1 2 3 Previous Next 31 Replies Latest reply on Apr 3, 2003 2:50 AM by Mick Knutson

    JAAS Authorization problem

    Yoni Newbie

      I'm trying to do the following:
      1. User connects to servlet.
      2. the servlet initiates a new AppCallbackHandler with constant username, password (not received from the http request).
      3. The servlet creates a login context and login the handler.
      4. The servlet calls an EJB bean which is conigured for a specific Role.

      Currently I manage to authorize my user, but the authorization fails with an excption:

      [Default] Created LoginContext
      [Default] User 'myUser' authenticated.
      [Default] Subject:
      Principal: myUser
      Principal: Roles
      [Default] Bad password for username=null
      [MCView] Authentication exception, principal=null
      [Default] Exception: java.rmi.RemoteException: checkSecurityAssociation; nested
      exception is:
      java.lang.SecurityException: Authentication exception, principal=null
      [Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception i
      s:
      java.lang.SecurityException: Authentication exception, principal=null
      [Default] java.lang.SecurityException: Authentication exception, principal=null
      [Default] <<no stack trace available>>
      [Default]

      I must be missing something in between because the client is authenticated at the servlet side (client) but fails to authorize the user at the server side (bean).
      I'm running JBoss-2.4.1a with the Tomcat embedded.
      Any help will be appreciated.

        • 1. Re: JAAS Authorization problem
          deepa Newbie

          How do you do the client-side login? Please explain. As I can understand it, you are missing the reqiured client-side jar files needed for the authentication.

          • 2. Re: JAAS Authorization problem
            Yoni Newbie

            I'm using the auth.conf file to define the login module - I use this one under the name example1:
            org.jboss.security.auth.spi.UsersRolesLoginModule required ;

            In the servlet web.xml file I added:
            <web-app>
            .
            .
            .
            <security-role>
            Role to invoke methods
            <role-name>admin</role-name>
            </security-role>

            <ejb-ref>
            <ejb-ref-name>ejb/SecuredEJB</ejb-ref-name>
            <ejb-ref-type>Session</ejb-ref-type>
            beans.MyBeanHome
            beans.MyBean
            </ejb-ref>

            </web-app>

            and now the part I don't know -the example specifies a file called jboss-web.xml but I don't know where to put it (under WEB-INF ?). The file looks like this:
            <jboss-web>
            <security-domain>java:/jaas/example1</security-domain>
            <ejb-ref>
            <ejb-ref-name>ejb/SecuredEJB</ejb-ref-name>
            <jndi-name>comp/env/ejb/mybean</jndi-name>
            </ejb-ref>
            </jboss-web>

            I also added users.properties and roles.properties files to the directory where the auth.conf file is.

            • 3. Re: JAAS Authorization problem
              deepa Newbie

              jboss-web.xml is placed in the WEB-INF directory. If you follow the jaas example found in JavaWorld, it would be very helpful in understanding your problem. Where is your auth.conf placed? Is it in jboss.home/conf/tomcat or is it in jboss.home/client? This really makes a difference with respect to your problem. If it is in jboss.home/conf/tomcat, then you have to copy the necessary jar files from jboss.home/client to the jboss.home/conf/tomcat dir. and you'll see the difference.

              • 4. Re: JAAS Authorization problem
                Yoni Newbie

                When the JBoss server start it states the auth.conf file location:
                Using JAAS LoginConfig: file:/D:/dev/runtime/JBoss-2.4.1/jboss/conf/tomcat/auth.conf

                I don't know how to direct it to a certain auth.conf file except for defining it in the java.security file of the jre.

                Which files are missing ? the jar files are located in the lib and lib\ext folders and loaded automaticaly.

                What configuration error can cause the servlet to authenticate the user but the bean to fail ? It looks like the user data (name,pass) doesn't get to the bean at all.

                One important thing I forgot to mention - the bean is in a jar file, located at the jboss.home/deploy directory. The Servlet runs under the tomcat.home/webapps directory and is open (not packed in an archive) for convenience of updating classes. Can this cause the problems ? and if so, what happens when a call is made between two separated computers with two different VMs.

                • 5. Re: JAAS Authorization problem
                  deepa Newbie

                  You forgot to perform real login.

