2 Replies Latest reply on Apr 14, 2003 7:00 PM by stevecoh1

    JASS/JBoss not performing as expected

    stevecoh1 Newbie

      I have the following scenario: I have a login module based on the database which is based on must-change-password on first login semantics. The user when first created is given a default password which is only good for the first login.

      There are two webapps on the same server. Each uses this same scheme.

      To best explain this, I am going to put intervening comments inside a log file fragment. My comments are preceded with two dashes.


      --package newly deployed.
      2003-04-14 16:26:03,932 DEBUG [org.jboss.deployment.MainDeployer] End deployment start on package: jboss-service.xml
      2003-04-14 16:26:03,933 INFO [org.jboss.deployment.MainDeployer] Deployed package: file:/usr/local/jboss-3.0.6-src/build/output/jboss-3.0.6/server/default/conf/jboss-service.xml
      2003-04-14 16:26:03,940 INFO [org.jboss.system.server.Server] JBoss (MX MicroKernel) [3.0.6 (CVSTag=JBoss_3_0_6 Date=200303071139)] Started in 1m:20s:415ms

      --first login attempt by user stevec2
      2003-04-14 16:26:35,208 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] JBossUserPrincipal: stevec2
      2003-04-14 16:26:35,222 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] created JBossUserRealm::JBossUserPrincipal: stevec2
      2003-04-14 16:26:35,238 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticating: Name:stevec2 Password:****

      --my login module's getUsersPassword() called
      2003-04-14 16:26:35,518 DEBUG [com.ignitemedia.security.jboss.ISMLoginModule] getUsersPassword()

      --database consulted
      2003-04-14 16:26:35,619 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] internalRegisterPool: registering pool with interval 900000 old interval: 9223372036854775807
      2003-04-14 16:26:35,621 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] internalRegisterPool: about to notify thread: old next: 1050356045621, new next: 1050356045621
      2003-04-14 16:26:35,623 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] run: IdleRemover notifying pools, interval: 450000
      2003-04-14 16:26:35,641 DEBUG [org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory] Using properties: {user=webdev, password=w3bd3v}
      2003-04-14 16:26:35,643 DEBUG [org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory] Checking driver for URL: jdbc:informix-sqli://10.4.18.163:8901/sport:INFORMIXSERVER=sqlsport0_tli
      2003-04-14 16:26:35,651 DEBUG [org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory] Driver not yet registered for url: jdbc:informix-sqli://10.4.18.163:8901/sport:INFORMIXSERVER=sqlsport0_tli
      2003-04-14 16:26:35,669 DEBUG [org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory] Driver not yet registered for url: jdbc:informix-sqli://10.4.18.163:8901/sport:INFORMIXSERVER=sqlsport0_tli
      2003-04-14 16:26:35,693 DEBUG [org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory] Driver already registered for url: jdbc:informix-sqli://10.4.18.163:8901/sport:INFORMIXSERVER=sqlsport0_tli

      --my login module's getUsersPassword() returns
      2003-04-14 16:26:37,200 DEBUG [com.ignitemedia.security.jboss.ISMLoginModule] getUsersPassword() returning.

      --my login module's getRoleSets() called
      2003-04-14 16:26:37,255 DEBUG [com.ignitemedia.security.jboss.ISMLoginModule] getRoleSets()

      --ANY TIME a role is added to the role set, a log message like this will be emitted by the login module. This is the only role added this time through, since this user must change his password before continuing.
      2003-04-14 16:26:37,265 DEBUG [com.ignitemedia.security.jboss.ISMLoginModule] Adding role axp.gen.chgpswd for user stevec2 to role set.
      2003-04-14 16:26:37,347 DEBUG [com.ignitemedia.security.jboss.ISMLoginModule] ISMLoginModule.getRoleSets() - User must change password.

