2 Replies Latest reply on Aug 20, 2003 2:55 PM by Andreas Buschka

    Cactus Testcases & JAAS Security

    Andreas Buschka Newbie

      I have developed some EJBs that are slightly secured (at the moment, they accept any authenticated user). I also have some Apache Cactus testcases, which get copied as servlets into the web application.

      My jboss/client/auth.conf looks like this:
      some-config {
      org.jboss.security.auth.spi.IdentityLoginModule required
      principal=cactus
      roles=Adressat,EreignisquellenAdministrator,SystemAdministrator;

      org.jboss.security.ClientLoginModule required
      password-stacking="useFirstPass"
      ;
      };

      InformMeDomain {
      org.jboss.security.ClientLoginModule required;
      };

      other {
      // Example client auth.conf for using the SRPLoginModule
      // org.jboss.srp.jaas.SRPLoginModule required
      // password-stacking="useFirstPass"
      // principalClassName="org.jboss.security.SimplePrincipal"
      // srpServerJndiName="SRPServerInterface"
      // debug=true
      // ;
      // org.jboss.security.auth.spi.UsersRolesLoginModule required;

      // jBoss LoginModule
      org.jboss.security.ClientLoginModule required;
      // password-stacking="useFirstPass";
      // Put your login modules that need jBoss here
      };

      The EJBs are secured in ejb-jar.xml like this:
      ...
      <method-permission>



      <ejb-name>LokalerAdressat</ejb-name>
      <method-name>*</method-name>

      </method-permission>
      ...

      The security domain is set in jboss.xml:

      <security-domain>java:/jaas/InformMeDomain</security-domain>
      <enterprise-beans>
      ...

      <ejb-name>LokalerAdressat</ejb-name>
      <jndi-name>LokalerAdressatRemote</jndi-name>
      <local-jndi-name>LokalerAdressat</local-jndi-name>
      <ejb-local-ref>
      <ejb-ref-name>ejb/SequenzLocalHome</ejb-ref-name>
      <local-jndi-name>SequenzLocal</local-jndi-name>
      </ejb-local-ref>

      ...

      My jboss/server/default/conf/login-conf.xml looks like this:
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN" "http://www.jboss.org/j2ee/dtd/security_config.dtd">

      ...
      <application-policy name="client-login">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      </login-module>

      </application-policy>
      ...
      <application-policy name="InformMeDomain">
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
      </application-policy>
      ...


      In the same directory, I have set up users.properties and roles.properties.

      In the testcase, I try to set up the connection like this:

      public void setUp() throws Exception {
          super.setUp();

          // Log in via JAAS
          CallbackHandler handler = new MyHandler();
          lc = new LoginContext("other", handler);
          Subject subject;
          try {
              // EXCEPTION GETS THROWN HERE:
              lc.login();
              subject = lc.getSubject();
              log("authentication succeeded");
              Iterator it = lc.getSubject().getPrincipals().iterator();
              while (it.hasNext()) {
                  Object o = it.next();
                  System.out.println("principle: " + o.getClass().getName() + " " + o);
              }
          } catch (LoginException e) {
              log("authentication failed");
              e.printStackTrace();
          }
          // DEBUG
          InitialContext context = new InitialContext();
          // Who are we?

          Object ref = context.lookup("LokalerAdressatRemote");
          // Narrow to the home interface
          lokalerAdressatRemoteHome = (LokalerAdressatRemoteHome) PortableRemoteObject.narrow(ref, LokalerAdressatRemoteHome.class);
          LokalerAdressatRemote lokalerAdressatRemote;
          lokalerAdressatRemote = lokalerAdressatRemoteHome.create("vorname", "nachname", "passwort");
      }

      In the lc.login() line, the following exception occurs:

      00:03:01,317 INFO [STDOUT] -- authentication failed
      00:03:01,317 ERROR [STDERR] javax.security.auth.login.LoginException: Anmeldefehler: Alle Module werden ignoriert
      00:03:01,317 ERROR [STDERR] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:779)
      00:03:01,317 ERROR [STDERR] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
      00:03:01,317 ERROR [STDERR] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
      00:03:01,317 ERROR [STDERR] at java.security.AccessController.doPrivileged(Native Method)
      00:03:01,327 ERROR [STDERR] at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
      00:03:01,337 ERROR [STDERR] at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
      00:03:01,337 ERROR [STDERR] at de.fernunihagen.informme.tests.cactus.TestLokalerAdressatTestClientCactus1.setUp(TestLokalerAdressatTestClientCactus1.java:92)

      "Anmeldefehler: Alle Module werden ignoriert" seems to be a localized error message from the JDK and means "Login error: All modules were ignored".

      What am I doing wrong?

      Greetings,
      Andreas Buschka

        • 1. Re: Cactus Testcases & JAAS Security
          Andreas Buschka Newbie

          I found out that if I make an application policy for "other" in the login-conf.xml, authentication works, but I get an authentication error (bad password for username=null) on the first EJB call. So there might be something wrong with the realm, I guess?

          • 2. Re: Cactus Testcases & JAAS Security
            Andreas Buschka Newbie

            I have solved the problem. auth.conf is completely without use when it comes to authentication servlet -> EJB container. Instead, you have to use the entries in login-conf.xml in the server conf directory for both (!) servlet (client) and EJB container (server). So, after all, the important sections from my login-conf.xml are:

            <!-- This is used in the client like this: new LoginContext("client-login", MyHandler). The client does not need to know anything about the server policy! -->
            <application-policy name="client-login">

            <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>

            </application-policy>

            <!-- The server policy goes like this (simple test for my application domain, referred to in jboss.xml!) -->
            <application-policy name="InformMeDomain">

            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />

            </application-policy>
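
The client side of the setup described in the last reply, as an added example that is not part of the original thread: a login against the "client-login" policy with a callback handler, plus a logout for tearDown(). The class names ClientLogin and FixedCredentialsHandler are hypothetical (the thread never shows MyHandler); unlike the setUp() above, a LoginException is allowed to propagate so the test does not go on to call the EJB without an identity.

```java
import java.util.Arrays;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical helper for a Cactus test case; not code from the thread. */
public class ClientLogin {

    /** Answers the name and password callbacks raised during login(). */
    static final class FixedCredentialsHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        FixedCredentialsHandler(String user, char[] password) {
            this.user = user;
            this.password = password.clone();
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    // PasswordCallback stores its own copy of the array
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }

        void wipe() { Arrays.fill(password, '\0'); }
    }

    /** Call from setUp(). "client-login" is the policy name from login-conf.xml. */
    public static LoginContext login(String user, char[] password) throws LoginException {
        FixedCredentialsHandler handler = new FixedCredentialsHandler(user, password);
        try {
            LoginContext lc = new LoginContext("client-login", handler);
            // ClientLoginModule only attaches the credentials to later calls;
            // the InformMeDomain policy verifies them on the first EJB call.
            lc.login();
            return lc;
        } finally {
            handler.wipe(); // do not keep the test password in memory
        }
    }

    /** Call from tearDown() so the identity does not stay on a pooled container thread. */
    public static void logout(LoginContext lc) throws LoginException {
        if (lc != null) lc.logout();
    }
}
```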