14 Replies Latest reply on Jul 8, 2003 2:58 PM by worthe

    DatabaseLogin help

    worthe Newbie

      We purchased the JBOSS documentation recently and I am still having some
      authentication trouble. I think I am missing something simple. I have the spi.UsersRolesLoginModule working, but can not get the DatabaseServerLoginModule to work.

      Specifically, the login seems to do something when I access the intro
      jsp page, but I can not login and I am not sure if it connects or what. I thought I turned on the log4j debugging by changing log4j:configuration debug value to true. But I do not get any additional info. Do I have to add a new appender or something? Here is all the info I get on the login attempt :

      12:20:35,374 INFO [MainDeployer] Deployed package:
      file:/opt/jboss-3.2.1_tomcat-4.1.24/server/default/deploy/mqosa.ear
      12:22:33,012 INFO [JaasSecurityManagerService] Created
      securityMgr=org.jboss.security.plugins.JaasSecurityManager@198a654
      12:22:33,069 INFO [JaasSecurityManagerService] setCachePolicy,
      c=org.jboss.util.TimedCachePolicy@1140db
      12:22:33,114 INFO [JaasSecurityManagerService] Added MQOSA_DB,
      org.jboss.security.plugins.SecurityDomainContext@b91602 to map

      I am able to change database contents elsewhere using some CMP beans, so
      I don't think the connection is a problem. However, I always go to the
      failed login page. Is there a way to debug this, or can you think what
      I am doing wrong?

      I have configured the jboss.xml as follows :
      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>JBoss JMX Console</realm-name>
      <form-login-config>
      <form-login-page>/jsp/login.jsp</form-login-page>
      <form-error-page>/jsp/authenticationError.jsp</form-error-page>
      </form-login-config>
      </login-config>

      <security-role>
      <role-name>JBossAdmin</role-name>
      </security-role>

      and the jboss-web.xml as follows:
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
      <security-domain>java:/jaas/MQOSA_DB</security-domain>
      </jboss-web>

      and the server/deploy/conf/login_config.xml as follows:
      <application-policy name = "MQOSA_DB">

      <login-module
      code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag = "required" >
      <module-option name = "dsJndiName">WalterDS</module-option>
      <module-option name = "principalsQuery">select password from
      mqosa_user where login=?</module-option>
      <module-option name = "rolesQuery">select role, 'Roles' from
      role_user where login=?</module-option>
      </login-module>

      </application-policy>

      I have spent a few days on this and would appreciate any help. The
      users.properties/roles.properties login works, but we need it to be
      dynamic.



      Thanks for any help,

      Peter Worthing

        • 1. Re: DatabaseLogin help
          Harald Gliebe Novice

          Hi Peter,

          the dsJndiName option must have the 'java:/' prefix. Could you try again with

          <module-option name = "dsJndiName">java:/WalterDS</module-option>

          Regards,
          Harald

          • 2. Re: DatabaseLogin help
            worthe Newbie

            Thanks, but it still does not work and I see no new error messages.
            How exactly do you set up the error logging?

            I thought I turned on the log4j debugging by changing log4j:configuration debug value at the top to true. But I do not get any additional info. Do I have to add a new appender or something?

            Peter

            • 3. Re: DatabaseLogin help
              Peter Doornbosch Apprentice





              and remove the threshold param from the (file) appender

              Hth
              Peter

              • 4. Re: DatabaseLogin help
                Harald Gliebe Novice

                Change the Threshold for the console to TRACE, restrict everything under "org" to INFO and enable TRACE for org.jboss.web and org.jboss.security.



                <param name="Threshold" value="TRACE"/>
                ...















                Regards
                Harald

                • 5. Re: DatabaseLogin help
                  worthe Newbie

                  thank you both, the errors are coming in now!

                  • 6. Re: DatabaseLogin help
                    worthe Newbie

                    I am getting a wrong password error and I know (from the Oracle database) that it is correct. I tried the trim function to no avail.

                    1. Is there a way to print out the password in the select statement, so that it shows up in the debug messages?
                    or
                    2. Is it an encryption problem? I did not specify an encryption in my setup and I am trying to do simple testing with straight text for now!

                    Peter

                    • 7. Re: DatabaseLogin help
                      Harald Gliebe Novice

                      Hi Peter,

                      1. Passwords are not logged for security reasons. To see what password is read from the database you could either get the sources and use a debugger or subclass the DatabaseServerLoginModule and overwrite
                      protected boolean validatePassword(String inputPassword, String expectedPassword)
                      and configure this class in login-config.xml

                      2. Unless you have a "hashAlgorithm" module-option set in your configuration, the DB login module assumes clear text passwords in the database, so it should not be an encryption issue.

                      Harald

                      • 8. Re: DatabaseLogin help - bind variable does not exist
                        worthe Newbie


                        somehow today after I restarted jboss, it seems to accept the password?
                        now I am stuck with the following error during authentication :

                        12:48:38,140 INFO [Engine] Authenticator[/mqosa]: Security checking request POST /mqosa/jsp/j_security_check
                        12:48:38,140 INFO [Engine] Authenticator[/mqosa]: Checking for reauthenticate in session StandardSession[08B1D793134D433FFC8F190EBF857C04]
                        12:48:38,142 INFO [Engine] Authenticator[/mqosa]: Authenticating username 'alex'
                        12:48:38,279 ERROR [DatabaseServerLoginModule] SQL failure
                        java.sql.SQLException: ORA-01006: bind variable does not exist

                        at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:134)
                        at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:289)
                        at oracle.jdbc.ttc7.Oall7.receive(Oall7.java:573)
                        at oracle.jdbc.ttc7.TTC7Protocol.doOall7(TTC7Protocol.java:1891)

                        Anyone have any ideas?


                        Pete

                        • 9. Re: DatabaseLogin help
                          worthe Newbie

                          not exactly sure, but it looks like it was related to the roles query after the password was authenticated. I changed it and it looks a little better.
                          Now I get :

                          13:07:14,382 DEBUG [MQOSA_DB3] Login failure
                          javax.security.auth.login.LoginException: No LoginModules configured for MQOSA_DB3
                          at javax.security.auth.login.LoginContext.init(LoginContext.java:189)


                          Which does not make sense to me because I thought that this whole time I have been trying to get the DatabaseServerLoginModule to work?

                          Peter

                          • 10. Re: DatabaseLogin help
                            worthe Newbie

                            looks like an xml typo in the login-config.xml

                            • 11. Re: DatabaseLogin help - bind variable does not exist
                              Harald Gliebe Novice

                              > 12:48:38,279 ERROR [DatabaseServerLoginModule] SQL failure java.sql.SQLException: ORA-01006: bind variable does not exist

                              Are you still using the same queries as in your first message?
                              Could you post the output of "desc mqosa_user" and "desc role_user" in SQL*Plus?

                              Harald

                              • 12. Re: DatabaseLogin help
                                worthe Newbie

                                side note: extending the validatePassword() method worked great (even though restarting jboss was probably the answer).. Thanks.

                                I am still getting the bind exception above.
                                I think it is related to the roles query
                                "select name, 'Roles' from role where name=JBossAdmin"

                                When I try this query in SqlPlus, I get :
                                NAME
                                --------------------------------------------------------------------------------'ROLE
                                -----
                                JBossAdmin
                                Roles

                                The formatting looks a little funny, but I have read that I have to have the Roles in there?
                                I think that this might be the problem?
                                I will try adding a separate field to the table which always has Roles in it. Other than that, I am stuck?

                                • 13. Re: DatabaseLogin help
                                  Harald Gliebe Novice

                                  > "select name, 'Roles' from role where name=JBossAdmin"
                                  >

                                  Is this the configured query? In that case you would always get the name as role?

                                  > I will try adding a separate field to the table which
                                  > always has Roles in it. Other than that, I am
                                  > stuck?
                                  >

                                  Instead of adding a column to the table you might also create a view to get the needed 'Roles' value:

                                  create view roleview as select login, role, 'Roles' as rolegroup from role;

                                  and then use

                                  select role, rolegroup from roleview where login = ?

                                  as your rolesQuery.

                                  Regards,
                                  Harald

                                  • 14. Re: DatabaseLogin help
                                    worthe Newbie

                                    Thank you for your response!
                                    Here is what I think I have learned from the experience :

                                    1. It looks like you have to have the "where username=?" condition. I was trying to simplify and just get it running quickly with no roles setup.

                                    2. Also, the [ ,'Roles' ] adds a column to the result but the title seems to get altered. The title becomes [ 'Roles ] , with a quote on the start. Changing it to [ , 'Roles' as RoleGroup ] explicitly gives it a valid title.
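
The failure modes this thread worked through (a dsJndiName without the 'java:/' prefix, a rolesQuery with no '?' to bind, and a security domain with no matching policy) can be checked statically before deployment. The sketch below is an added example, not code from the thread or from JBoss; `lint_policy`, `count_placeholders` and `SAMPLE` are hypothetical names, and `domain` is assumed to be the name that follows `java:/jaas/` in jboss-web.xml.

```python
import xml.etree.ElementTree as ET

DB_MODULE = "org.jboss.security.auth.spi.DatabaseServerLoginModule"

# Constructed sample: the first post's policy with the rolesQuery quoted in reply 12.
SAMPLE = f"""<policy><application-policy name="MQOSA_DB"><authentication>
  <login-module code="{DB_MODULE}" flag="required">
    <module-option name="dsJndiName">WalterDS</module-option>
    <module-option name="principalsQuery">select password from
      mqosa_user where login=?</module-option>
    <module-option name="rolesQuery">select name, 'Roles' from role
      where name=JBossAdmin</module-option>
  </login-module>
</authentication></application-policy></policy>"""

def count_placeholders(sql):
    """Count '?' bind markers, skipping any inside single-quoted SQL literals."""
    count, in_literal = 0, False
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal
        elif ch == "?" and not in_literal:
            count += 1
    return count

def lint_policy(login_config_xml, domain):
    """Return findings for the application-policy that `domain` resolves to."""
    root = ET.fromstring(login_config_xml)
    policy = next((p for p in root.iter("application-policy")
                   if p.get("name") == domain), None)
    if policy is None:
        return [f"no application-policy named {domain!r}"]
    findings = []
    for module in policy.iter("login-module"):
        if module.get("code") != DB_MODULE:
            continue
        opts = {o.get("name"): " ".join((o.text or "").split())
                for o in module.findall("module-option")}
        # Absent options fall back to the module's defaults, so only lint what is set.
        if "dsJndiName" in opts and not opts["dsJndiName"].startswith("java:/"):
            findings.append("dsJndiName lacks the 'java:/' prefix")
        for key in ("principalsQuery", "rolesQuery"):
            # The module binds the username as parameter 1 of each query.
            if key in opts and count_placeholders(opts[key]) != 1:
                findings.append(f"{key} needs exactly one '?' bind placeholder")
    return findings

if __name__ == "__main__":
    print(lint_policy(SAMPLE, "MQOSA_DB"))
```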