                  To have working security in you app you will need following:

                  On the backend:
                  - configured login modules(D:/dev/runtime/JBoss-2.4.1/jboss/conf/tomcat/auth.conf) which can authenticate
                  your username/password and assign roles based on it

                  - activates security in EJB descriptors

                  On the frontend:
                  - configured login modules(D:/dev/runtime/JBoss-2.4.1/jboss/client/auth.conf) for the frontend.
                  Simpliest would be ClientLoginModule which
                  just saves supplied data for further EJB invocations
                  - call to this login module from your servlet


                  Note that authentication/authorisation on the frontend
                  and backend is not necessarily the same.

                  Your principal/credentials will be passed to EJB backend on every invocation

                  • 6. Re: JAAS Authorization problem
                    Yoni Newbie

                    Still not working although I noticed a behaviour that might help to pin-point what I'm doing wrong.
                    I wrapped the application in a ear file that contains both jar and war, and deployed in the jboss/deploy directory.

                    I noticed the only auth.conf file used is tne one under jboss/conf/tomcat, I declared two login modules there: 'client' for

                    my servlet's use and 'example1' for the bean. I'm not using any authentication/authorization when I connect to the servlet,

                    the servlet has a CallBackHandler in it, initialized with a constant user/pass and login it in the 'client' login module.
                    In the jboss-web.xml I define the 'client' as the login module (java:/jaas/client). I verified that the 'client' definition is not taken from the client/auth.conf file.


                    Now, I want to use authorization at the bean, but from some reason the principal is not passed from the servlet to the bean.

                    When I use UsersRolesLoginModule for the servlet, the users and roles property files are loaded and the user is assigned with

                    the proper roles (I print the roles in the servlet, after login). But when the bean is accessed (defined with

                    ClientLoginModule) I get the following exception:

                    [MyBean] Insufficient method permissions, principal=null, method=create, requiredRoles=[admin, user]
                    [Default] Exception: java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
                    java.lang.SecurityException: Insufficient method permissions, principal=null, method=create, requiredRoles=[admi
                    n, user]
                    [Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
                    java.lang.SecurityException: Insufficient method permissions, principal=null, method=create, requiredRoles=[admi
                    n, user]
                    [Default] java.lang.SecurityException: Insufficient method permissions, principal=null, method=create, requiredRoles=[ad
                    min, user]
                    [Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:215)

                    The prinipal that is passed to the bean is 'null'.


                    When I define both servlet and bean to use ClientLoginModule I get the following:

                    [MyBean] Insufficient method permissions, principal=myUser, method=create, requiredRoles=[admin, user]
                    [Default] Exception: java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
                    java.lang.SecurityException: Insufficient method permissions, principal=myUser, method=create, requiredRoles=[admi
                    n, user]

                    The principal is passed but I can't assign roles to the user using this module, hence can't test the authorization process.


                    When using UsersRolesLoginModule for the bean and ClientLoginModule for the servlet I get the following:

                    [MyBean] CONTAINER EXCEPTION:No security context set
                    [MyBean] java.lang.IllegalStateException: No security context set

                    Is there a configuration I forgot or some sort of mapping I failed to do ?

                    • 7. Re: JAAS Authorization problem
                      BlogEasy Support Newbie

                      I encountered this same problem. Turns out there is a simple solution. Make sure you are definately using the "client-login" and org.jboss.security.ClientLoginModule on your client side, otherwise the principal will never get set and you need this. The reason for this is the Security Assocation that gets set on the client side. In your case the client side is your servlet, so you will need to make sure your servlet uses this. Next, use the UsersRolesLoginModule on your server side. The client and server side will be different. It took a long time to figure out why this was, but it's due to the SecurityAssociation being set on the client side and the server performing the real login check. The client is only setting up the necessary credentials for the server. You will be able to control all the roles for the user through the server side UsersRolesLoginModule.

                      • 8. Re: JAAS Authorization problem
                        Maurice Mills Newbie

                        This sounds like it should make sense, but it does not.

                        I have absolutely no idea how to do this. Could someone please post some sample code.

