1 2 Previous Next 19 Replies Latest reply on Jan 25, 2002 11:26 PM by Benjamin Chi

    HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application Secur

    Benjamin Chi Newbie

      Hi, Has anyone got application security working under JBoss 2.4.4 + Tomcat-Catalina?

      I deployed a WAR file with a protect a directory "/admin/*".
      I'm using "DIGEST" authentication method.
      The when this path is access, a pop-up window prompts
      the user for user/password. I succeed doing all this
      under standalone Tomcat 4.0.1.

      But when I deploy to JBoss 2.4.4 + Tomcat 4.0.1, everything works, except
      when I enter the username/password it doesn't work, no exception is thrown,
      and it seems like the username/password entered is incorrect. is it
      not finding the user.properties, roles.properties file?

      I created the user.properties, roles.properties, jboss-web.xml, web.xml,
      and use the default auth.conf.

      Here are the configuration files:
      =========================================
      WEB-INF/web.xml:
      <?xml version="1.0" encoding="ISO-8859-1" ?>
      <!DOCTYPE web-app
      PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
      "http://java.sun.com/dtd/web-app_2_3.dtd">
      <web-app>
         <!-- Secured path/pages -->
         <security-constraint>
         <web-resource-collection>
           <web-resource-name>Secured Contents</web-resource-name>
         <url-pattern>admin/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
           <role-name>Admin</role-name>
         </auth-constraint>
      </security-constraint>

      <!-- Login Authenication methods -->
      <login-config>
         <auth-method>DIGEST</auth-method> <!-- BASIC|DIGEST|FORM|CLIENT-CERT -->
         <realm-name>test</realm-name>
      </login-config>

      <!-- Security Roles -->
      <security-role>
         Admin Logon only
         <role-name>Admin</role-name>
      </security-role>

      </web-app>
      =========================================
      WEB-INF/jboss-web.xml:
      <?xml version="1.0"?>
      <jboss-web>

      <security-domain>java:/jaas/eCommerce</security-domain>
      </jboss-web>


      =========================================
      WEB-INF/classes/users.properties:
      test=password


      =========================================
      WEB-INF/classes/roles.properties:
      test,Admin




      What should I do?

      Thanks,
      Benjamin

        • 1. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
          Thomas Clouser Newbie

          In the auth.conf did you change the name from other to eCommerce?

          You will need to do this as you have specified the security domain "eCommerce" in the jboss-web.xml. The default auth.conf has the UsersRolesLoginModule specified under the security domain "other".


          HTH,

          TC

          • 2. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
            Benjamin Chi Newbie

            Yes, I have the eCommerce defined in the auth.conf file as:
            =================================================
            eCommerce {
            org.jboss.security.auth.spi.UsersRolesLoginModule required
            unauthenticatedIdentity="nobody";
            };
            =================================================

            my auth.conf file is:
            ============================================
            // Put login modules providing authentication and realm mappings
            // for security domains.


            simple {
            // Very simple login module:
            // any user name is accepted.
            // password should either coincide with user name or be null,
            // all users have role "guest",
            // users with non-null password also have role "user"
            org.jboss.security.auth.spi.SimpleServerLoginModule required;
            };

            // Used by clients within the application server VM such as
            // mbeans and servlets that access EJBs.
            client-login {
            org.jboss.security.ClientLoginModule required;
            };

            // The default server login module
            other {
            // A simple server login module, which can be used when the number
            // of users is relatively small. It uses two properties files:
            // users.properties, which holds users (key) and their password (value).
            // roles.properties, which holds users (key) and a comma-separated list of their roles (value).
            // The unauthenticatedIdentity property defines the name of the principal
            // that will be used when a null username and password are presented as is
            // the case for an unuathenticated web client or MDB. If you want to
            // allow such users to be authenticated add the property, e.g.,
            // unauthenticatedIdentity="nobody"
            org.jboss.security.auth.spi.UsersRolesLoginModule required
            ;

            };


            manager {
            org.jboss.security.auth.spi.UsersRolesLoginModule required
            unauthenticatedIdentity="nobody";
            };
            ===========================================

            But it is still not working.

            • 3. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
              Benjamin Chi Newbie

              where should the auth.conf located?
              I use the one on:
              C:\JBoss-2.4.4_Tomcat-4.0.1\jboss\conf\catalina

              • 4. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
                Thomas Clouser Newbie

                two things to try:

                1) kick up the level of debugging on the console by changing the log4j.appender.Console.Threshold attribute in your log4j.properties file (found in the ..\conf\catalina directory). This will let you know if is a file not found or security exception being thrown.

                2) Make sure your roles.properties and users.properties are in you ..\conf\catalina directory

                HTH,

                TC

                • 5. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
                  Thomas Clouser Newbie

                  1. should've been

                  kick up the level of debugging on the console by changing the log4j.appender.Console.Threshold attribute in your log4j.properties file (found in the ..\conf\catalina directory) from INFO to DEBUG. This will let you know if is a file not found or security exception being thrown.

                  • 6. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
                    Benjamin Chi Newbie

                    I followed the two steps you described. The server printed out more info, but when I logon unsuccessfully, the server didn't throw any exceptions. No exception was thrown when I deleted the user.properties and roles.properties, and restarted the server to test.