      --getRoleSets() returns
      2003-04-14 16:26:37,354 DEBUG [com.ignitemedia.security.jboss.ISMLoginModule] getRoleSets() returning.
      2003-04-14 16:26:37,425 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticated: stevec2
      2003-04-14 16:26:37,428 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] setting JAAS subjectAttributeName(j_subject) : Subject(Principals{stevec2,Roles}PublicCredentials{}PrivateCredentials{count=0})
      2003-04-14 16:26:37,440 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticating: Name:stevec2 Password:****
      2003-04-14 16:26:37,442 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticated: stevec2

      --correct role report returned by system.
      2003-04-14 16:26:37,449 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] JBossUserPrincipal: stevec2 is in Role: axp.gen.chgpswd
      2003-04-14 16:26:37,454 INFO [org.jboss.jbossweb] action: Processing a GET for /login/check-password
      2003-04-14 16:26:37,460 INFO [org.jboss.jbossweb] action: Setting locale 'en_US'
      2003-04-14 16:26:37,465 INFO [org.jboss.jbossweb] action: Looking for Action instance for class com.ignitemedia.access.panel.CheckChangePasswordAction
      2003-04-14 16:26:37,469 INFO [org.jboss.jbossweb] action: Double checking for Action instance already there
      2003-04-14 16:26:37,473 INFO [org.jboss.jbossweb] action: Creating new Action instance

      --here a struts forwarding mechanism is employed. If the user only has the axp.gen.chgpswd role, a change password screen is rendered. If axp.gen.user is in the role set, then the main front page of the application is displayed.
      2003-04-14 16:26:37,537 DEBUG [com.ignitemedia.access.panel.CheckChangePasswordAction] CheckChangePasswordAction() - user stevec2
      2003-04-14 16:26:37,549 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] JBossUserPrincipal: stevec2 is NOT in Role: axp.gen.user
      2003-04-14 16:26:37,551 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] JBossUserPrincipal: stevec2 is in Role: axp.gen.chgpswd
      2003-04-14 16:26:37,553 DEBUG [com.ignitemedia.access.panel.CheckChangePasswordAction] user must change password.
      2003-04-14 16:26:37,566 INFO [org.jboss.jbossweb] action: Processing a GET for /login/must-change-password
      2003-04-14 16:26:37,572 INFO [org.jboss.jbossweb] action: Looking for ActionForm bean under attribute 'changePasswordForm'
      2003-04-14 16:26:37,576 INFO [org.jboss.jbossweb] action: Creating new ActionForm instance of class 'com.ignitemedia.access.panel.ChangePasswordForm'
      2003-04-14 16:26:37,846 INFO [org.jboss.jbossweb] action: Storing instance under attribute 'changePasswordForm' in scope 'request'
      2003-04-14 16:26:37,851 INFO [org.jboss.jbossweb] action: Populating bean properties from this request
      2003-04-14 16:26:37,852 DEBUG [com.ignitemedia.access.panel.ChangePasswordForm] reset()
      2003-04-14 16:26:37,936 INFO [org.jboss.jbossweb] action: Validating input form properties
      2003-04-14 16:26:37,941 INFO [org.jboss.jbossweb] action: Looking for Action instance for class com.ignitemedia.access.panel.ChangePasswordAction
      2003-04-14 16:26:37,946 INFO [org.jboss.jbossweb] action: Double checking for Action instance already there
      2003-04-14 16:26:37,950 INFO [org.jboss.jbossweb] action: Creating new Action instance

      --and now the change password page is displayed.
      2003-04-14 16:26:37,993 DEBUG [com.ignitemedia.access.panel.ChangePasswordAction] ChangePasswordAction via: /login/must-change-password
      2003-04-14 16:26:38,102 DEBUG [com.ignitemedia.access.panel.ChangePasswordAction] userPrincipal from request:stevec2

      --instead of making any input on the change password page, instead the user now attempts via browser to log into other application run on this server.
      2003-04-14 16:27:03,654 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] JBossUserPrincipal: stevec2
      2003-04-14 16:27:03,654 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] created JBossUserRealm::JBossUserPrincipal: stevec2
      2003-04-14 16:27:03,655 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticating: Name:stevec2 Password:****

      --since stevec2 is already recognized, no need to check password. That's okay.
      2003-04-14 16:27:03,655 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticated: stevec2
      2003-04-14 16:27:03,655 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] setting JAAS subjectAttributeName(j_subject) : null
      2003-04-14 16:27:03,664 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticating: Name:stevec2 Password:****
      2003-04-14 16:27:03,665 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] authenticated: stevec2

      --this application requires a different role. This role has never been added to any role set, but the system thinks it has. Why? This is the problem.
      2003-04-14 16:27:03,665 DEBUG [org.jboss.jetty.security.JBossUserRealm#my-realm] JBossUserPrincipal: stevec2 is in Role: axpa.gen.user