4 Replies Latest reply on May 5, 2003 11:39 AM by brucec

    DatabaseServerLoginModule not Authenticating

    brucec Newbie

      I have a UserSessionManagerEJB that I'm trying to secure using the DatabaseServerLoginModule (actually a subclass that does nothing except call super for initialize, getUsersPassword and get RoleSets). Can anyone point out where I'm messing up?

      I'm attaching my server.policy and login-config.xml files:
      Well for some reason the Attach Files feature isn't working so I'll add file contents at the bottom.

      The exception message is:

      ERROR javax.ejb.EJBException: java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
      java.rmi.ServerException: EJBException:; nested exception is:
      javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
      Authentication exception, principal=Bruce

      The client side login code snippet is:

      UsernamePasswordHandler handler = new
      UsernamePasswordHandler( username, password );
      _context = new LoginContext( "client-login", handler );
      _context.login();
      Subject subject = _context.getSubject();
      UserSessionManager ejb = null;
      UserSessionManagerHome home = null;
      try {
      home = (UserSessionManagerHome)PortableRemoteObject.narrow(
      new InitialContext().lookup( lookupName ),
      UserSessionManagerHome.class );
      try {
      ejb = home.create();
      . . .

      I'm just trying to use the default Hypersonic DB for right now and have added the following to the db/hypersonic/default.script file to create a sample login database:

      CREATE TABLE USERS(USERNAME VARCHAR NOT NULL PRIMARY KEY,PASSWORD VARCHAR)
      CREATE TABLE USERROLES(USERNAME VARCHAR,USERROLE VARCHAR,ROLEGROUP VARCHAR)
      INSERT INTO USERS VALUES('Bruce','Bpass')
      INSERT INTO USERS VALUES('bc','bc2pass')
      INSERT INTO USERROLES VALUES('bc','Operator','Role')
      INSERT INTO USERROLES VALUES('Bruce','JBossAdmin','Role')

      My configuration is JBoss 3.0.4/Tomcat 4.1.12 on Redhat Linux 7.3

      security.policy file:
      =================================
      grant {
      permission java.util.PropertyPermission "*", "read,write";
      permission java.lang.RuntimePermission "*", "getProtectionDomain";
      permission java.io.FilePermission "/home/bcrawford/tools/-", "read,write,execute";
      permission java.io.FilePermission "/home/bcrawford/tools/jboss-3.0.4_tomcat-4.1.12/server/default/-", "delete";
      permission javax.security.auth.AuthPermission "*", "createLoginContext.jbossmq";
      permission java.net.SocketPermission "*", "accept,connect,resolve";
      permission org.apache.naming.JndiPermission "*";
      permission java.util.logging.LoggingPermission "control";
      };
      grant Principal org.jboss.security.SimplePrincipal "Admin" {
      // Allow everything for now
      permission java.security.AllPermission;
      };
      grant Principal org.jboss.security.SimplePrincipal "Operator" {
      permission com.transdyn.dynac.security.AccessPermission;
      };

      login-conf.xml file:
      =================================
      <?xml version='1.0'?>
      <!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

      <application-policy name = "client-login">

      <login-module code = "org.jboss.security.ClientLoginModule"
      flag = "required">
      </login-module>

      </application-policy>

      <!-- Security domain for JBossMQ -->
      <application-policy name = "jbossmq">

      <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
      </login-module>

      </application-policy>

      <!-- Security domains for testing new jca framework -->
      <application-policy name = "HsqlDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sa</module-option>
      <module-option name = "userName">sa</module-option>
      <module-option name = "password"></module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=hsqldbDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "FirebirdDBRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sysdba</module-option>
      <module-option name = "userName">sysdba</module-option>
      <module-option name = "password">masterkey</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "JmsXARealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">guest</module-option>
      <module-option name = "userName">guest</module-option>
      <module-option name = "password">guest</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=jmsra</module-option>
      </login-module>

      </application-policy>

      <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
      -->
      <application-policy name = "jmx-console">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>

      <!-- Security domain for Dynac -->
      <application-policy name = "dynac">

      <login-module code="com.transdyn.dynac.security.DynacPasswordLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">anonymousUser</module-option>
      <module-option name = "principalsQuery">select Password from Users where Username=?</module-option>
      <module-option name = "rolesQuery">select UserRole, 'Role' from UserRoles where Username=?</module-option>
      </login-module>

      </application-policy>

      <!-- The default login configuration used by any security domain that
      does not have a application-policy entry with a matching name
      -->
      <application-policy name = "other">

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>


      jboss.xml file:
      =================================
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS//EN" "http://www.jboss.org/j2ee/dtd/jboss.dtd">

      <security-domain>java:/jaas/dynac</security-domain>
      <enterprise-beans>

      <ejb-name>UserSessionManager</ejb-name>
      <jndi-name>ejb/UserSessionManager</jndi-name>

      </enterprise-beans>
      <resource-managers>
      </resource-managers>


      ejb-jar.xml file:
      =================================
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
      <ejb-jar >
      No Description.
      <display-name>Generated by XDoclet</display-name>
      <enterprise-beans>
      <!-- Session Beans -->

