1 Reply Latest reply on Mar 22, 2003 7:34 AM by nicut

    SRP cache problem?

    nicut

      Hello, all

      I'm using the SRP login module with a DatabaseVerifierStore.
      It's working just fine on my first login, but on the second login, whether or not I did a logout first,
      I have some problems.

      I tested my login module on Jboss 3.0.6 and 3.2.0 but the problem seems to be the same.

      Here are some logs from my JBoss 3.0.6 log file for the case when I don't perform a logout:

      On my first login :
      TRACE [org.jboss.security.srp.SRPService] Cached SRP session for user={username=nicut, sessionID=0}
      TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=0}

      On the second login:
      TRACE [org.jboss.security.srp.SRPService] Cached SRP session for user={username=nicut, sessionID=1}
      TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=1}
      ...
      2003-03-20 15:37:17,542 DEBUG [org.jboss.security.plugins.JaasSecurityManager.srp-login] Login failure
      javax.security.auth.login.LoginException: Failed to validate SRP session key for: {username=nicut, sessionID=0}
      at org.jboss.security.srp.jaas.SRPCacheLoginModule.login(SRPCacheLoginModule.java:131)
      ...
      ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Authentication exception, principal=nicut
      ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: Authentication exception, principal=nicut
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173)

      I don't know why JBoss validates the session key for {username=nicut, sessionID=0} when actually my current session key
      is {username=nicut, sessionID=1}.

      Here are some logs from my JBoss 3.0.6 log file for the case when I do perform a logout:

      On my first login:

      TRACE [org.jboss.security.srp.SRPService] Cached SRP session for user={username=nicut, sessionID=0}
      TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=0}

      On the second login:

      TRACE [org.jboss.security.srp.SRPService] Cached SRP session for user={username=nicut, sessionID=1}
      TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=1}
      ...
      DEBUG [org.jboss.security.plugins.JaasSecurityManager.srp-login] Login failure
      javax.security.auth.login.LoginException: No SRP session found for: {username=nicut, sessionID=0}
      at org.jboss.security.srp.jaas.SRPCacheLoginModule.login(SRPCacheLoginModule.java:121)
      ...
      ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Authentication exception, principal=nicut
      ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: Authentication exception, principal=nicut
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173)

      In this case JBoss looks for the session {username=nicut, sessionID=0} when the current session key is
      {username=nicut, sessionID=1}.

      If it is a known problem, or if I did something wrong please let me know.

      I do have one idea why this happens, but I'm not 100% sure:

      JBoss caches the authenticated user as a SimplePrincipal instead of an SRPPrincipal, so when it is looking
      for the current session, JBoss 3.0.6 (SRPCacheLoginModule.java, line 109) does this:

      if( userPrincipal instanceof SRPPrincipal )
      {
          // the principal carries the session id negotiated for this login
          SRPPrincipal srpPrincpal = (SRPPrincipal) userPrincipal;
          key = new SRPSessionKey(username, srpPrincpal.getSessionID());
      }
      else
      {
          key = new SRPSessionKey(username); // the computed key for this is {username=username, sessionID=0}
      }

      Actually I verified this. In all my cases the userPrincipal is an org.jboss.security.SimplePrincipal object.

      Any idea will be appreciated.

        • 1. Re: SRP cache problem?
          nicut

          Hello all,

          I can say that I solved this problem, but now I have another one.

          The cause of my headache was:

          Do not use the SRPLoginModule with the ClientLoginModule on the client side with JBoss 3.0.6 or 3.2.0. A better
          practice is to modify the SRPLoginModule by adding the following lines:

          SecurityAssociation.setServer(); // only needed if each separate thread must perform its own login
          SecurityAssociation.setPrincipal(new SRPPrincipal(username, sessionID)); // principal now carries the session id
          SecurityAssociation.setCredential(credential);
          SecurityAssociation.setSubject(subject);

          These lines bind the username and the session id into JBoss, so all the EJB calls will
          be handled for the current session.

          Anyway, right now I have another problem:

          My first login works just fine. On the second login, all the authentications work just fine, but
          the user roles seem to be null. This is curious because my server login module maps the user
          roles correctly.

          On my second login:

          2003-03-22 14:28:17,973 TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=1}
          ...
          TRACE [org.jboss.security.plugins.JaasSecurityManager.srp-login] updateCache, subject=Subject:
          Principal: nicut
          Principal: Roles
          Public Credential: [B@1c2ec05
          Private Credential: org.jboss.security.srp.SRPParameters@9c9bfc91
          Private Credential: [B@17d03c5
          2003-03-22 14:28:18,104 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions, principal=nicut, method=create, interface=HOME, requiredRoles=[Administrator], principalRoles=null
          2003-03-22 14:28:18,104 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
          java.lang.SecurityException: Insufficient method permissions, principal=nicut, method=create, interface=HOME, requiredRoles=[Administrator], principalRoles=null
          at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:228)
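The following is an added model, not JBoss code, of the session-cache lookup described in the first post and of the fix in the reply: the cache is keyed by (username, sessionID), the login module builds that key from the principal, and a plain SimplePrincipal always yields sessionID=0. It reproduces both failure messages from the logs above and shows the lookup succeeding once the principal is an SRPPrincipal that carries the session id. Class and function names are assumptions chosen to mirror the thread, and the session-key bytes are constructed values.

```python
"""Model of the SRP session cache lookup discussed in the thread (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Union


@dataclass(frozen=True)
class SRPSessionKey:
    username: str
    session_id: int = 0  # SRPSessionKey(username) alone means sessionID=0, as in the thread

    def __str__(self) -> str:
        return "{username=%s, sessionID=%d}" % (self.username, self.session_id)


@dataclass(frozen=True)
class SimplePrincipal:      # what JBoss cached in the reported case: no session id
    name: str


@dataclass(frozen=True)
class SRPPrincipal:         # the principal type the login module expects
    name: str
    session_id: int


class SRPService:
    """Server-side cache: one entry per completed SRP verify, ids assigned 0, 1, 2, ..."""

    def __init__(self) -> None:
        self._sessions: Dict[SRPSessionKey, bytes] = {}
        self._next_id = 0

    def verify(self, username: str, session_key: bytes) -> SRPSessionKey:
        key = SRPSessionKey(username, self._next_id)
        self._next_id += 1
        self._sessions[key] = session_key  # "Cached SRP session for user=..."
        return key

    def logout(self, key: SRPSessionKey) -> None:
        self._sessions.pop(key, None)

    def lookup(self, key: SRPSessionKey) -> Optional[bytes]:
        return self._sessions.get(key)


def cache_login(svc: SRPService, principal: Union[SimplePrincipal, SRPPrincipal], session_key: bytes) -> str:
    """Mirrors the SRPCacheLoginModule.login branch quoted in the first post."""
    if isinstance(principal, SRPPrincipal):
        key = SRPSessionKey(principal.name, principal.session_id)
    else:
        key = SRPSessionKey(principal.name)  # falls back to sessionID=0
    cached = svc.lookup(key)
    if cached is None:
        return "No SRP session found for: %s" % key
    if cached != session_key:
        return "Failed to validate SRP session key for: %s" % key
    return "ok"


def reproduce(use_srp_principal: bool, logout_between: bool) -> str:
    """Two logins for 'nicut'; the second is checked with the chosen principal type."""
    svc = SRPService()
    key0 = svc.verify("nicut", b"constructed-session-key-0")
    if logout_between:
        svc.logout(key0)
    key1 = svc.verify("nicut", b"constructed-session-key-1")
    principal = SRPPrincipal("nicut", key1.session_id) if use_srp_principal else SimplePrincipal("nicut")
    return cache_login(svc, principal, b"constructed-session-key-1")
```

Without a logout the stale sessionID=0 entry is found but holds the first login's key, hence "Failed to validate"; after a logout that entry is gone, hence "No SRP session found".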