                        • 9. Re: JAAS Authorization problem
                          Scott Stark Master

                          There is example code in the org.jboss.test.web.servlets.ClientLoginServlet of the JBossTest cvs module. From inside the JBoss vm you need to use the client-login configuration entry as stated by adrock:

                          protected void processRequest(HttpServletRequest request, HttpServletResponse response)
                          throws ServletException, IOException
                          {
                          LoginContext lc = null;
                          String echoMsg = null;
                          try
                          {
                          lc = doLogin("jduke", "theduke");
                          InitialContext ctx = new InitialContext();
                          StatelessSessionHome home = (StatelessSessionHome) ctx.lookup("java:comp/env/ejb/SecuredEJB");
                          StatelessSession bean = home.create();
                          echoMsg = bean.echo("ClientLoginServlet called SecuredEJB.echo");
                          }
                          catch(LoginException e)
                          {
                          throw new ServletException("Failed to login to client-login domain as jduke", e);
                          }
                          catch(Exception e)
                          {
                          throw new ServletException("Failed to access SecuredEJB", e);
                          }
                          finally
                          {
                          if( lc != null )
                          {
                          try
                          {
                          lc.logout();
                          }
                          catch(LoginException e)
                          {
                          }
                          }
                          }

                          response.setContentType("text/html");
                          PrintWriter out = response.getWriter();
                          out.println("");
                          out.println("ClientLoginServlet");
                          out.println("<h1>ClientLoginServlet Accessed</h1>");
                          out.println("Login as user=jduke succeeded.SecuredEJB.echo returned:"+echoMsg+"");
                          out.println("");
                          out.close();
                          }

                          private LoginContext doLogin(String username, String password) throws LoginException
                          {
                          UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password.toCharArray());
                          LoginContext lc = new LoginContext("client-login", handler);
                          lc.login();
                          return lc;
                          }

                          • 10. Re: JAAS Authorization problem
                            Yoni Newbie

                            I've done as you suggested starksm, using the UsernamePasswordHandler (although, must I use it ? it seems strange to use a

                            JBoss import in my servlet). I configured the LoginContext to use client-login, but it didn't help.
                            I can get the home interface but the create operation fails.

                            Here are the exceptions I get when using the different client-server login configurations.
                            I keep thinking there might be a configuration error in my jar files, can anyone guess what configuration error can cause

                            such exceptions ?

                            Both client-login and example1 definitions are in the conf/tomcat/auth.conf file.
                            By the way, using other modules for client-login works perfectly (DB, UsersRoles, Simple) and I can see the users data

                            retrieved and authenticated.



                            client-login {
                            org.jboss.security.ClientLoginModule required;
                            };


                            example1 {
                            org.jboss.security.auth.spi.UsersRolesLoginModule required;
                            };


                            [Default] LoginContext create.
                            [Default] lc.getSubject(): Subject:
                            [Default] got the home interface: comp/env/ejb/dm/mybeanHome
                            [Default] User 'yoni' authenticated.
                            [Default] request getNextMessage()
                            [MyBean] CONTAINER EXCEPTION:No security context set
                            [MyBean] java.lang.IllegalStateException: No security context set
                            [MyBean] at org.jboss.ejb.EnterpriseContext$EJBContextImpl.getCallerPrincipal(EnterpriseContext.java:248)
                            [MyBean] at beans.MyBeanEJB.setSessionContext(MyBeanEJB.java:185)
                            [MyBean] at org.jboss.ejb.StatelessSessionEnterpriseContext.(StatelessSessionEnterpriseContext.java:49)
                            [MyBean] at org.jboss.ejb.plugins.StatelessSessionInstancePool.create(StatelessSessionInstancePool.java:54)
                            [MyBean] at org.jboss.ejb.plugins.AbstractInstancePool.get(AbstractInstancePool.java:125)
                            [MyBean] at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.
                            java:79)
                            [MyBean] at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:128)
                            [MyBean] at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:195)
                            [MyBean] at org.jboss.ejb.StatelessSessionContainer.invoke(StatelessSessionContainer.java:286)
                            [MyBean] at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invoke(JRMPContainerInvoker.java:483)
                            [MyBean] at org.jboss.ejb.plugins.jrmp.interfaces.GenericProxy.invokeContainer(GenericProxy.java:335)
                            [MyBean] at org.jboss.ejb.plugins.jrmp.interfaces.StatelessSessionProxy.invoke(StatelessSessionProxy.java:123)
                            [MyBean] at $Proxy4.getNextMessage(Unknown Source)
                            [MyBean] at dmm.GetNextMessage.doGet(GetNextMessage.java:193)
                            [MyBean] at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
                            [MyBean] at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
                            [MyBean] at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:488)
                            [MyBean] at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:390)
                            [MyBean] at org.mortbay.http.HandlerContext.handle(HandlerContext.java:1027)
                            [MyBean] at org.mortbay.http.HandlerContext.handle(HandlerContext.java:982)
                            [MyBean] at org.mortbay.http.HttpServer.service(HttpServer.java:674)
                            [MyBean] at org.mortbay.http.HttpConnection.service(HttpConnection.java:732)
                            [MyBean] at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:889)
                            [MyBean] at org.mortbay.http.HttpConnection.handle(HttpConnection.java:746)
                            [MyBean] at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:146)
                            [MyBean] at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:287)
                            [MyBean] at org.mortbay.util.ThreadPool$PoolThreadRunnable.run(ThreadPool.java:613)
                            [MyBean] at java.lang.Thread.run(Thread.java:484)
                            [Default] MB Lookup Exception: java.rmi.ServerException: Container exception. Notify the container developers :-); neste
                            d exception is:
                            java.lang.IllegalStateException: No security context set
                            [Default] java.rmi.ServerException: Container exception. Notify the container developers :-); nested exception is:
                            java.lang.IllegalStateException: No security context set

