2 Replies Latest reply on Nov 13, 2003 6:14 AM by alextalib

    AuthenticationManager, SecurityAssociation and JBossWeb

    Gary Udstrand Newbie

      I have a servlet that I am using to authenticate a user. The servlet manages to authenticate the user just fine, however whenever I attempt to retrieve the principal in a JSP it is null.

      I was previously using the DatabaseServerLoginModule and everything was working just fine. I am aware of the limitation of JBoss/JBossWeb and the resultant null principal in unsecured pages. The pages I am having problems with are secured.

      The servlet code is below, can someone tell me why I am not able to find a valid principal in the session?

      // ActionBase and Log are the application's own classes; the remaining imports are Struts, JNDI and JBoss
      import javax.naming.InitialContext;
      import javax.naming.NamingException;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import org.apache.struts.action.ActionForm;
      import org.apache.struts.action.ActionForward;
      import org.apache.struts.action.ActionMapping;
      import org.jboss.security.AuthenticationManager;
      import org.jboss.security.RealmMapping;
      import org.jboss.security.SecurityAssociation;
      import org.jboss.security.SimplePrincipal;

      public class SecurityAction extends ActionBase {

          public ActionForward performAction(ActionMapping mapping, ActionForm form,
                                             HttpServletRequest request, HttpServletResponse response)
                  throws Exception {
              String username = request.getParameter("j_username");
              String userpassword = request.getParameter("j_password");
              // Log the username only; the password must never be written to the log
              Log.debug(this, "username : " + username);
              if (authenticate(username, userpassword)) {
                  return mapping.findForward("success");
              } else {
                  return mapping.findForward("error");
              }
          }

          public boolean authenticate(String pUsername, String pUserPassword) {
              // A missing form parameter is a failed login, not a NullPointerException
              if (pUsername == null || pUserPassword == null) {
                  return false;
              }
              try {
                  InitialContext iniCtx = new InitialContext();
                  // Security manager and realm mapping are bound under java:comp/env/security
                  AuthenticationManager securityMgr = (AuthenticationManager)
                          iniCtx.lookup("java:comp/env/security/securityMgr");
                  SimplePrincipal principal = new SimplePrincipal(pUsername);
                  if (securityMgr.isValid(principal, pUserPassword)) {
                      // Indicate the user is allowed access to the web content...
                      // Propagate the user info to JBoss for any calls made by the servlet
                      SecurityAssociation.setPrincipal(principal);
                      SecurityAssociation.setCredential(pUserPassword.toCharArray());
                      RealmMapping securityRealmMgr = (RealmMapping)
                              iniCtx.lookup("java:comp/env/security/realmMapping");
                      Log.debug(this, "Roles : " + securityRealmMgr.getUserRoles(principal));
                  } else {
                      // Deny access...
                      return false;
                  }
              } catch (NamingException ne) {
                  ne.printStackTrace();
                  return false;
              }
              return true;
          }
      }
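The following is an added, self-contained illustration of the failure mode in this post; it is not the poster's code and does not use JBoss classes. It assumes that the security association is a per-thread holder (modelled here by the hypothetical MockSecurityAssociation, a ThreadLocal) and that the login request and the later JSP request are served by different worker threads. NamePrincipal, MockSession, PrincipalPropagationDemo and the user name "alice" are all constructed for the demonstration. Run as-is, the later request sees null when it relies on the holder alone and sees the principal only when it re-establishes it from a per-user store such as the HTTP session.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration (not the poster's code): a principal kept in a per-thread
 * holder is visible on the thread that set it, but not on the thread that
 * serves the next request, unless that request restores it from the session.
 */
public class PrincipalPropagationDemo {

    /** Minimal Principal, analogous in role to SimplePrincipal. */
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /** Hypothetical per-thread association (assumption: the holder is a ThreadLocal). */
    static final class MockSecurityAssociation {
        private static final ThreadLocal<Principal> PRINCIPAL = new ThreadLocal<>();
        static void setPrincipal(Principal p) { PRINCIPAL.set(p); }
        static Principal getPrincipal() { return PRINCIPAL.get(); }
        static void clear() { PRINCIPAL.remove(); }
    }

    /** Hypothetical session: per-user state that survives across requests and threads. */
    static final class MockSession {
        private final Map<String, Object> attributes = new HashMap<>();
        synchronized void setAttribute(String key, Object value) { attributes.put(key, value); }
        synchronized Object getAttribute(String key) { return attributes.get(key); }
    }

    static final String SESSION_KEY = "authenticated.principal";

    /** Login request: set the association (as the posted servlet does) and keep the principal in the session. */
    static void handleLogin(MockSession session, String user) {
        Principal p = new NamePrincipal(user);
        MockSecurityAssociation.setPrincipal(p);
        session.setAttribute(SESSION_KEY, p);
    }

    /**
     * A later request served by a different worker thread (e.g. the JSP render).
     * With reestablish=false it reads the holder as-is; with reestablish=true it
     * first restores the principal from the session before reading it.
     */
    static Principal handleLaterRequest(MockSession session, boolean reestablish) {
        if (reestablish) {
            Principal saved = (Principal) session.getAttribute(SESSION_KEY);
            if (saved != null) MockSecurityAssociation.setPrincipal(saved);
        }
        try {
            return MockSecurityAssociation.getPrincipal();
        } finally {
            // Clear at the end of the request so a pooled thread never carries
            // one user's identity into the next request it serves
            MockSecurityAssociation.clear();
        }
    }

    /** Runs the login on one thread and the later request on another; returns what the later request saw. */
    static Principal run(boolean reestablish) throws InterruptedException {
        MockSession session = new MockSession();
        Thread loginThread = new Thread(() -> handleLogin(session, "alice")); // constructed user
        loginThread.start();
        loginThread.join();

        Principal[] seen = new Principal[1];
        Thread laterThread = new Thread(() -> seen[0] = handleLaterRequest(session, reestablish));
        laterThread.start();
        laterThread.join();
        return seen[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("later request, holder only:           " + run(false));
        System.out.println("later request, restored from session: " + run(true));
    }
}
```

The design point is that a ThreadLocal is request-scoped at best, and in a pooled container it is not even that: whatever is left in it leaks to the next request on the same thread, which is why handleLaterRequest clears it in a finally block. Anything that must survive from the login request to later requests has to live in per-user state such as the session and be re-established at the start of each request.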

        • 1. Re: AuthenticationManager, SecurityAssociation and JBossWeb
          Sean Radford Novice

          I'm having the same problem. Anyone have the answer?

          To me it seems that I'm losing the Principal as it is not being propagated during a change in Thread.

          - And I can't test this theory as the SecurityAssociation class has no unsetServer() property.

          • 2. Re: AuthenticationManager, SecurityAssociation and JBossWeb
            alextalib Newbie


            I am getting a similar problem. I can login using FORM based login, which works fine, and the principal is propagated to the EJB layer. On subsequent calls however I end up with a null principal, which means I can't properly call EJBs from the web container.

            I am using:
            - jboss-3.2.2 with jbossweb-tomcat41.sar
            - securityfilter-1.1 with com.aegeus.securityfilter.JBossRealmAdapter
            - DatabaseServerLoginModule to a MySQL database

            If I swap out the jbossweb-tomcat41.sar and use jbossweb-jetty.sar the authentication mostly works, but the problem still appears every now and then. The pages I am trying to access are secured using the securityfilter mechanism.

            *************************** Log Snippet from initial login ******************************
            2003-11-13 01:20:25,729 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/tiles/default/footer.jsp'.
            2003-11-13 01:20:25,739 DEBUG [org.apache.struts.tiles.TilesRequestProcessor] 'page.index' - processed as definition
            2003-11-13 01:20:32,579 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry, authInfo=AppConfigurationEntry[]:
            [0]
            LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
            ControlFlag: LoginModuleControlFlag: required
            Options:name=rolesQuery, value=select r.Name, 'Roles'
            from entity l, entity_role lr, role r
            where l.entityId = lr.entityId
            and lr.roleName = r.name
            and l.Name=?
            name=principalsQuery, value=select password from entity where Name=?
            name=password-stacking, value=useFirstPass
            name=dsJndiName, value=java:/MySqlDS

            2003-11-13 01:20:32,589 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize
            2003-11-13 01:20:32,589 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/MySqlDS
            2003-11-13 01:20:32,589 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=select password from entity where Name=?
            2003-11-13 01:20:32,589 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=select r.Name, 'Roles'
            from entity l, entity_role lr, role r
            where l.entityId = lr.entityId
            and lr.roleName = r.name
            and l.Name=?
            2003-11-13 01:20:32,589 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
            2003-11-13 01:20:33,099 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'alex' authenticated, loginOk=true
            2003-11-13 01:20:33,099 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
            2003-11-13 01:20:33,099 TRACE [org.jboss.security.plugins.JaasSecurityManager.JDBCRealm] updateCache, subject=Subject:
            Principal: alex
            Principal: Roles(members:student)

            2003-11-13 01:20:33,099 TRACE [com.aegeus.securityfilter.JBossRealmAdapter] authenticate( alex, ****): alex
            2003-11-13 01:20:33,149 DEBUG [org.apache.struts.util.ModuleUtils] Get module name for path /index.html
            2003-11-13 01:20:33,149 DEBUG [org.apache.struts.util.ModuleUtils] Module name found: default
            2003-11-13 01:20:33,149 DEBUG [org.apache.struts.action.RequestProcessor] Processing a 'GET' for path '/index'
            .
            .
            .
            .
            *********** log snippet from a subsequent call where the web container makes a call to the ejb layer ******************
            2003-11-12 18:41:37,022 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/tiles/default/loginform.jsp'.
            2003-11-12 18:41:37,032 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/tiles/default/work.jsp'.
            2003-11-12 18:41:37,042 TRACE [au.com.lavaconsulting.core.ServiceLocator] getRemoteService(10 [education/RemoteStudentFacadeEJB]):
            2003-11-12 18:41:37,042 TRACE [au.com.lavaconsulting.core.ServiceLocator] getRemoteHome(10 [education/RemoteStudentFacadeEJB]):
            2003-11-12 18:41:37,042 TRACE [au.com.lavaconsulting.education.impl.PersonFacadeEJBBean] setSessionContext() org.jboss.ejb.StatefulSessionEnterpriseContext$StatefulSessionContextImpl@efc0ee
            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry, authInfo=AppConfigurationEntry[]:
            [0]
            LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
            ControlFlag: LoginModuleControlFlag: required
            Options:name=rolesQuery, value=select r.Name, 'Roles'
            from entity l, entity_role lr, role r
            where l.entityId = lr.entityId
            and lr.roleName = r.name
            and l.Name=?
            name=principalsQuery, value=select password from entity where Name=?
            name=password-stacking, value=useFirstPass
            name=dsJndiName, value=java:/MySqlDS

            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize
            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/MySqlDS
            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=select password from entity where Name=?
            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=select r.Name, 'Roles'
            from entity l, entity_role lr, role r
            where l.entityId = lr.entityId
            and lr.roleName = r.name
            and l.Name=?
            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
            2003-11-12 18:41:37,042 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Authenticating as unauthenticatedIdentity=null
            2003-11-12 18:41:37,052 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] abort
            2003-11-12 18:41:37,052 DEBUG [org.jboss.security.plugins.JaasSecurityManager.JDBCRealm] Login failure
            javax.security.auth.login.FailedLoginException: No matching username found in Principals
            at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:102)
            at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:150)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:324)
            at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
            at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)