                    Were you able to get this to work? This is really odd.
                    Thanks,
                    Benjamin

                    • 7. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
                      Benjamin Chi Newbie

                      When I change the auth-method from DIGEST to BASIC, I get this exception when I login unsuccessfuly:
                      ================================================
                      [ERROR,JBossSecurityMgrRealm] Error during authenticate
                      java.lang.IllegalArgumentException: interface javax.naming.Context is not visible from class loader
                      at java.lang.reflect.Proxy.getProxyClass(Proxy.java:334)
                      at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:555)
                      at org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory.getObjectInstance(JaasSecur
                      ityManagerService.java:303)
                      at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304)
                      at javax.naming.spi.NamingManager.getContext(NamingManager.java:422)
                      at javax.naming.spi.ContinuationContext.getTargetContext(ContinuationContext.java:38)
                      at javax.naming.spi.NamingManager.getContinuationContext(NamingManager.java:766)
                      at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:456)
                      at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:333)
                      at javax.naming.InitialContext.lookup(InitialContext.java:350)
                      at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:421)
                      at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:333)
                      at org.jboss.web.catalina.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:248)
                      at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:161)
                      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
                      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
                      at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
                      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
                      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
                      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
                      at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2344)
                      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
                      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
                      at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
                      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
                      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
                      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
                      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
                      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
                      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:163)
                      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
                      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
                      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
                      at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1011)
                      at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1106)
                      at java.lang.Thread.run(Thread.java:484)
                      ==============================================

                      Do I need to change anything else?

                      • 8. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
                        Thomas Clouser Newbie

                        bchi49,

                        I just tested both DIGEST and BASIC and they both FAILED. I am using FORM based authentication in the app I am currently working on, and it works fine with UsersRolesLoginModule.

                        TC

                        • 9. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
                          Benjamin Chi Newbie

                          Can you show me or lead me to what I need in the login form to submit for authentication, so that it would use the information on users.properties and roles.properties.

                          Where do I submit to? what fields are needed(uid&pwd)? do I need configure additional things like auth.conf etc.

                          Or on the submitted page, I need to update some context information.

                          Thanks,
                          Benjamin

                          • 10. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
                            Thomas Clouser Newbie

                            bchi49,

                            There is great article on FORM based authentication at:

                            http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html

                            It should get you started in putting together the form for form based authentication.

                            Note: The only major changes you will have to make is to the <login-config> element in your web.xml (after you have a form created that is).

                            HTH,

                            TC

                            • 11. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
                              Benjamin Chi Newbie

                              Thanks! That was very helpful. I got it implemented, but now it's throwing the same exception when I was using the "BASIC" auth-method. Here's the exception:
                              ========================================
                              [ERROR,JBossSecurityMgrRealm] Error during authenticate
                              java.lang.IllegalArgumentException: interface javax.naming.Context is not visible from class loader
                              at java.lang.reflect.Proxy.getProxyClass(Proxy.java:334)
                              at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:555)
                              at org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory.getObjectInstance(JaasSec
                              ityManagerService.java:303)
                              at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304)
                              at javax.naming.spi.NamingManager.getContext(NamingManager.java:422)
                              at javax.naming.spi.ContinuationContext.getTargetContext(ContinuationContext.java:38)
                              at javax.naming.spi.NamingManager.getContinuationContext(NamingManager.java:766)
                              at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:456)
                              at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:333)
                              at javax.naming.InitialContext.lookup(InitialContext.java:350)
                              at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:421)
                              at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:333)
                              at org.jboss.web.catalina.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:248)
                              at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:263)
                              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:459)
                              at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
                              at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
                              at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
                              at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
                              at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
                              at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2344)
                              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
                              at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
                              at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
                              at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
                              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
                              at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
                              at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
                              at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
                              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:163)
                              at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
                              at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
                              at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
                              at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1011)
                              at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1106)
                              at java.lang.Thread.run(Thread.java:484)
                              [INFO,EmbeddedCatalinaServiceSX] jsp: init
                              [INFO,EmbeddedCatalinaServiceSX] jsp: init
                              [INFO,EmbeddedCatalinaServiceSX] jsp: init
                              [INFO,EmbeddedCatalinaServiceSX] jsp: init
                              =================================================

                              But if I use the sample application in the tutorial, I can type in anything as username/pwd and it works, it seems like it's not authenticating.

                              • 12. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
                                Thomas Clouser Newbie

                                Hopefully this isn't the case...but does your roles.properties really contain:

                                test,Admin

                                it should be

                                test=Admin

                                TC

                                • 13. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
                                  Benjamin Chi Newbie

                                  Yes! I found the problem.

                                  I had
                                  roles.properties:
                                  ======================================
                                  bchi,admin
                                  ======================================

                                  but it should be "bchi=admin" not the comma.

                                  I also added the WEB-INF/jboss-web.xml:
                                  ====================================
                                  <?xml version="1.0"?>
                                  <jboss-web>
                                  <security-domain>java:/jaas/eCommerce</security-domain>
                                  </jboss-web>
                                  ====================================


                                  Thanks!

                                  Now, I need to figure out why I'm getting the exceptions above on my web app.

                                  Thanks for your help. It was very helpful!
                                  Benjamin

                                  • 14. Re: HowTo?:JBoss 2.4.4 + Tomcat-Catalina 4.0.1 Application S
                                    Benjamin Chi Newbie

                                    I was a bit late reading your previous. Yes that was the problem. :) thanks again!

                                    1 2 Previous Next