3 Replies Latest reply on Sep 13, 2002 3:27 AM by wweiqian

    FORM login SecurityDomain jboss-web.xml principal=null

    Bernhard Hurzeler Novice

      Hello there,

      I need your help with the configuration of Web/EJB authorization and authentication.

      This is kind of my last resort. I have read most of the articles in the jboss forum and docs as well as the javaworld articles on JBossSX and I still can't work out why my setup does not work.

      So please, please help me...

      I am running JBoss3.0.1 with Jetty on java1.3.1_04 with Postgres (postgresql-7.1.3-2) and a DatabaseLoginModule

      Q1) Is the following login-config.xml correct? Do the managedConnectionFactoryName of ConfiguredIdentityLoginModule and DatabaseServerLoginModule have to be identical?

      Q2) a) What is the <module-option name="principal">TimeTagPrincipal</module-option> used for? b) Does the actual name matter? c) Does the principal of ConfiguredIdentityLoginModule and DatabaseServerLoginModule have to be identical as well?

      I have two login modules configured in login-config.xml
      -------------------------------------------------------
      <application-policy name = "PostgresDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name="principal">TimeTagPrincipal</module-option>
      <module-option name="userName">postgres</module-option>
      <module-option name="password">postgres</module-option>
      <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=PostgresDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "TimeTagDomain">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag = "required">
      <module-option name="dsJndiName">java:/PostgresDS</module-option>
      <module-option name="principal">TimeTagPrincipal</module-option>
      <module-option name="principalsQuery">select password from principals where principalid = ?</module-option>
      <module-option name="rolesQuery">select role, rolegroup from roles where principalid = ?</module-option>
      <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=PostgresDS</module-option>
      <module-option name="unauthenticatedIdentity">nobody</module-option>
      </login-module>

      </application-policy>
      ---------------------------------------------------------

      If I use PostgresDbRealm in web.xml and don't set the security domain in jboss-web.xml (is not even in war) and the security domain is not set in jboss.xml then the Jetty authentication works the user is authenticated and the role is also correctly retrieved. See debugs a little further down.

      web.xml
      ---------------------------------------------------------
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Secure Content</web-resource-name>
      Security Constraint
      <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Administrator</role-name>
      </auth-constraint>
      </security-constraint>

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>PostgresDbRealm</realm-name>
      <form-login-config>
      <form-login-page>/login/login.jsp</form-login-page>
      <form-error-page>/login/error.jsp</form-error-page>
      </form-login-config>
      </login-config>

      <security-role>
      <role-name>Administrator</role-name>
      </security-role>

      <ejb-ref>
      A test reference to the HelloWorld EJB
      <ejb-ref-name>HelloWorld</ejb-ref-name>
      <ejb-ref-type>Session</ejb-ref-type>
      com.timeTag.interfaces.HelloWorldHome
      com.timeTag.interfaces.HelloWorld
      <ejb-link>HelloWorld</ejb-link>
      </ejb-ref>

      </web-app>
      ---------------------------------------------------------

      Q3) In the web.xml when do I need to reference the SessionBean with <ejb-ref>?

      debugs of successful authentication:
      ---------------------------------------------------------
      16:41:15,494 INFO [Server] JBoss (MX MicroKernel) [3.0.1 Date:200208062340] Started in 0m:32s:306ms
      16:43:47,653 DEBUG [JBossUserRealm#PostgresDbRealm] JBossUserPrincipal: hurzeler
      16:43:47,663 DEBUG [JBossUserRealm#PostgresDbRealm] created JBossUserRealm::JBossUserPrincipal: hurzeler
      16:43:47,663 DEBUG [JBossUserRealm#PostgresDbRealm] authenticating: Name:hurzeler Password:****
      16:43:47,663 DEBUG [JBossUserRealm#PostgresDbRealm] authenticated: hurzeler
      16:43:47,663 DEBUG [JBossUserRealm#PostgresDbRealm] setting JAAS subjectAttributeName(j_subject) : null
      16:43:47,683 DEBUG [JBossUserRealm#PostgresDbRealm] authenticating: Name:hurzeler Password:****
      16:43:47,683 DEBUG [JBossUserRealm#PostgresDbRealm] authenticated: hurzeler
      16:43:47,683 DEBUG [JBossUserRealm#PostgresDbRealm] JBossUserPrincipal: hurzeler is in Role: Administrator
      ------------------------------------------------------

      Ok JBossUserRealm has recognized my user as hurzeler in the role of Administrator and Jetty lets me access the restricted area.

      Q4) Now here comes the part I do not understand:
      If I set the security domain in jboss-web.xml and jboss.xml to PostgresDbRealm my user is not recognized to be in the role Administrator. Why?

