7 Replies Latest reply on Jun 29, 2003 4:26 PM by Joshua Davis

    'UsersRolesLoginModule' not validating passwords

    Joshua Davis Expert

      Hello,

      I am trying to use the 'UsersRolesLoginModule' in a web/EJB application and I am getting some unexpected behavior. The web application seems to know when an unauthenticated user is accessing a page, and it forwards to the login form appropriately. However, it does *not* appear to be verifying the username and password against the users.properties file. There must be something missing in the configuration.

      login.xml has 'ExampleRealm' defined as:


      <!--
      The default login configuration used by any security domain that
      does not have an application-policy entry with a matching name
      -->
      <application-policy name = "ExampleRealm">
        <!-- A simple server login module, which can be used when the number
        of users is relatively small. It uses two properties files:
        users.properties, which holds users (key) and their password (value).
        roles.properties, which holds users (key) and a comma-separated list of
        their roles (value).
        The unauthenticatedIdentity property defines the name of the principal
        that will be used when a null username and password are presented as is
        the case for an unauthenticated web client or MDB. If you want to
        allow such users to be authenticated add the property, e.g.,
        unauthenticatedIdentity="nobody"
        -->

        <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag = "required" />

      </application-policy>

      web.xml references this realm like so:

      <!-- ==================================================================== -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Secure Pages</web-resource-name>
          <url-pattern>/webui/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>AuthorizedUser</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
        <!-- ExampleRealm is defined in login-config.xml -->
        <realm-name>ExampleRealm</realm-name>
        <form-login-config>
          <!--
          NOTE: It is important that no pages directly invoke this JSP, as it will invoke 'j_security_check'
          which expects the invoking URL to be the URL to go to on successful login. On Jetty/JBoss, linking
          directly to this login form page will result in the user being redirected to the root web context.
          -->
          <form-login-page>/login/login.jsp</form-login-page>
          <form-error-page>/login/authenticationError.jsp</form-error-page>
        </form-login-config>
      </login-config>

      The users.properties and roles.properties files are deployed into the application JAR file, which is in the main EAR file.

      Any ideas?

        • 1. Re: 'UsersRolesLoginModule' not validating passwords
          Harald Gliebe Novice

          You have to associate your JAAS-Configuration with your web application in the WEB-INF/jboss-web.xml as follows:

          <?xml version="1.0"?>
          <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
          <jboss-web>
            <security-domain>java:/jaas/ExampleRealm</security-domain>
          </jboss-web>

          The realm name element in the standard web.xml file is used only for HTTP basic authentication (the browser will display this name in the login window).

          Regards,
          Harald

          • 2. Re: 'UsersRolesLoginModule' not validating passwords
            Joshua Davis Expert

            Aha! I don't even have a jboss-web.xml file. I'll try that... Thanks!

            • 3. Re: 'UsersRolesLoginModule' not validating passwords
              Joshua Davis Expert

              That seemed to have changed the behavior (good), but now the server indicates that there are no login modules associated with ExampleRealm. I thought that is what the login-config.xml file is supposed to do?

              Here is the exception:

              2003-06-29 11:33:38,796 DEBUG [org.jboss.security.plugins.JaasSecurityManager.ExampleRealm] Login failure
              javax.security.auth.login.LoginException: No LoginModules configured for ExampleRealm
              at javax.security.auth.login.LoginContext.init(LoginContext.java:189)
              at javax.security.auth.login.LoginContext.<init>(LoginContext.java:350)
              at javax.security.auth.login.LoginContext.<init>(LoginContext.java:465)
              at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:461)
              at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:417)
              at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:244)
              at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:219)
              at org.jboss.jetty.security.JBossUserRealm$JBossUserPrincipal.isAuthenticated(JBossUserRealm.java:92)
              at org.jboss.jetty.security.JBossUserRealm$JBossUserPrincipal.authenticate(JBossUserRealm.java:154)
              at org.jboss.jetty.security.JBossUserRealm.authenticate(JBossUserRealm.java:323)
              at org.mortbay.jetty.servlet.FormAuthenticator.authenticated(FormAuthenticator.java:114)
              at org.mortbay.jetty.servlet.ServletHttpContext.jSecurityCheck(ServletHttpContext.java:121)
              at org.mortbay.jetty.servlet.ServletHttpContext.checkSecurityConstraints(ServletHttpContext.java:137)
              at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:235)
              at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:558)
              at org.mortbay.http.HttpContext.handle(HttpContext.java:1714)
              at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:507)
              at org.mortbay.http.HttpContext.handle(HttpContext.java:1664)
              at org.mortbay.http.HttpServer.service(HttpServer.java:863)
              at org.jboss.jetty.Jetty.service(Jetty.java:460)
              at org.mortbay.http.HttpConnection.service(HttpConnection.java:775)
              at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:939)
              at org.mortbay.http.HttpConnection.handle(HttpConnection.java:792)
              at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:201)
              at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:289)
              at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:455)

              • 4. Re: 'UsersRolesLoginModule' not validating passwords
                Joshua Davis Expert

                Here is a message that indicates that the auth.conf file needs to be placed in the classpath, or in a system property. Since none of the examples that I have seen do this, I figured it was for Tomcat->JBoss users, or something.

                http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=

                • 5. Re: 'UsersRolesLoginModule' not validating passwords
                  Harald Gliebe Novice

                  Looks like JAAS can't find your ExampleRealm configuration, and also no 'other' configuration which serves as default.
                  Could you please check in the jmx-console that the XMLLoginConfig MBean is deployed, and that invoking "displayAppConfig" with "ExampleRealm" shows the correct configuration?

                  Regards,

                  Harald

                  • 6. Re: 'UsersRolesLoginModule' not validating passwords
                    Joshua Davis Expert

                    Invoking XMLLoginConfig MBean displayAppConfig() method with "ExampleRealm" yields "No Entry".

                    While I was there, I noticed that the ConfigURL is pointing at my source code directory for some reason. That does not seem right. Maybe my login-config.xml is not in the right directory?

                    • 7. Re: 'UsersRolesLoginModule' not validating passwords
                      Joshua Davis Expert

                      It works now! The problem was that my deployment ANT script was not copying login-config.xml into the 'conf' directory (oops).

                      Thanks for your help!
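
Added example, not part of the original thread or of JBoss: a pre-deployment check for the two gaps found above, a protected web.xml with no security-domain in WEB-INF/jboss-web.xml, and a security-domain whose policy is not present in the deployed conf/login-config.xml. The function name, the sample descriptors and the finding texts are assumptions made for this sketch, and it expects DTD-style descriptors without XML namespaces, as in the thread.

```python
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"

def check_wiring(web_xml, jboss_web_xml, login_config_xml):
    """Return findings for one web app ([] = consistent); None = file not deployed."""
    if ET.fromstring(web_xml).find(".//auth-constraint") is None:
        return []  # no protected resources, nothing to wire up
    if jboss_web_xml is None:
        return ["WEB-INF/jboss-web.xml missing: no security-domain is declared"]
    domain = (ET.fromstring(jboss_web_xml).findtext("security-domain") or "").strip()
    if not domain.startswith(JAAS_PREFIX):
        return ["security-domain %r is empty or lacks the %s prefix" % (domain, JAAS_PREFIX)]
    name = domain[len(JAAS_PREFIX):]
    if login_config_xml is None:
        return ["conf/login-config.xml missing: nothing defines policy %r" % name]
    root = ET.fromstring(login_config_xml)
    policies = {p.get("name") for p in root.iter("application-policy")}
    if name in policies:
        return []
    fallback = "'other' would be used" if "other" in policies else "no 'other' default either"
    return ["no application-policy named %r (%s)" % (name, fallback)]

# Constructed sample descriptors (not files from the thread), without DOCTYPEs.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/webui/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>AuthorizedUser</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/ExampleRealm</security-domain>
</jboss-web>"""
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="ExampleRealm">
    <authentication><login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/></authentication>
  </application-policy>
</policy>"""

def demo():
    """Replay the three states the thread passes through."""
    return {
        "no jboss-web.xml": check_wiring(WEB_XML, None, LOGIN_CONFIG_XML),
        "login-config.xml not copied": check_wiring(WEB_XML, JBOSS_WEB_XML, None),
        "fixed": check_wiring(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML),
    }

if __name__ == "__main__":
    print(demo())
```

Run against the descriptors in the built EAR and the server's conf directory rather than the source tree, since the failure in this thread was a file that existed in source but was never copied.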