8 Replies Latest reply on Apr 1, 2003 2:16 AM by Mick Knutson

    Issue with FORM security with Web and EJB tier.

    Mick Knutson Newbie

      I am using JB 3.0.6 on NT, MySql, Struts, as well as EJB's generated with XDoclet.

      I have been searching the forums here and the net to figure out the DatabaseServerLoginModule issue I have for 2 weeks now. So I decided to finaly post:
      I have attached what I think are a zip file of all the relavant files to my issue.
      I have secured home.jsp and when I try to access home.jsp, I get the FORM page and I am able to login with the form. But, no matter what values I put in, I am _always_ authorized on the first request. Even if the data is "khsfhsdfsdhfsf": "ytytyytytt" for example.

      Then I go to home.jsp which doesn't really interact with anything. I have a filter checking the request for a Principal, and I have one, but only on the FORM submission. Then I stick it into session, but it is gone from subsequent request.

      Then, I try updating my account details with account.do.
      I first tried to set <action role="user" ... /> in struts-config.xml as I ony want users to access this action.
      I _always_ get a 400 error that I am unable to access this page. When I take the role="user" out, I then get a permissions exception in the UserManager bean. Just like many people here have posted about.

      Well, I need to be able to secure actions, and EJB's and want to use as much of the container(s) security as possible, so I would like to use j_security_check, but I also need to get the users name for performing the userAccoutDetails query where user=principalUserName.

      I think I am just missing something small that is keeping me from tieing this together

        • 2. Re: Issue with FORM security with Web and EJB tier.
          Mick Knutson Newbie

          After another week of searching for the root issue, I am still no closer to solving this, but incredibly upset at all the lost time I have spent on this.

          I am using Jbos 3.0.6 on NT 4.0 SP6 with MySql.

          No matter what I do, you can type username: "heapsOfCrap" and password: "meaninglessCharacters" and _always_ get authenticated, "user", and "admin" role assigned.

          I would be very appreciative if someone can take 5 minutes to help me solve this issue that I have spent 50+ hours on.

          Thanks in advance...

          • 3. Re: Issue with FORM security with Web and EJB tier.
            Peter Doornbosch Apprentice


            There is no jboss-web.xml file in your zip. This is necessary to connect to jboss security. It should have the following contents:


            • 4. Re: Issue with FORM security with Web and EJB tier.
              Peter Doornbosch Apprentice

              And put it in the WEB-INF directory of your war of course ;-)

              • 5. Re: Issue with FORM security with Web and EJB tier.
                Mick Knutson Newbie

                Thank you soooooo much!
                I do have an additional question:
                I use XDoclet for all my other jboss*.xml file generation.

                is the security domain the only thing I need in jboss-web.xml?
                XDoclet will generate that file for me fairly easily with the security domain, but I have not used that file thusfar, s do not know what else needs, or can go into it.

                • 6. Re: Issue with FORM security with Web and EJB tier.
                  Peter Doornbosch Apprentice

                  Well, that depends of course. The jboss-web.xml lets you map resource and ejb refs and can be used for specifying context root (although that should preferably go in the application.xml in the .ear) and virtual hosts. But you can do without it; the security domain is the most important (and probably the most used ;-) property in this file.
                  Refer to /docs/dtd/jboss-web_3_0.dtd for a complete description.


                  • 7. Re: Issue with FORM security with Web and EJB tier.
                    Mick Knutson Newbie

                    OK, I just got finished with my sidetrack, and tried this out. Here is what I found:
                    I added jboss-web.xml with my realm. If I logon with username: "junk", password: "junk", I get directed to /error.jsp like I was expecting. However, when I put password: "mick", password: "myPassword", I get a 403 NOT AUTHORIZED error _every_ time.

                    I have 2 rows in the USER_ROLES table:
                    username: "mick", role: "user", group: "user"
                    username: "mick", role: "admin", group: "user"

                    When I remove the jboss-web.xml, I can logon with username "mick", but j_subject=null in the debug messages, and this gives me a security violation when creating a Session EJB.

                    The security error I get with jboss-web.xml removed, and trying to create a Session Bean:

                    07:44:19,378 ERROR [SecurityInterceptor] Insufficient method permissions, principal=mknutson,
                    method=create, interface=HOME,
                    requiredRoles=[], principalRoles=null
                    07:44:19,398 ERROR [LogInterceptor] EJBException, causedBy:
                    java.lang.SecurityException: Insufficient method permissions, principal=mknutson,
                    method=create, interface=HOME, requiredRole
                    s=[], principalRoles=null
                    at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:228)
                    at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:94)
                    at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:129)
                    at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:300)
                    at org.jboss.ejb.Container.invoke(Container.java:730)
                    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:517)
                    at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:98)
                    at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:102)
                    at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:77)
                    at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:80)
                    at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:198)
                    at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:76)
                    at $Proxy35.create(Unknown Source)
                    at com.baselogic.yoursos.delegates.UserServicesDelegate.(UserServicesDelegate.java:36)
                    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
                    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
                    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
                    at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
                    at java.lang.Class.newInstance0(Class.java:306)
                    at java.lang.Class.newInstance(Class.java:259)
                    at com.baselogic.yoursos.delegates.ServicesFactory.createUserServices(ServicesFactory.java:33)
                    at com.baselogic.yoursos.struts.BaseDispatchAction.getUserService(BaseDispatchAction.java:43)
                    at com.baselogic.yoursos.user.ProfileActions.defaultMethod(ProfileActions.java:79)
                    at com.baselogic.yoursos.struts.BaseDispatchAction.unspecified(BaseDispatchAction.java:179)
                    at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:260)
                    at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:216)
                    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:480)
                    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
                    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1420)
                    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:502)
                    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
                    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
                    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:360)
                    at org.mortbay.jetty.servlet.WebApplicationHandler$Chain.doFilter(WebApplicationHandler.java:328)
                    at com.baselogic.yoursos.security.SecurityContextFilter.doFilter(SecurityContextFilter.java:99)
                    at org.mortbay.jetty.servlet.WebApplicationHandler$Chain.doFilter(WebApplicationHandler.java:320)
                    at com.baselogic.yoursos.user.UserPreferenceFilter.doFilter(UserPreferenceFilter.java:50)
                    at org.mortbay.jetty.servlet.WebApplicationHandler$Chain.doFilter(WebApplicationHandler.java:320)
                    at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:272)
                    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:553)
                    at org.mortbay.http.HttpContext.handle(HttpContext.java:1717)
                    at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:549)
                    at org.mortbay.http.HttpContext.handle(HttpContext.java:1667)
                    at org.mortbay.http.HttpServer.service(HttpServer.java:862)
                    at org.jboss.jetty.Jetty.service(Jetty.java:497)
                    at org.mortbay.http.HttpConnection.service(HttpConnection.java:759)
                    at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:923)
                    at org.mortbay.http.HttpConnection.handle(HttpConnection.java:776)
                    at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:202)
                    at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:289)
                    at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:455)