4 Replies Latest reply on Apr 23, 2002 11:35 PM by Scott Stark

    BASIC auth-method doesn't ask for credentials

    Nathan Newbie

      Hi all,

      I downloaded and installed JBoss-2.4.2_Tomcat-4.0 and the JAAS howto examples. When I run the "command line" client from ant everything works great but when I try to access the SecureServlet I'm told through the browser that access is denied without it ever popping up a requester for username/password.

      When the SecureServlet is requested the following is written to the shell/console:

      [Default] Bad password for username=null

      The following is written to the log:

      [Default] Bad password for username=null
      [JBossSecurityMgrRealm] User: null is NOT authenticated
      [JBossSecurityMgrRealm] User: null is NOT authorized, requiredRoles=[Echo]

      When I built the examples it wrote auth.conf to $jboss.dist/jboss/tomcat/auth.conf so I moved it to $jboss.dist/jboss/catalina/auth.conf

      What the heck am I doing wrong?

        • 1. Re: BASIC auth-method doesn't ask for credentials
          Chis Loftus Newbie

          I noticed that nobody replied to this one. I have exactly the same problem. I'm using the JBoss_2.4.3_Tomcat_4.0 installation.

          I have a very simple stateless session bean and a servlet that accesses the bean. I've set web.xml to do basic authentication on first login. When I invoke the servlet from the browser

          http://localhost:8080/jaasex/js

          I get the response

          HTTP Status 403 - Access to the requested resource has been denied

          and

          bad password for username=null

          and no login form was presented on the browser.

          I set up my descriptors based on the howto example. Can anyone spot the problem in my XML/conf files?

          jboss-web.xml
          ==============
          <?xml version="1.0" encoding="UTF-8"?>

          <jboss-web>
          <security-domain>java:/jaas/jaasExample</security-domain>

          <ejb-ref>
          <ejb-ref-name>ejb/js</ejb-ref-name>
          <jndi-name>ejb/jaasSession</jndi-name>
          </ejb-ref>
          </jboss-web>

          web.xml
          =======

          <!DOCTYPE web-app
          PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
          "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

          <web-app>
          <display-name>JAAS Example Web Application</display-name>

          <servlet-name>JaasServlet</servlet-name>
          <display-name>JAAS Servlet</display-name>
          <servlet-class>web.JaasServlet</servlet-class>


          <servlet-mapping>
          <servlet-name>JaasServlet</servlet-name>
          <url-pattern>/js</url-pattern>
          </servlet-mapping>

          <security-constraint>
          <web-resource-collection>
          <web-resource-name>JaasSessionSecurity</web-resource-name>
          <url-pattern>/js</url-pattern>
          <http-method>HEAD</http-method>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
          <http-method>DELETE</http-method>
          <http-method>PUT</http-method>
          </web-resource-collection>
          <auth-constraint>
          <role-name>Manager</role-name>
          </auth-constraint>
          <user-data-constraint>
          Currently transport insecure
          <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
          </security-constraint>

          <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>JAAS Session Security</realm-name>
          </login-config>

          <security-role>
          The managers role
          <role-name>Manager</role-name>
          </security-role>

          <ejb-ref>
          <ejb-ref-name>ejb/js</ejb-ref-name>
          <ejb-ref-type>Session</ejb-ref-type>
          beans.JaasSessionHome
          beans.JaasSession
          </ejb-ref>
          </web-app>

          application.xml
          ===============
          <?xml version="1.0" encoding="UTF-8"?>

          <!DOCTYPE application PUBLIC '-//Sun Microsystems, Inc.//DTD J2EE Application 1.2//EN'
          'http://java.sun.com/j2ee/dtds/application_1_2.dtd'>


          <display-name>JaasExample</display-name>
          The JAAS Example Application


          warFile
          <web-uri>je.war</web-uri>
          <context-root>/jaasex</context-root>



          EJBJar
          je.jar



          jboss.xml
          ==========
          <?xml version="1.0" encoding="UTF-8"?>


          <security-domain>java:/jaas/jaasExample</security-domain>

          <enterprise-beans>


          <ejb-name>jb</ejb-name>
          <jndi-name>ejb/jaasSession</jndi-name>


          </enterprise-beans>


          ejb-jar.xml
          ===========
          <?xml version="1.0"?>
          <!DOCTYPE ejb-jar PUBLIC '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN' 'http://java.sun.com/j2ee/dtds/ejb-jar_1_1.dtd'>

          <ejb-jar>
          <enterprise-beans>

          <ejb-name>jb</ejb-name>
          beans.JaasSessionHome
          beans.JaasSession
          <ejb-class>beans.JaasSessionBean</ejb-class>
          <session-type>Stateless</session-type>
          <transaction-type>Container</transaction-type>

          </enterprise-beans>

          <assembly-descriptor>
          <security-role>
          <role-name>Manager</role-name>
          </security-role>

          <method-permission>
          <role-name>Manager</role-name>

          <ejb-name>jb</ejb-name>
          <method-name>*</method-name>

          </method-permission>
          </assembly-descriptor>

          </ejb-jar>

          auth.conf in the jboss\conf\catalina folder
          ===========================================

          jaasExample {
          // A properties file LoginModule that supports CallerPrincipal mapping
          org.jboss.security.auth.spi.UsersRolesLoginModule required
          ;
          };

          auth.conf in the jboss\client folder
          =====================================
          srp {
          // Example client auth.conf for using the SRPLoginModule
          org.jboss.security.srp.jaas.SRPLoginModule required
          password-stacking="useFirstPass"
          principalClassName="org.jboss.security.SimplePrincipal"
          srpServerJndiName="SRPServerInterface"
          debug=true
          ;

          // jBoss LoginModule
          org.jboss.security.ClientLoginModule required
          password-stacking="useFirstPass"
          ;

          // Put your login modules that need jBoss here
          };

          other {
          // Put your login modules that work without jBoss here

          // jBoss LoginModule
          org.jboss.security.ClientLoginModule required;

          // Put your login modules that need jBoss here
          };

          roles.properties
          =================
          cwl=Manager
          jjh=Manager

          and a users.properties file with passwords for both users (cwl, jjh). These property files are deployed with the je.jar file in its root directory.

          Any help would be appreciated.

          Chris

          • 2. Re: BASIC auth-method doesn't ask for credentials
            Chis Loftus Newbie

            I just tried the JaasServlet example that I posted previously with JBOSS_2.2.2_Tomcat_3.2.2. It worked, i.e. the BASIC authentication form was displayed on the browser. Does anyone know what has happened in JBOSS_2.4.3_Tomcat_4.0 to cause BASIC authentication problems with this later version?

            Thanks

            Chris

            • 3. Re: BASIC auth-method doesn't ask for credentials
              Pete Beck Newbie

              Hello, I think there may be serious issues with the authentication in Tomcat 4.0.
              If you are using the WARP connector and Apache, the release notes have this to say about it:

              * With this release, FORM-based authentication will work correctly, but
              there is a bug that prevents BASIC authentication from operating. This
              will be addressed before final release.

              • 4. Re: BASIC auth-method doesn't ask for credentials
                Scott Stark Master

                BASIC auth works with the JBoss-2.4.4_Tomcat-4.0.1 and latter bundles. If you see a 403 error you need to remove the unauthenticatedIdentity login module attribute from your configuration as this prevents the authentication challenge from being sent back to the browser.