2 Replies Latest reply on Aug 20, 2003 2:55 PM by Andreas Buschka

    Cactus Testcases & JAAS Security

    Andreas Buschka Newbie

      I have developed some EJBs that are slightly secured (at the moment, they accept any authenticated user). I also have some Apache Cactus testcases, which get copied as servlets into the web application.

      My jboss/client/auth.conf looks like this:

      some-config {
          org.jboss.security.auth.spi.IdentityLoginModule required;
          org.jboss.security.ClientLoginModule required;
      };

      InformMeDomain {
          org.jboss.security.ClientLoginModule required;
      };

      other {
          // Example client auth.conf for using the SRPLoginModule
          // org.jboss.srp.jaas.SRPLoginModule required
          //   password-stacking="useFirstPass"
          //   principalClassName="org.jboss.security.SimplePrincipal"
          //   srpServerJndiName="SRPServerInterface"
          //   debug=true
          //   ;
          // org.jboss.security.auth.spi.UsersRolesLoginModule required;

          // jBoss LoginModule
          org.jboss.security.ClientLoginModule required;
          //   password-stacking="useFirstPass";
          // Put your login modules that need jBoss here
      };

      The EJBs are secured in ejb-jar.xml like this:



      The security domain is set in jboss.xml:




      My jboss/server/default/conf/login-conf.xml looks like this:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN" "http://www.jboss.org/j2ee/dtd/security_config.dtd">

      <policy>
          <application-policy name="client-login">
              <authentication>
                  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
                  <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
              </authentication>
          </application-policy>

          <application-policy name="InformMeDomain">
              <authentication>
                  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
              </authentication>
          </application-policy>
      </policy>

      In the same directory, I have set up users.properties and roles.properties.

      In the testcase, I try to set up the connection like this:

      // imports this method needs (the rest of the test class is omitted)
      import java.util.Iterator;
      import javax.naming.InitialContext;
      import javax.rmi.PortableRemoteObject;
      import javax.security.auth.Subject;
      import javax.security.auth.callback.CallbackHandler;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;

      public void setUp() throws Exception {
          try {
              // Log in to JAAS (lc is a LoginContext field of the test class)
              CallbackHandler handler = new MyHandler();
              lc = new LoginContext("other", handler);
              lc.login();
              Subject subject = lc.getSubject();
              log("authentication succeeded");
              Iterator it = subject.getPrincipals().iterator();
              while (it.hasNext()) {
                  Object o = it.next();
                  System.out.println("principal: " + o.getClass().getName() + " " + o);
              }
          } catch (LoginException e) {
              log("authentication failed");
              // DEBUG
          }

          InitialContext context = new InitialContext();
          // Who are we?

          Object ref = context.lookup("LokalerAdressatRemote");
          // Narrow the reference to the home interface
          lokalerAdressatRemoteHome = (LokalerAdressatRemoteHome) PortableRemoteObject.narrow(ref, LokalerAdressatRemoteHome.class);
          LokalerAdressatRemote lokalerAdressatRemote;
          lokalerAdressatRemote = lokalerAdressatRemoteHome.create("vorname", "nachname", "passwort");
      }

      In the lc.login() line, the following exception occurs:

      00:03:01,317 INFO [STDOUT] -- authentication failed
      00:03:01,317 ERROR [STDERR] javax.security.auth.login.LoginException: Anmeldefehler: Alle Module werden ignoriert
      00:03:01,317 ERROR [STDERR] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:779)
      00:03:01,317 ERROR [STDERR] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
      00:03:01,317 ERROR [STDERR] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
      00:03:01,317 ERROR [STDERR] at java.security.AccessController.doPrivileged(Native Method)
      00:03:01,327 ERROR [STDERR] at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
      00:03:01,337 ERROR [STDERR] at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
      00:03:01,337 ERROR [STDERR] at de.fernunihagen.informme.tests.cactus.TestLokalerAdressatTestClientCactus1.setUp(TestLokalerAdressatTestClientCactus1.java:92)

      "Anmeldefehler: Alle Module werden ignoriert" seems to be a localized error message from the JDK and means "Login error: All modules were ignored".

      What am I doing wrong?

      Andreas Buschka

        • 1. Re: Cactus Testcases & JAAS Security
          Andreas Buschka Newbie

          I found out that if I make an application policy for "other" in the login.conf.xml, authentication works, but I get an authentication error (bad password for username=null) on the first EJB call. So there might be something wrong with the realm I guess?

          • 2. Re: Cactus Testcases & JAAS Security
            Andreas Buschka Newbie

            I have solved the problem. auth.conf is completely without use when it comes to authentication from servlet -> EJB container. Instead, you have to use the entries in login-conf.xml in the server conf directory for both (!) servlet (client) and EJB container (server). So, after all, the important sections from my login-conf.xml are:

            <!-- This is used in the client like this: new LoginConfig("client-login", MyHandler). The client does not need to know anything about the server policy! -->
            <application-policy name="client-login">
                <authentication>
                    <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
                </authentication>
            </application-policy>

            <!-- The server policy goes like this (simple test for my application domain, referred in jboss.xml!) -->
            <application-policy name="InformMeDomain">
                <authentication>
                    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
                </authentication>
            </application-policy>
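As an added example (not code from this thread), the client half of the solution above: a CallbackHandler standing in for the MyHandler that was never shown, and a login/call/logout wrapper around the EJB calls. ClientLogin, CredentialsHandler and runAsUser are names chosen here; the user and password are assumed to match an entry in the server's users.properties.

```java
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Client-side login against the "client-login" policy from the reply above.
// ClientLoginModule verifies nothing: it only associates principal and credential
// with the calling thread so they travel with each EJB invocation. The server's
// security domain (InformMeDomain, UsersRolesLoginModule) checks them against
// users.properties / roles.properties on every call.
public class ClientLogin {
    // Answers the name/password callbacks that ClientLoginModule issues.
    static final class CredentialsHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        CredentialsHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected callback");
                }
            }
        }
    }
    // Associates the identity, runs the EJB calls, and always clears it again.
    static void runAsUser(String user, char[] password, Runnable ejbCalls) throws LoginException {
        // Inside the server, "client-login" must be a policy in login-config.xml; as the reply found, auth.conf is not consulted.
        LoginContext lc = new LoginContext("client-login", new CredentialsHandler(user, password));
        lc.login();          // succeeds locally even with a wrong password
        try {
            ejbCalls.run();  // the EJB container rejects the call if the server domain disagrees
        } finally {
            lc.logout();     // clears the thread's associated identity
            Arrays.fill(password, '\0');
        }
    }
}
```

Because the local login never fails, a wrong password only surfaces as a security exception on the first EJB call, which is the behaviour reply 1 describes.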