                            ------------------------------------------------------------------------------------------------------------------

                            client-login {
                            org.jboss.security.ClientLoginModule required
                            password-stacking="useFirstPass"
                            ;
                            };


                            example1 {
                            org.jboss.security.auth.spi.UsersRolesLoginModule required;
                            };


                            [Default] LoginContext create.
                            [Default] lc.getSubject(): Subject:
                            [Default] got the home interface: comp/env/ejb/dm/mybeanHome
                            [Default] Bad password for username=null
                            [MyBean] Authentication exception, principal=null
                            [Default] MB Lookup Exception: java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
                            java.lang.SecurityException: Authentication exception, principal=null
                            [Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
                            java.lang.SecurityException: Authentication exception, principal=null
                            [Default] java.lang.SecurityException: Authentication exception, principal=null
                            [Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:168)
                            [Default]
                            [Default] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:92)
                            [Default]
                            [Default] at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:106)
                            [Default]
                            [Default] at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:268)

                            ------------------------------------------------------------------------------------------------------------------

                            example1 {
                            org.jboss.security.ClientLoginModule required;
                            };


                            client-login {
                            org.jboss.security.ClientLoginModule required;
                            };

                            [Default] LoginContext create.
                            [Default] got the home interface: comp/env/ejb/dm/mybeanHome
                            [MyBean] Insufficient method permissions, principal=yoni, method=create, requiredRoles=[admin, user]
                            [Default] MB Lookup Exception: java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
                            java.lang.SecurityException: Insufficient method permissions, principal=yoni, method=create, requiredRoles=[admi
                            n, user]
                            [Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
                            java.lang.SecurityException: Insufficient method permissions, principal=yoni, method=create, requiredRoles=[admi
                            n, user]
                            [Default] java.lang.SecurityException: Insufficient method permissions, principal=yoni, method=create, requiredRoles=[ad
                            min, user]
                            [Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:215)
                            [Default]
                            [Default] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:92)
                            [Default]

                            • 11. Re: JAAS Authorization problem
                              Yoni Newbie

                              I think I found the bug in my code, need to check it further...

                              • 12. Re: JAAS Authorization problem
                                Eric Chow Newbie

                                Hi,

                                Would you please to teach me how to use LoginContext to do the access control to the EJB?

                                Eric

                                • 13. Re: JAAS Authorization problem
                                  Matt Vincent Newbie

                                  Thanks Scott. This works great! Now after I've called "login()", is it valid to just place the LoginContext in the user's HttpSession?

                                  • 14. Re: JAAS Authorization problem
                                    Matt Vincent Newbie

                                    Environment:
                                    JVM1: Tomcat 3.2 (Netbeans 3.3.2)
                                    JVM2: JBoss 2.4.4

                                    Following the design of org.jboss.test.web.servlets.ClientLoginServlet, I have 3 servlets

                                    1. Login: Calls LoginContext.login() and places the LoginContext in the session. Invokes secured method on EJB.
                                    2. Logout: Gets the LoginContext out of the session, calls LoginContext.logout(), and removes LoginContext from session.
                                    3. Invoke: Invokes a secured method on an EJB.

                                    This part works normally:
                                    Cannot call Invoke, until Login is called.
                                    Cannot call Invoke, after Logout is called.

                                    However, if I call Login from one session (e.g. jsessionid..), I can call Invoke from another session!

                                    Also (this is being requested in other posts as well), after calling Login, the servlet container does not consider me logged in for access to any restricted URLs (e.g. <security-constraint>'s in web.xml).

                                    Scott, can you direct me to the code in the JBoss-Tomcat bundle that handles associating the servlet container LoginContext and the ejb container LoginContext?

                                    Thanks.

                                    1 2 3 Previous Next