1 Reply Latest reply on Mar 22, 2003 7:34 AM by Nicolae Tabusca

    SRP cache problem?

    Nicolae Tabusca Newbie

      Hello, all

      I`m using the SRP login module with a DatabaseVerifierStore.
      It`s working just fine on my first login, but on the second login, after I did a logout or not,
      I have some problems.

      I tested my login module on Jboss 3.0.6 and 3.2.0 but the problem seems to be the same.

      Here are some logs from my JBoss 3.0.6 log file for the case when I don`t perform a logout:

      On my first login :
      TRACE [org.jboss.security.srp.SRPService] Cached SRP session for user={username=nicut, sessionID=0}
      TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=0}

      On the second login:
      TRACE [org.jboss.security.srp.SRPService] Cached SRP session for user={username=nicut, sessionID=1}
      TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=1}
      ...
      2003-03-20 15:37:17,542 DEBUG [org.jboss.security.plugins.JaasSecurityManager.srp-login] Login failure
      javax.security.auth.login.LoginException: Failed to validate SRP session key for: {username=nicut, sessionID=0}
      at org.jboss.security.srp.jaas.SRPCacheLoginModule.login(SRPCacheLoginModule.java:131)
      ...
      ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Authentication exception, principal=nicut
      ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: Authentication exception, principal=nicut
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173)

      I don`t know why JBoss validates the session key for {username=nicut, sessionID=0} when actually my current session key
      is {username=nicut, sessionID=1}.

      Here are some logs from my JBoss 3.0.6 log file for the case when I do perform a logout:

      On my first login:

      TRACE [org.jboss.security.srp.SRPService] Cached SRP session for user={username=nicut, sessionID=0}
      TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=0}

      On the second login:

      TRACE [org.jboss.security.srp.SRPService] Cached SRP session for user={username=nicut, sessionID=1}
      TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=1}
      ...
      DEBUG [org.jboss.security.plugins.JaasSecurityManager.srp-login] Login failure
      javax.security.auth.login.LoginException: No SRP session found for: {username=nicut, sessionID=0}
      at org.jboss.security.srp.jaas.SRPCacheLoginModule.login(SRPCacheLoginModule.java:121)
      ...
      ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Authentication exception, principal=nicut
      ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: Authentication exception, principal=nicut
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173)

      On this case JBoss looks for the session {username=nicut, sessionID=0} when the current session key is
      {username=nicut, sessionID=1}.

      If it is a known problem, or if I did something wrong please let me know.

      I do have one idea why this happens but I`m not 100% sure:

      JBoss caches the authenticated user as a SimplePrincipal instead of a SRPPrincipal so then when it is looking
      for the current session the JBoss 3.0.6 (SRPCacheLoginModule.java: line 109) do this:

      if( userPrincipal instanceof SRPPrincipal )
      {
      SRPPrincipal srpPrincpal = (SRPPrincipal) userPrincipal;
      key = new SRPSessionKey(username, srpPrincpal.getSessionID());
      }
      else
      {
      key = new SRPSessionKey(username); // the computed key for this is {username=username, sessionID=0}
      }

      Actually I verified this. In all my cases the userPrincipal is an org.jboss.security.SimplePrincipal object.

      Any idea will be appreciated.

        • 1. Re: SRP cache problem?
          Nicolae Tabusca Newbie

          Hello all,

          I can say that I solved this problem, but now I have another one.

          The cause of my headache was:

          Do not use on the client side the SRPLoginModule with the ClientLoginModule with JBoss 3.0.6 or 3.2.0. A better
          practice is to modify the SRPLoginModule by adding the following lines:

          SecurityAssociation.setServer();// this only if each separate thread must perform its own login.
          SecurityAssociation.setPrincipal(new SRPPrincipal(username, sessionID));
          SecurityAssociation.setCredential(credential);
          SecurityAssociation.setSubject(subject);

          This lines binds the username and the session id into the JBoss, and so all the ejb calls will
          be handled for the current session.

          Anyway right now I have another problem:

          My first login works just fine. On the second login, all the authentications work just fine, but
          the user roles seem to be null. This is curious becose my server login module maps well the user
          roles.

          On my second login:

          2003-03-22 14:28:17,973 TRACE [org.jboss.security.srp.SRPRemoteServer] verify, completed {username=nicut, sessionID=1}
          ...
          TRACE [org.jboss.security.plugins.JaasSecurityManager.srp-login] updateCache, subject=Subject:
          Principal: nicut
          Principal: Roles
          Public Credential: [B@1c2ec05
          Private Credential: org.jboss.security.srp.SRPParameters@9c9bfc91
          Private Credential: [B@17d03c5
          2003-03-22 14:28:18,104 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions, principal=nicut, method=create, interface=HOME, requiredRoles=[Administrator], principalRoles=null
          2003-03-22 14:28:18,104 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
          java.lang.SecurityException: Insufficient method permissions, principal=nicut, method=create, interface=HOME, requiredRoles=[Administrator], principalRoles=null
          at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:228)