We purchased the JBOSS documentation recently and I am still having some authentication trouble. I think I am missing something simple. I have the spi.UsersRolesLoginModule working, but cannot get the DatabaseServerLoginModule to work.
Specifically, the login seems to do something when I access the intro jsp page, but I cannot log in and I am not sure if it connects or what. I thought I turned on the log4j debugging by changing log4j:configuration debug value to true. But I do not get any additional info. Do I have to add a new appender or something? Here is all the info I get on the login attempt:
12:20:35,374 INFO [MainDeployer] Deployed package:
12:22:33,012 INFO [JaasSecurityManagerService] Created
12:22:33,069 INFO [JaasSecurityManagerService] setCachePolicy,
12:22:33,114 INFO [JaasSecurityManagerService] Added MQOSA_DB,
org.jboss.security.plugins.SecurityDomainContext@b91602 to map
I am able to change database contents elsewhere using some CMP beans, so
I don't think the connection is a problem. However, I always go to the
failed login page. Is there a way to debug this, or can you think what
I am doing wrong?
I have configured the jboss.xml as follows:
<realm-name>JBoss JMX Console</realm-name>
and the jboss-web.xml as follows:
<?xml version="1.0" encoding="UTF-8"?>
and the server/deploy/conf/login_config.xml as follows:
<application-policy name = "MQOSA_DB">
flag = "required" >
<module-option name = "dsJndiName">WalterDS</module-option>
<module-option name = "principalsQuery">select password from mqosa_user where login=?</module-option>
<module-option name = "rolesQuery">select role, 'Roles' from role_user where login=?</module-option>
I have spent a few days on this and would appreciate any help. The
users.properties/roles.properties login works, but we need it to be
Thanks for any help,
The dsJndiName option must have the 'java:/' prefix. Could you try again with
<module-option name = "dsJndiName">java:/WalterDS</module-option>
Thanks, but it still does not work and I see no new error messages.
How exactly do you set up the error logging?
I thought I turned on the log4j debugging by changing log4j:configuration debug value at the top to true. But I do not get any additional info. Do I have to add a new appender or something?
and remove the threshold param from the (file) appender
Change the Threshold for the console to TRACE, restrict everything under "org" to INFO and enable TRACE for org.jboss.web and org.jboss.security.
<param name="Threshold" value="TRACE"/>
Thank you both, the errors are coming in now!
I am getting a wrong password error and I know (from the Oracle database) that it is correct. I tried the trim function to no avail.
1. Is there a way to print out the password in the select statement, so that it shows up in the debug messages?
2. Is it an encryption problem? I did not specify an encryption in my setup and I am trying to do simple testing with straight text for now!
1. Passwords are not logged for security reasons. To see what password is read from the database you could either get the sources and use a debugger or subclass the DatabaseServerLoginModule and overwrite
protected boolean validatePassword(String inputPassword, String expectedPassword)
and configure this class in login-config.xml
2. Unless you have a "hashAlgorithm" module-option set in your configuration, the DB login module assumes clear text passwords in the database, so it should not be an encryption issue.
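The subclassing approach from the reply above, as an added example that is not part of the original thread and not JBoss project code: this variant reports why the comparison failed (lengths, whitespace, case) instead of printing either password. The package name, class name and use of java.util.logging are assumptions made here; it compiles against the JBoss security classes that provide DatabaseServerLoginModule.

```java
package example.security; // hypothetical package, not from the thread

import java.util.logging.Logger;
import org.jboss.security.auth.spi.DatabaseServerLoginModule;

/**
 * Added example. Reports why a password check failed without logging
 * either value. To use it, put this class name in the code attribute of
 * the login-module element in login-config.xml and keep the existing
 * module-option entries (dsJndiName, principalsQuery, rolesQuery).
 */
public class DiagnosticDatabaseLoginModule extends DatabaseServerLoginModule {

    private static final Logger DIAG =
            Logger.getLogger(DiagnosticDatabaseLoginModule.class.getName());

    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        // Keep the stock comparison so behaviour is unchanged.
        boolean ok = super.validatePassword(inputPassword, expectedPassword);
        if (!ok) {
            DIAG.warning("Password check failed: "
                    + describe(inputPassword, expectedPassword));
        }
        return ok;
    }

    /** Describes the mismatch using lengths, whitespace and case facts only. */
    static String describe(String input, String expected) {
        if (input == null) {
            return "no password was submitted";
        }
        if (expected == null) {
            return "principalsQuery returned a NULL password";
        }
        StringBuilder sb = new StringBuilder();
        sb.append("submitted length=").append(input.length())
          .append(", stored length=").append(expected.length());
        if (input.trim().equals(expected.trim())) {
            // Typical of a fixed-width CHAR column padding the stored value.
            sb.append("; values differ only in leading/trailing whitespace");
        } else if (input.equalsIgnoreCase(expected)) {
            sb.append("; values differ only in letter case");
        } else {
            sb.append("; values differ in content");
        }
        return sb.toString();
    }
}
```

A large gap between the two lengths is also a hint that one side is hashed and the other is not, which is the case the "hashAlgorithm" option covers.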
Somehow today, after I restarted jboss, it seems to accept the password?
Now I am stuck with the following error during authentication:
12:48:38,140 INFO [Engine] Authenticator[/mqosa]: Security checking request POST /mqosa/jsp/j_security_check
12:48:38,140 INFO [Engine] Authenticator[/mqosa]: Checking for reauthenticate in session StandardSession[08B1D793134D433FFC8F190EBF857C04]
12:48:38,142 INFO [Engine] Authenticator[/mqosa]: Authenticating username 'alex'
12:48:38,279 ERROR [DatabaseServerLoginModule] SQL failure
java.sql.SQLException: ORA-01006: bind variable does not exist
Anyone have any ideas?
Not exactly sure, but it looks like it was related to the roles query after the password was authenticated. I changed it and it looks a little better.
Now I get:
13:07:14,382 DEBUG [MQOSA_DB3] Login failure
javax.security.auth.login.LoginException: No LoginModules configured for MQOSA_DB3
Which does not make sense to me because I thought that this whole time I have been trying to get the DatabaseServerLoginModule to work?
Looks like an XML typo in the login-config.xml
> 12:48:38,279 ERROR [DatabaseServerLoginModule] SQL failure java.sql.SQLException: ORA-01006: bind variable does not exist
Are you still using the same queries as in your first message?
Could you post the output of "desc mqosa_user" and "desc role_user" in SQL*Plus?
Side note: extending the validatePassword() method worked great (even though restarting jboss was probably the answer). Thanks.
I am still getting the bind exception above.
I think it is related to the roles query
"select name, 'Roles' from role where name=JBossAdmin"
When I try this query in SqlPlus, I get:
The formatting looks a little funny, but I have read that I have to have the Roles in there?
I think that this might be the problem?
I will try adding a separate field to the table which always has Roles in it. Other than that, I am stuck?
> "select name, 'Roles' from role where name=JBossAdmin"
Is this the configured query? In that case you would always get the name as role?
> I will try adding a separate field to the table which
> always has Roles in it. Other than that, I am
Instead of adding a column to the table you might also create a view to get the needed 'Roles' value:
create view roleview as select login, role, 'Roles' as rolegroup from role;
and then use
select role, rolegroup from roleview where login = ?
as your rolesQuery.
Thank you for your response!
Here is what I think I have learned from the experience:
1. It looks like you have to have the "where username=?" condition. I was trying to simplify and just get it running quickly with no roles setup.
2. Also, the [ ,'Roles' ] adds a column to the result but the title seems to get altered. The title becomes [ 'Roles ] , with a quote on the start. Changing it to [ , 'Roles' as RoleGroup ] explicitly gives it a valid title.