      <![CDATA[Allows a user to login to and maintain a session with the Dynac application.]]>
      <display-name>UserSessionManager Bean</display-name>
      <ejb-name>UserSessionManager</ejb-name>
      com.transdyn.dynac.session.UserSessionManagerHome
      com.transdyn.dynac.session.UserSessionManager
      <ejb-class>com.transdyn.dynac.session.UserSessionManagerEJB</ejb-class>
      <session-type>Stateful</session-type>
      <transaction-type>Container</transaction-type>
      <security-role-ref>
      <role-name>JBossAdmin</role-name>
      <role-link>Admin</role-link>
      </security-role-ref>
      <security-identity>
      Testing a EJB security id
      <use-caller-identity >What</use-caller-identity>
      </security-identity>



      <!-- Entity Beans -->
      </enterprise-beans>
      <!-- Assembly Descriptor -->
      <assembly-descriptor >
      <security-role>
      description not supported yet by ejbdoclet
      <role-name>JBossAdmin</role-name>
      </security-role>
      <security-role>
      description not supported yet by ejbdoclet
      <role-name>Admin</role-name>
      </security-role>
      <security-role>
      description not supported yet by ejbdoclet
      <role-name>test</role-name>
      </security-role>

      <method-permission >
      description not supported yet by ejbdoclet
      <role-name>JBossAdmin</role-name>

      description not supported yet by ejbdoclet
      <ejb-name>UserSessionManager</ejb-name>
      <method-name>*</method-name>

      </method-permission>

      <method-permission >
      description not supported yet by ejbdoclet
      <role-name>Admin</role-name>
      <role-name>test</role-name>

      <![CDATA[Called by the container to create a session bean instance.]]>
      <ejb-name>UserSessionManager</ejb-name>
      <method-intf>Home</method-intf>
      <method-name>create</method-name>
      <method-params>
      </method-params>

      </method-permission>
      </assembly-descriptor>
      </ejb-jar>

        • 1. Re: DatabaseServerLoginModule not Authenticating
          Peter Doornbosch Apprentice

          should be
          INSERT INTO USERROLES VALUES('bc','Operator','Roles')
          INSERT INTO USERROLES VALUES('Bruce','JBossAdmin','Roles')

          (ie. 'Roles' instead of 'Role')
          hth
          peter.

          • 2. Re: DatabaseServerLoginModule not Authenticating
            brucec Newbie

            Peter,
            Thanks for the response, but that change didn't fix the problem. And I did change 'Role' to 'Roles' in the login-conf.xml file also.

            Maybe I've over worked the whole security issue and am boxing myself into a corner with cascading problems (see BTW note below). I am starting JBoss with a custom runSecure.sh file that adds the following options to the java command:
            -Djava.security.manager
            -Djava.security.policy=/server.policy
            -Djava.security.debug=access,failure
            And in doing this I've created a custom server.policy file to try to enable the necessary permissions for JBoss and Tomcat ... as you can see below this is obviously NOT correct.

            Am I trying to make this too complicated?

            BTW another problem keeps me from examining the hypersonic DB during these tests and that is not having the JMX Console available. This is probably being caused by the server.policy file (shown in 1st post) since I get an exception during deployment of package: file:/jmx-console.war, i.e.,
            ERROR [org.jboss.web.localhost.Engine] StandardHost[localhost]: ContainerBase.addChild: start:
            LifecycleException: start: : java.lang.NullPointerException
            at org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:678)
            at org.apache.catalina.core.StandardContext.start(StandardContext.java:3456)
            at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:821)
            at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:162)
            at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:182)
            at java.security.AccessController.doPrivileged(Native Method)
            at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:805)
            at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:579)
            at org.jboss.web.catalina.EmbeddedCatalinaService41.createWebContext(EmbeddedCatalinaService41.java:432)
            at org.jboss.web.catalina.EmbeddedCatalinaService41.performDeploy(EmbeddedCatalinaService41.java:306)
            . . .

            I also posted this problem, but haven't had any replies yet.

            • 3. Re: DatabaseServerLoginModule not Authenticating
              Peter Doornbosch Apprentice

              > Maybe I've over worked the whole security issue and
              > am boxing myself into a corner with cascading
              > problems (see BTW note below). I am starting JBoss
              > with a custom runSecure.sh file that adds the
              > following options to the java command:
              > -Djava.security.manager
              > -Djava.security.policy=/server.policy
              > -Djava.security.debug=access,failure

              Did you try it without? Did it work out then?

              • 4. Re: DatabaseServerLoginModule not Authenticating
                brucec Newbie

                Peter, Thanks for your replies ...

                I was able to get org.jboss.security.auth.spi.DatabaseServerLoginModule to authenticate when I start JBoss with the default run.sh file using the Hypersonic tables created via default.script file. However, I can't authenticate when using my com.transdyn.dynac.security.DynacPasswordLoginModule which extends the JBoss class and calls super for every method (thus does nothing). I've tried putting this class into /deploy and in /lib, but neither seems to work.

                I also tried specifying -Djava.security.debug=... on the run.sh command line, but the option is not being used by the JBoss main, or at least I can see no difference in behavior from JBoss.

                Bottom line is that I can get default JBoss security to work, but have not been able to override this with what our system is going to need. Obviously I have to resolve this before we can move to a production system, but I seem to be making little progress towards this end.

                I think the real question is how to properly extend the DatabaseServerLoginModule with my class and get it to authenticate and authorize as desired?

                And to get there I need to figure out how to debug what is going on during the auth/auth activity.