1 Reply Latest reply on Nov 18, 2001 8:26 PM by Ben Litchfield

    security subject going away

    Ben Litchfield Newbie

      I am using Jboss2.4.3_Tomat4.0 dist under windows2000.

      I am having a small problem with security. It appears that randomly a user will fail authentication. I am using the DatabaseServerLoginModule. It appears to only happen on the web tier but I cannot be 100% sure of that.

      Here is the sequence that produces the problem. I go to the login form and authenticate and everything is fine. The login page then forwards me to the main page which has several frames. randomly one or two of the frames will show an authentication error. There are three frames and all three appear to be affected equally.

      I modified the following method to add debug statements in org.jboss.security.plugins.JaasSecurityManager

      public boolean doesUserHaveRole(Principal principal, Set rolePrincipals)
      {

      boolean hasRole = false;
      Subject subject = getActiveSubject();
      log.debug( "JaasSecurityManager.doesUserHaveRole() subject=" + subject );
      if( subject != null )
      {
      DomainInfo info = null;
      if( domainCache != null )
      info = (DomainInfo) domainCache.get(principal);
      log.debug( "JaasSecurityManager.doesUserHaveRole() info=" + info );

      Group roles = null;
      if( info != null )
      roles = info.roles;
      log.debug( "JaasSecurityManager.doesUserHaveRole() roles=" + roles );
      if( roles != null )
      {
      Iterator iter = rolePrincipals.iterator();
      while( hasRole == false && iter.hasNext() )
      {
      Principal role = (Principal) iter.next();
      log.debug( "JaasSecurityManager.doesUserHaveRole() checking role=" + role );
      hasRole = roles.isMember(role);
      }
      }
      }
      return hasRole;
      }


      Here is what I see in the my log file

      [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() subject=Subject:
      Principal: ben
      Principal: Roles

      [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@22cc7e
      [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() roles=Roles
      [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() checking role=EPACK_USER
      [JBossSecurityMgrRealm] User: ben is authorized
      [EmbeddedCatalinaServiceSX] jsp: init
      [JBossSecurityMgrRealm] securityCtx=org.jnp.interfaces.NamingContext@3ca1c3
      [JBossSecurityMgrRealm] Checking roles with security managerorg.jboss.security.plugins.JaasSecurityManager
      [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() subject=null
      [JBossSecurityMgrRealm] User: ben is NOT authorized, requiredRoles=[EPACK_USER]
      [JBossSecurityMgrRealm] securityCtx=org.jnp.interfaces.NamingContext@2022b7
      [JBossSecurityMgrRealm] Checking roles with security managerorg.jboss.security.plugins.JaasSecurityManager
      [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() subject=Subject:
      Principal: ben
      Principal: Roles

      [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@22cc7e
      [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() roles=Roles
      [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() checking role=EPACK_USER
      [JBossSecurityMgrRealm] User: ben is authorized

      Notice on the second authentication the subject is null. Why would it be null?

        • 1. Re: security subject going away
          Ben Litchfield Newbie

          upon further investigation, it appears that the subject is stored in a ThreadLocal object. So I added debug statements to show the thread name. In every instance the thread has the same name except the one that fails authentication.

          Here is the new log

          [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() HttpProcessor[8080][4] subject=Subject:
          Principal: epack
          Principal: Roles

          [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() HttpProcessor[8080][4] info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@29bea3
          [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() HttpProcessor[8080][4] roles=Roles
          [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() HttpProcessor[8080][4] checking role=EPACK_USER
          [JBossSecurityMgrRealm] User: epack is authorized
          [EmbeddedCatalinaServiceSX] jsp: init
          [JBossSecurityMgrRealm] securityCtx=org.jnp.interfaces.NamingContext@4d28c7
          [JBossSecurityMgrRealm] Checking roles with security managerorg.jboss.security.plugins.JaasSecurityManager
          [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() HttpProcessor[8080][3] subject=null
          [JBossSecurityMgrRealm] User: epack is NOT authorized, requiredRoles=[EPACK_USER]
          [JBossSecurityMgrRealm] securityCtx=org.jnp.interfaces.NamingContext@3044df
          [JBossSecurityMgrRealm] Checking roles with security managerorg.jboss.security.plugins.JaasSecurityManager
          [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() HttpProcessor[8080][4] subject=Subject:
          Principal: epack
          Principal: Roles

          [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() HttpProcessor[8080][4] info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@29bea3
          [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() HttpProcessor[8080][4] roles=Roles
          [JaasSecurityManager#other] JaasSecurityManager.doesUserHaveRole() HttpProcessor[8080][4] checking role=EPACK_USER
          [JBossSecurityMgrRealm] User: epack is authorized