      The error I get is:
      ---------------------------------------------------------
      16:53:56,058 INFO [Server] JBoss (MX MicroKernel) [3.0.1 Date:200208062340] Started in 0m:28s:701ms
      16:54:13,313 DEBUG [JBossUserRealm#PostgresDbRealm] JBossUserPrincipal: hurzeler
      16:54:13,323 DEBUG [JBossUserRealm#PostgresDbRealm] created JBossUserRealm::JBossUserPrincipal: hurzeler
      16:54:13,323 DEBUG [JBossUserRealm#PostgresDbRealm] authenticating: Name:hurzeler Password:****
      16:54:13,333 DEBUG [JBossUserRealm#PostgresDbRealm] authenticated: hurzeler
      16:54:13,343 DEBUG [JBossUserRealm#PostgresDbRealm] setting JAAS subjectAttributeName(j_subject) : Subject:
      Principal: TimeTagPrincipal
      Private Credential: javax.resource.spi.security.PasswordCredential@40000
      000
      16:54:13,353 DEBUG [JBossUserRealm#PostgresDbRealm] authenticating: Name:hurzeler Password:****
      16:54:13,353 DEBUG [JBossUserRealm#PostgresDbRealm] authenticated: hurzeler
      16:54:13,353 DEBUG [JBossUserRealm#PostgresDbRealm] JBossUserPrincipal: hurzeler is NOT in Role: Administrator
      16:54:13,363 WARN [jbossweb] WARNING: AUTH FAILURE: role for hurzeler
      ---------------------------------------------------------

      Obviously Jetty now complains with:
      HTTP ERROR: 403 User not in required role
      RequestURI=/timeTag/admin/index.jsp

      Now here is the interesting bit:
      If I set the security domain in jboss-web.xml and jboss.xml to TimeTagDomain I get properly authenticated and the users role is set to Administrator. What strikes me is that the authentication seems to work and the setting of the subject and the retrieval of the role works as well but the principal does not get propagated to JBoss.

      Q5) Further I think according to the docs the security domain in web.xml, jboss-web.xml and jboss.xml should be PostgresDbRealm. Is this correct or should the security domains be as described above?

      debugs with above settings when I go to my secure stateless session bean after I logged in:
      ---------------------------------------------------------
      16:02:23,461 INFO [Server] JBoss (MX MicroKernel) [3.0.1 Date:200208062340] Started in 0m:36s:793ms
      16:02:44,071 DEBUG [JBossUserRealm#PostgresDbRealm]JBossUserPrincipal: hurzeler
      16:02:44,081 DEBUG [JBossUserRealm#PostgresDbRealm] created JBossUserRealm::JBossUserPrincipal: hurzeler
      16:02:44,091 DEBUG [JBossUserRealm#PostgresDbRealm] authenticating: Name:hurzeler Password:****
      16:02:44,181 DEBUG [JBossUserRealm#PostgresDbRealm]authenticated: hurzeler
      16:02:44,181 DEBUG [JBossUserRealm#PostgresDbRealm]setting JAAS subjectAttributeName(j_subject) : Subject:
      Principal: hurzeler
      Principal: Roles
      Principal: CallerPrincipal

      16:02:44,201 DEBUG [JBossUserRealm#PostgresDbRealm]authenticating: Name:hurzeler Password:****
      16:02:44,201 DEBUG [JBossUserRealm#PostgresDbRealm]authenticated: hurzeler
      16:02:44,211 DEBUG [JBossUserRealm#PostgresDbRealm]JBossUserPrincipal: hurzeler is in Role: Administrator
      16:02:51,131 ERROR [SecurityInterceptor] Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[AuthorizedUser, Administ
      rator
      ], principalRoles=null
      ----------------------------------------------------------

      Q6) It seem to me that the security settings in ejb-jar.xml have no bearing on the behaviour if the principal=null. Is this correct?

      Q7) Why is the principal=null?

      I also attach the ejb-jar.xml security constraints for my statless session bean (HelloWorld)

      ejb-jar.xml (Note: <assembly-descriptor > sits inside <ejb-jar>
      ----------------------------------------------------------
      <assembly-descriptor >
      <security-role>
      <role-name>AuthorizedUser</role-name>
      </security-role>
      <security-role>
      <role-name>Administrator</role-name>
      </security-role>
      <security-role>
      <role-name>User</role-name>
      </security-role>

      <method-permission >
      <role-name>AuthorizedUser</role-name>
      <role-name>Administrator</role-name>

      <ejb-name>HelloWorld</ejb-name>
      <method-name>*</method-name>

      </method-permission>
      </assembly-descriptor>
      ---------------------------------------------------------

      I must obviously be a bit thick but all this is a bit a mistery to me.

      Q9) Can someone explain to me what the exact function of ConfiguredIdentityLoginModule is and how it interplays with DatabaseServerLoginModule.

      Please help. I am desperate... :-(

      Thanks Bernie
      ICM Engineering Pty Ltd