9 Replies Latest reply on Apr 3, 2002 2:06 AM by Wouter Beheydt

    DatabaseServerLoginModule

    deepa Newbie

      I have an application working well with the DatabaseServerLoginModule set up to authenticate a user logging in. However, when I changed the rolesQuery string to "select Role,RoleGroup from Roles where Uuid=(select role_uuid from principals_roles_ref where principal_uuid = (select Uuid from Principals where PrincipalID=?))";, I have been getting the following error whenever I try to login:

      java.lang.SecurityException: Configuration Error:

      Line 12: expected 'option key', found 'null'
      at com.sun.security.auth.login.ConfigFile.getAppConfigurationEntry(ConfigFile.java:221)
      at javax.security.auth.login.LoginContext.init(LoginContext.java:172)
      at javax.security.auth.login.LoginContext.(LoginContext.java:319)
      Could anyone tell me what this error is and what I could do to fix it? Thanks in advance!!

        • 1. Re: DatabaseServerLoginModule
          Lewis Henderson Novice

          ...check your ';' is in the right place in the auth.conf file! This caused me hours of fun!

          • 2. Re: DatabaseServerLoginModule
            Brian Fox Newbie

            Where should the ';' be?

            I can't seem to find any documentation on setting up the database authorization for JBoss 2.4.4.

            My auth.conf entry is:
            mySQL_auth {
            org.jboss.security.auth.spi.DatabaseServerLoginModule required
            dsJndiName="java:/DefaultDS"
            principalsQuery="select user_pass from users.users where user_name=?"
            rolesQuery="select role_name, group_name from users.user_roles where user_name=?"
            ;
            };

            But when I try to access the web site I get the following error:

            java.lang.SecurityException: Configuration Error:
            Line 3: expected '{', found 'null'
            at com.sun.security.auth.login.ConfigFile.getAppConfigurationEntry(ConfigFile.java:221)
            at javax.security.auth.login.LoginContext.init(LoginContext.java:172)
            at javax.security.auth.login.LoginContext.(LoginContext.java:266)
            at javax.security.auth.login.LoginContext.(LoginContext.java:380)
            at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:393)
            at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:361)
            at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:217)
            at org.jboss.web.catalina.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:253)
            at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:161)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
            at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
            at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
            at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
            at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
            at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2344)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
            at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
            at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
            at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
            at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
            at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:163)
            at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
            at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
            at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1011)
            at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1106)
            at java.lang.Thread.run(Thread.java:484)


            Any help would really be appreciated!

            • 3. Re: DatabaseServerLoginModule
              Lewis Henderson Novice

              ...could you attach the whole file as this looks ok...Check for a space after domain name and before '{'..

              Lewis

              • 4. Re: DatabaseServerLoginModule
                Brian Fox Newbie

                Lewis, thanks for the reply. As for some more background info:

                My jboss-web.xml for the app looks like:
                <?xml version="1.0" encoding="UTF-8"?>
                <jboss-web>
                <security-domain>java:/jaas/mySQL_auth</security-domain>
                </jboss-web>

                I followed the directions in the 3.0 documentation (http://www.jboss.org/online-manual/HTML/ch13s78.html). However, the documentation tells you to place the following line in the jboss.jcml file:

                org.jboss.security.SubjectSecurityProxyFactory

                JBoss 2.4.4 doesn't have this class so this failed.

                Maybe I'm missing the 2.4.4 version of this step, but the error I get really makes me think it is a syntax error in the auth.conf file.

                I've attached my auth.conf file.

                Again, I really appreciate any help
                frufox

                • 5. Re: DatabaseServerLoginModule
                  Wouter Beheydt Newbie

                  I'm discovering JBoss-Tomcat configuration by trial and error myself, so don't be offended if this is silly.

                  Why do you specify users.users and users.user_roles in your queries ? The dsJndiName already points to a specific database (called users I suppose).

                  This partially works for me :

                  bcc17 {
                  org.jboss.security.auth.spi.DatabaseServerLoginModule required
                  dsJndiName="java:/utilityDS"
                  principalsQuery="select password from users where user=?"
                  rolesQuery="select role, role_group from user_roles where user=?";
                  };

                  But I have another problem. My application correctly accesses the database to check username and password (I use form based login and get the errorpage if wrong user or password) but always denies access based on role.
                  I made a test JSP, just to return if user had the correct role, and discovered it doesn't retrieve or interpret the userrole correctly.
                  I found on this forum that you need two entries per user in the roles table, one with 'Roles' as rolegroup and one with 'CallerPrincipal'. Did this but with same result.

                  Hope this helps you one step further. And perhaps someone can help me out ?

                  • 6. Re: DatabaseServerLoginModule
                    Lewis Henderson Novice

                    ...I tried your auth.conf...

                    The LoginModule does not like the '_' in your domain name...! Not sure where this is documented !!! ;-)

                    Lewis

                    • 7. Re: DatabaseServerLoginModule
                      Lewis Henderson Novice

                      A number of things to look for...
                      1) The value of the column role_group must be 'Roles' (note case!)
                      2) Check that the user in the users table and in the user_roles table is spelt the same and the case is the same.

                      You only need a 'CallerPrincipal' row if you want to change the principal name from the one typed in (user) to something different for the value returned by a call to EJBContext.getCallerPrincipal()...Otherwise don't use it!

                      Lewis

                      • 8. Re: DatabaseServerLoginModule
                        Brian Fox Newbie

                        Lewis, you rock.

                        That '_' was my problem. If you didn't live on another continent I'd buy you a beer.

                        Wouter,

                        In answer to your question about why I put 'users.' in front of my table names...It's because I have two databases in mySQL the 'users' database to hold user information and a different database for my application specific data. I'm lazy so I only set up one DataSource at the DefaultDS jndi name. The DefaultDS datasource points to the application database so I must reference the users database. Besides I'm generally paranoid I like to put the schema.table_name in when I can.

                        • 9. Re: DatabaseServerLoginModule
                          Wouter Beheydt Newbie

                          Lewis,

                          Thanks for the reply but that's not the problem. I attach the script used to create the users db and fill it with two test users (already omitted the 'CallerPrincipal' records).

                          I have a few days off now and intend to check every step I did in my configuration next week. If I don't find out what's wrong, I'll post again with more details.

                          Wouter