xml go?

      Or am I seeking to do the impossible, if so, I have another solution, but it involves coding, so I'd rather find something else.

        • 1. Re: Securing statis content in external dirs
          boekhoffm Newbie

          Hi. I am trying to do the same as you. I have updated
          .../server/all/deploy/jbossweb-tomcat55.sar/server.xml with:

          <Context
           path="/photos"
           docBase="l:/photos"
           override="true"
          />
          


          Yes it works, but how to secure it?

          What I've found is that if you create <external-path>/WEB-INF/web.xml
          with just this in it:

          <web-app>
           <security-constraint>
           <web-resource-collection>
           <web-resource-name>Share Guests</web-resource-name>
           <url-pattern>/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
           </web-resource-collection>
           <auth-constraint>
           <role-name>McbShareRoles</role-name>
           </auth-constraint>
           </security-constraint>
          
           <login-config>
           <auth-method>BASIC</auth-method>
           <realm-name>This is the title</realm-name>
           </login-config>
          
           <security-role>
           <role-name>McbShareRoles</role-name>
           </security-role>
          </web-app>
          


          and if you create "users.properties" and "roles.properties" in the
          .../server/all/conf directory (see the .../conf/props/jmx*.properties
          files for the syntax)

          and if you check that the "other" JAAS thing is in place in
          server/all/conf/login-config.xml (I think the names of the property
          files are defaulted but I altered my version to be explicit):

          ...
          <application-policy name="other">
           <authentication>
           <login-module
           code="org.jboss.security.auth.spi.UsersRolesLoginModule"
           flag="required"
           >
           <module-option name="usersProperties">users.properties</module-option>
           <module-option name="rolesProperties">roles.properties</module-option>
           <module-option name="unauthenticatedIdentity">anonymous</module-option>
           </login-module>
           </authentication>
          </application-policy>
          


          and if you check that the "other" thing is the default thing for Tomcat, in
          .../server/all/deploy/jbossweb-tomcat55.sar/META-INF/jboss-service.xml:

          ...
          <attribute name="DefaultSecurityDomain">java:/jaas/other</attribute>
          ...
          


          and if you want to be really pedantic and sure, you create
          <external-directory>/WEB-INF/jboss-web.xml:

          <jboss-web>
           <security-domain>java:/jaas/other</security-domain>
          </jboss-web>
          


          If you do all the above, you will find that the browser prompts you for
          credentials. Unfortunately, nothing you enter will allow access as the
          authentication always fails, with the following in the log:

          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResources(jndi.properties)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jnp.interfaces.NamingContextFactory, false)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jnp.interfaces.NamingContextFactory)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: org.jboss.mx.loading.UnifiedClassLoader3@b0ede5{ url=file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/deploy/jbossweb-tomcat55.sar/ ,addedOrder=11}
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.java.javaURLContextFactory, false)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.java.javaURLContextFactory)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: org.jboss.mx.loading.UnifiedClassLoader3@b0ede5{ url=file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/deploy/jbossweb-tomcat55.sar/ ,addedOrder=11}
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.ENCFactory, false)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.ENCFactory)
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: org.jboss.mx.loading.UnifiedClassLoader3@b0ede5{ url=file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/deploy/jbossweb-tomcat55.sar/ ,addedOrder=11}
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
          



          So... Then I tried putting the WEB-INF tree into a new directory (hoping
          that the "context.xml" described at the end of this rant would work):
          .../server/all/deploy/name-of-my-external-directory.war

          Well, lo and behold, the authentication bit works no worries.
          Unfortunately, there is nothing to see because the "context.xml" is not
          picked up and there are no files in
          .../server/all/deploy/name-of-my-external-directory.war (only the
          WEB-INF directory).

          Here is what comes out in the log when the authentication works:

          2006-04-12 20:34:36,781 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResources(jndi.properties)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jnp.interfaces.NamingContextFactory, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jnp.interfaces.NamingContextFactory)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.java.javaURLContextFactory, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.java.javaURLContextFactory)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.ENCFactory, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.ENCFactory)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          Lo and behold it starts working here!
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(javax.naming.Context, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.Proxy, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.Object, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.Throwable, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(javax.naming.NamingException, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.RuntimeException, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.Error, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.UndeclaredThrowableException, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.ClassNotFoundException, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.NoSuchMethodException, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.NoSuchMethodError, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.NoClassDefFoundError, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.InvocationHandler, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.Class, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(javax.naming.Name, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.String, false)
          2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManager.other] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@1553743
          2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@19f1bac
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManager.other] CachePolicy set to: org.jboss.util.TimedCachePolicy@d1e832
          2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@d1e832
          2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added other, org.jboss.security.plugins.SecurityDomainContext@e34094 to map
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.auth.spi.UsersRolesLoginModule, false)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.auth.spi.UsersRolesLoginModule)
          2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(defaultUsers.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(users.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] getResource(defaultUsers.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(defaultUsers.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] getResource(users.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(users.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Returning 'file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/conf/users.properties'
          2006-04-12 20:34:36,812 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin, myuser1, anonymous, myuser2]
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(defaultRoles.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(roles.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] getResource(defaultRoles.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(defaultRoles.properties)
          2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] getResource(roles.properties)
          2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(roles.properties)
          2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
          2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Returning 'file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/conf/roles.properties'
          2006-04-12 20:34:36,828 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin, myuser1, anonymous, myuser2]
          2006-04-12 20:34:36,844 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'myuser1' with type 'BASIC'
          2006-04-12 20:34:36,844 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
          2006-04-12 20:34:36,844 DEBUG [org.apache.catalina.realm.RealmBase] Username myuser1 has role McbShareRoles
          2006-04-12 20:34:36,844 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
          


          So the authentication stuff in WEB.XML only works if the unpacked WAR
          (or external directory in our case) is located in the
          .../server/all/deploy directory.

          Well it all looks a bit like class-loading issues to me, so maybe some
          egg-head could tell us perhaps we have to add a "" element to
          the entry in .../server/all/deploy/jbossweb-tomcat55.sar/server.xml?

          The only clue here appears to be that in the FAILURE case, the loading
          is delegated to "org.jboss.mx.loading.UnifiedClassLoader3@b0ede5",
          whereas in the SUCCESS case, the loading is being delegated to
          "java.net.FactoryURLClassLoader@182eca8".

          P.S.

          I have found that JBoss-Tomcat doesn't seem to take any notice of any
          <external-dir>/WEB-INF/context.xml, so probably don't bother
          experimenting with this technique (instead of editing
          .../server/all/deploy/jbossweb-tomcat55.sar/server.xml), but PLEASE let
          me know if you have any luck with this because it's better to drop in
          "context.xml" files somewhere than go fiddling with Tomcat server.xml
          'cos that probably is not reloadable and you have to keep restarting
          JBoss:

          <Context
           path="/music"
           docBase="l:/music"
           override="true"
           debug="99"
          />