3 Replies Latest reply on Apr 9, 2003 4:12 AM by Peter Doornbosch

    EXTREMELY URGENT: JBoss JAAS/Container Security issue

    Mick Knutson Newbie

      I have been fighting with the JBoss DatabaseServerLoginModule for almost 2 months now without success.
      I have tried an infinite number of combinations to try to get to a _SIMPLE_ solution as outlined by the JBoss manual, the JAAS article in JavaWorld, and hundreds of documents and examples from all over the internet.

      Well, I just don't have any more time to waste as my deadline is now 48 hours away!
      I desperately need help:

      1. Find someone to offer some help to resolve this by Friday.
      2. Direct me somewhere to find the help I need
      3. Tell me who would be willing to have me hire them for the help I need.

      Here is my current situation:
      I am using JBoss 3.0.6 with Catalina on NT 4.0, MySql, XDoclet 1.2, Struts 1.1rc1, JDK 1.4.
      I create a beans.jar, common.jar, app.war and package everything into app.ear. The only things that are not in my EAR are the mysql-service.xml, auth.conf, login-config.xml, and server.policy which reside in the $JBOSS_HOME\server\default\conf and the $JBOSS_HOME\server\default\deploy directories.
      I also attached all the above files in a zip file here in this message.

      I have the DatabaseServerLoginModule configured and it seems to be operating, but not correctly.
      When I try to access a page under /private/* I get forwarded to /logon.jsp correctly.

      My MySql Database has 2 tables:
      TABLE_USER: columns: username, password
      TABLE_USER_ROLES: columns: username, user_roles, user_group

      TABLE_USER: data: "mick", "mickPassword"
      TABLE_USER_ROLES: data1: "mick", "user", "user"
      TABLE_USER_ROLES: data2: "mick", "admin", "admin"

      I then type in j_username: "mick", j_password: "mickPassword" and click ENTER.
      I seem to be logged in successfully, as the console shows that I have 3 Principals: "mick", "user", "admin", and when I attempt to navigate to pages in the private area that do not require EJB access, I continue to see that my Principal is kept successfully through each page. So I do _not_ currently have the Principal=null issue.
      I do, however, have a UserPreferenceFilter in which I check whether the user is in role "user", "admin", or "guest", and all 3 come up as "NO".

      Also, when I attempt to access a page that goes to my EJB layer, I get a Security violation error that states the user must belong to [] role. But I have added a "run-as = InternalUser" for all my EJBs so far. That does not seem to work. When I remove the "run-as=InternalUser", I get a Security Violation that states the user must belong to the role I specified.

      So it seems that my main 2 issues are getting the Roles to stick to the user when they log in, and the EJBs being able to use the user Roles, or the "run-as=InternalUser".

      Thank You
      Mick Knutson
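
Added example (not the files attached to the post): a login-config.xml application-policy for the DatabaseServerLoginModule written against the two tables described above; the policy name app-domain and the datasource JNDI name java:/MySqlDS are assumed placeholders. The rolesQuery must return the role name and the role group, and JBoss only treats a row as an authorization role when that group is the literal "Roles", so the query selects that literal rather than the user_group column.

```xml
<!-- login-config.xml fragment: application-policy for the DatabaseServerLoginModule.
     Added example, not the poster's configuration. The policy name "app-domain"
     and the datasource JNDI name "java:/MySqlDS" are assumed placeholders. -->
<application-policy name="app-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">

      <!-- Datasource bound by mysql-service.xml (JNDI name assumed) -->
      <module-option name="dsJndiName">java:/MySqlDS</module-option>

      <!-- Must return exactly one column: the stored password for the given
           username. Table and column names are taken from the post. -->
      <module-option name="principalsQuery">SELECT password FROM TABLE_USER WHERE username = ?</module-option>

      <!-- Must return two columns: role name, role group. Only rows whose group
           is the literal "Roles" are used for isUserInRole() and EJB method
           permissions (the other recognised group is "CallerPrincipal"), so the
           literal is selected instead of the user_group column, which in the
           post holds "user"/"admin" and therefore yields no authorization roles. -->
      <module-option name="rolesQuery">SELECT user_roles, 'Roles' FROM TABLE_USER_ROLES WHERE username = ?</module-option>

    </login-module>
  </authentication>
</application-policy>
```

Both the WAR's jboss-web.xml and the EJB jar's jboss.xml then need `<security-domain>java:/jaas/app-domain</security-domain>` so the web tier and the EJB tier authorize against the same subject and roles.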