7 Replies Latest reply on Oct 24, 2002 12:41 AM by lost_in_mass

    JBoss and JAAS - a nightmare & time waster !

    Shane Newbie

      Hi

      We have been struggling with JBoss and JAAS for 2 weeks now, with no success. It is incredibly frustrating and stressful.

      We are trying to convert and exsisting web application from Weblogic 6.x to JBoss 3.0.3.
      We are having problems configuring the security. We are ultimately wanting to use DatabaseServerLoginModule.

      Problem No. 1
      When we set up JBoss to use JAAS and DatabaseServerLoginModule (Sybase), and then try to deploy, the deployment fails on every bean with principal=null message. Then when we try to login from a jsp using j_security_check the same message occurs - principal=null. Here are the xml files.

      login-config.xml
      <?xml version='1.0'?>
      <!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">


      <application-policy name = "client-login">

      <login-module code = "org.jboss.security.ClientLoginModule"
      flag = "required">
      </login-module>

      </application-policy>

      <application-policy name = "jbossmq">

      <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "HsqlDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sa</module-option>
      <module-option name = "userName">sa</module-option>
      <module-option name = "password"></module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=hsqldbDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "FirebirdDBRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sysdba</module-option>
      <module-option name = "userName">sysdba</module-option>
      <module-option name = "password">masterkey</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "JmsXARealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">guest</module-option>
      <module-option name = "userName">guest</module-option>
      <module-option name = "password">guest</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=jmsra</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "jmx-console">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>

      <application-policy name = "SybaseRealm">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
      <module-option name="dsJndiName">java:/jdbc/ProofDS</module-option>
      <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
      <module-option name="rolesQuery">select RoleName, RoleGroup from Roles where PrincipalID=?</module-option>
      </login-module>

      </application-policy>


      <application-policy name = "other">

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>



      sybase-service.xml
      <?xml version="1.0" encoding="UTF-8"?>

      <!-- ===================================================================== -->
      <!-- -->
      <!-- JBoss Server Configuration -->
      <!-- -->
      <!-- ===================================================================== -->



      <!-- ======================================================================-->
      <!-- New ConnectionManager setup for Sybase ASE/ASA jConnect driver -->
      <!-- Thanks to Marc Zampetti <zampetti@aol.net> -->
      <!-- Build jmx-api (build/build.sh all) and view for config documentation -->
      <!-- ===================================================================== -->



      <application-policy name = "SybaseRealm">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
      <module-option name="dsJndiName">java:/jdbc/ProofDS</module-option>
      <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
      <module-option name="rolesQuery">select RoleName, RoleGroup from Roles where PrincipalID=?</module-option>
      </login-module>

      </application-policy>

      SybaseRealm

      <depends optional-attribute-name="ManagedConnectionFactoryName">
      <!--embedded mbean-->


      jdbc/ProofDS



      <config-property name="ConnectionURL" type="java.lang.String">jdbc:sybase:Tds:DBMS52:5000/Proof?JCONNECT_VERSION=6</config-property>
      <config-property name="DriverClass" type="java.lang.String">com.sybase.jdbc2.jdbc.SybDriver</config-property>
      <config-property name="UserName" type="java.lang.String">proof</config-property>
      <config-property name="Password" type="java.lang.String">password1</config-property>



      <!--Below here are advanced properties -->
      <!--hack-->
      <depends optional-attribute-name="OldRarDeployment">jboss.jca:service=RARDeployment,name=JBoss LocalTransaction JDBC Wrapper



      <depends optional-attribute-name="ManagedConnectionPool">
      <!--embedded mbean-->

      0
      10
      5000
      15
      ByContainer



      <depends optional-attribute-name="CachedConnectionManager">jboss.jca:service=CachedConnectionManager

      <depends optional-attribute-name="JaasSecurityManagerService">jboss.security:service=JaasSecurityManager

      java:/TransactionManager

      <!--make the rar deploy! hack till better deployment-->
      jboss.jca:service=RARDeployer





      What are we doing wrong?

      Problem No. 2
      After not getting DatabaseServerLoginModule, we tried the 'simple' UsersRolesLoginModule. With this, our deployment works, and we can successfully login via j_security_check and go to our first jsp - after that when we try to access subsequent jsp's, we get security exceptions - principal = null and password = null. How do the credentials get get "passed on" or cached? What are we doing wrong?

      Any help would be greatly appreciated - we have gone through all documentation and most of the posts on the forums without success.

        • 1. Re: JBoss and JAAS - a nightmare & time waster !
          Wouter Beheydt Newbie

          Shane,

          You define a security realm (SybaseRealm) to access your ProofDS which contains the user and role data.

          In order to get the user info, you have to access the database. And in order to access the database, you have to authenticate using the user info. I think that's why the UsersRolesLoginModule works and the DatabaseServerLoginModule doesn't.

          There are several solutions. The most obvious one is to replace the security realm for DB access with a username and password representing the application server as a DB user. I'm not familiar with sybase settings but I suppose you could comment out the element <application-policy name = "SybaseRealm"> in sybase-service and keep "proof" and "password1" as username and password.

          Hope this helps,
          Wouter

          • 2. Re: JBoss and JAAS - a nightmare & time waster !
            Wouter Beheydt Newbie

            Sorry, forgot to answer the second question.

            I'm not sure what's causing this but it is important that you specify the correct realm-name in the login-config element of your web.xml and the correct security-domain in jboss-web.xml

            I suppose you put something like "SybaseRealm" in your web config files but kept the name "other" in login-config ?

            • 3. Re: JBoss and JAAS - a nightmare & time waster !
              James Moring Newbie

              Try removing the application-policy element from the sybase-service.xml. This is used for getting credentials for use as the login and password for the given database connection. You are specifying the login and password explicitly in the ManagedConnectionFactoryProperties element. It would'nt work anyways as the policy uses the same datasource to get credentials as it is trying to provide credential for.

              HTH

              • 4. Re: JBoss and JAAS !
                Shane Newbie

                Thanks for your posts! The problem with the DatabaseServerLoginModule was in the sybase-service.xml file. I commented out this line :-
                MySqlDbRealm

                This solved the problems !

                • 5. Re: JBoss and JAAS - a nightmare & time waster !
                  Lewis Henderson Novice

                  wouter,

                  Above you said that it is important to specify the correct 'realm-name' in the <login-config>. Why...and what does this relate to?

                  The entries in the login-config.xml / auth.conf are 'domain' entries that must match the value specified in the jboss-web.xml (else 'other' will be used).

                  What is the significance of the <realm-name> entry in the <login-config> section?


                  Lewis

                  • 6. Re: JBoss and JAAS - a nightmare & time waster !
                    Mike Pettit Newbie

                    I agree with the nightmare part. Documentation is pretty thin and the source code only helps so much. I am doing things in a pretty standard JAAS way and still getting numerous problems (i.e.: principal=null in EJB)

                    • 7. Re: JBoss and JAAS - a nightmare & time waster !
                      lost_in_mass Newbie

                      Hello All

                      After reading thousands of forum posts and the documentation on jaas I am still lost and cant get the pretty standard thing working for me. This has started me to document this whole thing in a little better way and I am starting a new task to do this. If you all can solve this problem, can you please share your knowledge with us too. I have posted a similar post yesterday. I intend to create a one stop help for most common problem with source and screen shot.

                      Thanks
                      LMS