1. Re: DatabaseServerLoginModule
cobraflow Mar 19, 2002 9:06 AM (in response to dgeorge)
...check your ';' is in the right place in the auth.conf file! This caused me hours of fun!
2. Re: DatabaseServerLoginModule
frufox Mar 29, 2002 9:05 AM (in response to dgeorge)
Where should the ';' be?
I can't seem to find any documentation on setting up the database authorization for JBoss 2.4.4.
My auth.conf entry is:
mySQL_auth {
    org.jboss.security.auth.spi.DatabaseServerLoginModule required
    dsJndiName="java:/DefaultDS"
    principalsQuery="select user_pass from users.users where user_name=?"
    rolesQuery="select role_name, group_name from users.user_roles where user_name=?"
    ;
};
But when I try to access the web site I get the following error:
java.lang.SecurityException: Configuration Error:
Line 3: expected '{', found 'null'
at com.sun.security.auth.login.ConfigFile.getAppConfigurationEntry(ConfigFile.java:221)
at javax.security.auth.login.LoginContext.init(LoginContext.java:172)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:266)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:380)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:393)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:361)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:217)
at org.jboss.web.catalina.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:253)
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:161)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2344)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:163)
at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1011)
at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1106)
at java.lang.Thread.run(Thread.java:484)
Any help would really be appreciated!
3. Re: DatabaseServerLoginModule
cobraflow Mar 29, 2002 10:02 AM (in response to dgeorge)
...could you attach the whole file as this looks ok...Check for a space after domain name and before '{'..
Lewis
4. Re: DatabaseServerLoginModule
frufox Mar 29, 2002 11:44 AM (in response to dgeorge)
Lewis, thanks for the reply. As for some more background info:
My jboss-web.xml for the app looks like:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/mySQL_auth</security-domain>
</jboss-web>
I followed the directions in the 3.0 documentation (http://www.jboss.org/online-manual/HTML/ch13s78.html). However, the documentation tells you to place the following line in the jboss.jcml file:
org.jboss.security.SubjectSecurityProxyFactory
JBoss 2.4.4 doesn't have this class so this failed.
Maybe I'm missing the 2.4.4 version of this step, but the error I get really makes me think it is a syntax error in the auth.conf file.
I've attached my auth.conf file.
Again, I really appreciate any help
frufox
5. Re: DatabaseServerLoginModule
wouter Mar 30, 2002 6:21 AM (in response to dgeorge)
I'm discovering JBoss-Tomcat configuration by trial and error myself, so don't be offended if this is silly.
Why do you specify users.users and users.user_roles in your queries? The dsJndiName already points to a specific database (called users I suppose).
This partially works for me:
bcc17 {
    org.jboss.security.auth.spi.DatabaseServerLoginModule required
    dsJndiName="java:/utilityDS"
    principalsQuery="select password from users where user=?"
    rolesQuery="select role, role_group from user_roles where user=?";
};
But I have another problem. My application correctly accesses the database to check username and password (I use form based login and get the errorpage if wrong user or password) but always denies access based on role.
I made a test JSP, just to return if user had the correct role, and discovered it doesn't retrieve or interpret the userrole correctly.
I found on this forum that you need two entries per user in the roles table, one with 'Roles' as rolegroup and one with 'CallerPrincipal'. Did this but with same result.
Hope this helps you one step further. And perhaps someone can help me out?
6. Re: DatabaseServerLoginModule
cobraflow Apr 1, 2002 7:37 AM (in response to dgeorge)
...I tried your auth.conf...
The LoginModule does not like the '_' in your domain name...! Not sure where this is documented !!! ;-)
Lewis
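A minimal structural check for the two auth.conf problems raised in this thread (the placement of ';' and the '_' in the domain name), as an added example that is not code from any poster or from JBoss. The `lint` function and its messages are hypothetical, and the '_' warning encodes what was reported here for JBoss 2.4.4, not a documented rule.

```python
import re

# Constructed inputs: the entry posted in this thread (shortened), and a copy
# with the ';' that ends the module line removed.
POSTED = '''mySQL_auth {
org.jboss.security.auth.spi.DatabaseServerLoginModule required
dsJndiName="java:/DefaultDS"
principalsQuery="select user_pass from users.users where user_name=?"
;
};
'''
BROKEN = POSTED.replace('\n;\n', '\n')

TOKEN = re.compile(r'"[^"\n]*"|[{};=]|[^\s{};="]+')
FLAGS = {'required', 'requisite', 'sufficient', 'optional'}
EOF = '<end of file>'

def lint(text):
    """Return (line, message) findings for a JAAS login configuration file."""
    toks = [(n, m.group()) for n, line in enumerate(text.splitlines(), 1)
            for m in TOKEN.finditer(line)]
    toks.append((len(text.splitlines()), EOF))      # sentinel keeps indexing safe
    found, i = [], 0

    def expect(sym):
        nonlocal i
        line, got = toks[i]
        if got != sym:
            found.append((line, f"expected '{sym}', found '{got}'"))
            return False
        i += 1
        return True

    while toks[i][1] != EOF:
        line, name = toks[i]                        # application (domain) name
        i += 1
        if '_' in name:                             # assumption: thread report only
            found.append((line, f"domain name '{name}' contains '_'"))
        if not expect('{'):
            return found
        while toks[i][1] not in ('}', EOF):
            i += 1                                  # skip the module class name
            if toks[i][1] not in FLAGS:
                found.append((toks[i][0], f"unknown control flag '{toks[i][1]}'"))
                return found
            i += 1
            while i + 3 < len(toks) and toks[i + 1][1] == '=':
                i += 3                              # key = "value" option
            if not expect(';'):                     # one ';' ends each module line
                return found
        if not (expect('}') and expect(';')):       # the entry itself ends with '};'
            return found
    return found
```

On `POSTED` the only finding is the domain name; on `BROKEN` it also reports the missing ';' at the line of the closing brace.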
7. Re: DatabaseServerLoginModule
cobraflow Apr 1, 2002 7:43 AM (in response to dgeorge)
A number of things to look for...
1) The value of the column role_group must be 'Roles' (note case!)
2) Check that the user in the users table and in the user_roles table is spelt the same and the case is the same.
You only need a 'CallerPrincipal' row if you want to change the principal name from the one typed in (user) to something different for the value returned by a call to EJBContext.getCallerPrincipal()...Otherwise don't use it!
Lewis
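The checklist in the post above, run against sample data, as an added example that is not code from any poster. It assumes the `users` and `user_roles` columns from the queries posted earlier in the thread, uses an in-memory SQLite database in place of MySQL, and compares names in Python so the comparison is case-sensitive; `audit_roles` and `demo` are hypothetical names.

```python
import sqlite3

# Constructed sample data: one correct user and three misconfigured ones.
SAMPLE = """
CREATE TABLE users (user TEXT, password TEXT);
CREATE TABLE user_roles (user TEXT, role TEXT, role_group TEXT);
INSERT INTO users VALUES
  ('alice', 'pw1'), ('bob', 'pw2'), ('carol', 'pw3'), ('dave', 'pw4');
INSERT INTO user_roles VALUES
  ('alice', 'admin',  'Roles'),
  ('Bob',   'member', 'Roles'),
  ('carol', 'member', 'roles'),
  ('dave',  'dave-display', 'CallerPrincipal');
"""

def audit_roles(conn):
    """Map each user to the reasons the roles table would yield no role for them."""
    rows = conn.execute("SELECT user, role, role_group FROM user_roles").fetchall()
    report = {}
    for (name,) in conn.execute("SELECT user FROM users").fetchall():
        problems = []
        mine = [r for r in rows if r[0] == name]    # exact, case-sensitive match
        for r in rows:
            # Check 2: same user name spelt with different case in the two tables.
            if r[0] != name and r[0].lower() == name.lower():
                problems.append(
                    f"user_roles has '{r[0]}', users has '{name}' (case differs)")
        for r in mine:
            # Check 1: role_group must be exactly 'Roles'; 'CallerPrincipal'
            # rows are optional and do not grant a role.
            if r[2] not in ('Roles', 'CallerPrincipal'):
                problems.append(
                    f"role_group '{r[2]}' for role '{r[1]}' is not 'Roles'")
        if not any(r[2] == 'Roles' for r in mine):
            problems.append("no row with role_group 'Roles'")
        if problems:
            report[name] = problems
    return report

def demo():
    """Load the constructed sample into an in-memory database and audit it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return audit_roles(conn)
```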
8. Re: DatabaseServerLoginModule
frufox Apr 2, 2002 2:04 PM (in response to dgeorge)
Lewis, you rock.
That '_' was my problem. If you didn't live on another continent I'd buy you a beer.
Wouter,
In answer to your question about why I put 'users.' in front of my table names...It's because I have two databases in mySQL: the 'users' database to hold user information and a different database for my application-specific data. I'm lazy so I only set up one DataSource at the DefaultDS jndi name. The DefaultDS datasource points to the application database so I must reference the users database. Besides, I'm generally paranoid; I like to put the schema.table_name in when I can.
9. Re: DatabaseServerLoginModule
wouter Apr 3, 2002 2:06 AM (in response to dgeorge)
Lewis,
Thanks for the reply but that's not the problem. I attach the script used to create the users db and fill it with two test users (already omitted the 'CallerPrincipal' records).
I have a few days off now and intend to check every step I did in my configuration next week. If I don't find out what's wrong, I'll post again with more details.
Wouter