7 Replies Latest reply on Oct 22, 2003 6:32 PM by James Kuhn

    Incorrect credentials after successful Authentication

    James Kuhn Newbie

      I'm seeing some odd behaviour upon successful logins.
      It seems that no matter how many times I log in and then
      log out, the credentials of the user that has been authenticated
      will always match those of the first user that logged in after
      JBoss had been restarted.

      I have implemented a typical login/JAAS strategy, where I allow
      the user to enter username and password in a login form, authenticate
      them, and then put their username and password onto the session.
      This username and password is then re-logged in prior to the execution
      of all servlets by using a filter.

      Everything is working fine (from a functional perspective). However,
      I've noticed that my debug output is reporting that the credentials of
      the user who is currently logged in are always the same as the credentials
      of the user that first logged into the application. This is illustrated in
      the following code snippet. You'll notice that I'm printing the username
      and password, and then I'm logging in, and then I'm printing the principals:

      try {
          // Credentials were stored on the session by the login form.
          session = httpRequest.getSession();
          username = (String) session.getAttribute(ADMIN_USER);
          password = (String) session.getAttribute(ADMIN_PWD);
          synchronized (callbackHandler) {
              System.out.println("username='" + username + "'");
              System.out.println("password='" + password + "'");
              callbackHandler.setUsername(username);
              callbackHandler.setPassword(password);
              loginCtx.login();
              System.out.println("JaasServices: user authenticated.");
              it = loginCtx.getSubject().getPrincipals().iterator();
              while (it.hasNext()) { // display user info in server output.
                  o = it.next();
                  System.out.println("principal: " + o.getClass().getName() + " " + o);
              }
          }
          chain.doFilter(request, response);
      } catch (LoginException le) {
          System.out.println("JaasServices: user not authenticated." + le);
      } finally {
          // Always log out once the request has been handled.
          try {
              loginCtx.logout();
              System.out.println("JaasServices: logout.");
          } catch (LoginException le) {
              System.out.println("JaasServices.logout(): logout failed: " + le);
          }
      }

      I have two users in my JAAS tables. One is called "admin", and the
      other is 'jkuhn'. Each of these has entries in the roles table, and has
      permissions that will allow access to all of the beans in the application.
      When I start up the application, and then attempt to login as "admin",
      I get the following output for every servlet that is executed:

      username='admin'
      password='admin'
      JaasServices: user authenticated
      principal: org.jboss.security.NestableGroup Roles(members:Admin)
      principal: org.jboss.security.SimplePrincipal admin


      And I will continue to see this output for the duration of the session.

      Now, when I log out, close the browser, and then try to log in as 'jkuhn',
      I see the odd behaviour. My server output now begins to look like this:

      username='jkuhn'
      password='jkuhn'
      JaasServices: user authenticated
      principal: org.jboss.security.NestableGroup Roles(members:Admin)
      principal: org.jboss.security.SimplePrincipal admin


      Notice that the output is reporting that the user has been authenticated,
      yet the principals being reported immediately after authentication
      do not match those of the username and password that were logged in.

      Has anyone got any ideas on why this could be happening?
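
An added example, not code from any poster in this thread: a per-request login helper that shares no handler, Subject or LoginContext between requests and refuses to continue when the authenticated Subject does not carry the name that was presented, which is the mismatch shown in the output above. It does not establish the cause of that mismatch; the domain name `example-domain`, the class and method names, and the assumption that the login module adds a principal named after the login name are all hypothetical.

```java
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public final class PerRequestLogin {
    // Placeholder security-domain name; substitute the application's own.
    static final String DOMAIN = "example-domain";

    /** New handler, Subject and LoginContext on every call; nothing is shared. */
    static LoginContext login(String user, char[] pwd) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pwd);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext ctx = new LoginContext(DOMAIN, new Subject(), handler);
        ctx.login();
        if (!hasPrincipalNamed(ctx.getSubject(), user)) {
            ctx.logout(); // fail closed: do not run the request as someone else
            throw new FailedLoginException("subject lacks principal '" + user + "'");
        }
        return ctx; // caller must call logout() in a finally block
    }

    /** Assumes the login module adds a principal whose name is the login name. */
    static boolean hasPrincipalNamed(Subject subject, String user) {
        for (Principal p : subject.getPrincipals()) {
            if (p.getName().equals(user)) return true;
        }
        return false;
    }

    // Constructed principal for the demonstration in main().
    static Principal named(String n) { return () -> n; }

    public static void main(String[] args) {
        // Constructed Subject mirroring the principals printed in the post.
        Subject s = new Subject();
        s.getPrincipals().add(named("Roles"));
        s.getPrincipals().add(named("admin"));
        System.out.println("admin matches: " + hasPrincipalNamed(s, "admin"));
        System.out.println("jkuhn matches: " + hasPrincipalNamed(s, "jkuhn"));
    }
}
```

A filter would call `login(...)` before `chain.doFilter(...)` and call `logout()` on the returned context in its `finally` block.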

        • 1. Re: Incorrect credentials after successful Authentication
          Wouter Beheydt Newbie

          James,

          I have a similar problem (still using JBoss 3.0.x).

          Two different users working at different locations. Second user gets "Insufficient method permissions" exception although he's supposed to have the correct permissions. Log and error msg for second user says principal = id of first user.

          As long as first user was working, problem kept occurring. Later on, second user had no problem.

          From time to time I also have a principal = null although user is logged on. New trial sometimes solves the problem.

          Do you think this is a JBoss or a Tomcat (Session?) problem? I have no idea where to start.

          Wouter

          • 2. Re: Incorrect credentials after successful Authentication
            James Kuhn Newbie

            I'm using Jetty with JBoss 3.2.1.

            I haven't figured this one out yet. I'm hoping that one of my JBoss descriptors is
            inadvertently set to "Evil". I just need to figure out which one.

            Seriously though, I can't believe we are the only people experiencing this problem.
            Please let me know if you come across a solution.

            • 3. Re: Incorrect credentials after successful Authentication
              James Kuhn Newbie

              Actually, Wouter, I have one idea that you can investigate.

              I've noticed that when I use Netscape I get slightly different behavior.
              This leads me to believe that our problem has something to do with
              cookies, or something like that. When I say "different behavior", I mean that
              only the last servlet in the chain is being run with the incorrect credentials.
              The first couple servlets in the chain do indeed report the correct credentials.
              It's a small difference, but if it serves as a clue for you to run with... good luck.

              Please let me know if you have any progress. Thanks.

              • 4. Re: Incorrect credentials after successful Authentication
                Wouter Beheydt Newbie

                James,

                In another thread (http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t= I stumbled onto this comment from petertje.

                "Please note JKuhn that this can lead to surprising effects in your web application, because most servlet containers use thread-pooling ;-). So the next request might behave as not logged in, whereas requests that you are supposing are not logged in, seem to do...."

                If he's correct, that would explain the behaviour we're facing. But I can't imagine this kind of random behaviour being built into a servlet container. I suppose there must be a configuration possible where that doesn't occur. Let you know if I find more ...

                Wouter

                • 5. Re: Incorrect credentials after successful Authentication
                  James Kuhn Newbie

                  Yes, I'm aware of the request-thread issue. The fix for that problem is to set
                  up filters that pick the username and password off of the session, login before
                  every servlet request, and then log out after the servlet has completed.

                  The problem that I am experiencing is not a thread issue. All of my debug
                  output occurs on the same thread, yet it clearly shows that a login has occurred
                  and the credentials are not matching the usernames that are being logged in.

                  Thanks for the suggestion though. Let me know if you're having any problems
                  with the thread-request issue.





                  • 6. Re: Incorrect credentials after successful Authentication
                    ebdr Newbie

                    Hi,

                    I am having the same problem. Filters seem to have fixed the problem for authenticated users, but I have an unauthenticatedIdentity = guest for my LoginModule for which this problem is still not fixed. So my only choice is to create a guest/guest user with role guest and have my filter do the login for all unauthenticated users....

                    Any comments?

                    -Eric

                    • 7. Re: Incorrect credentials after successful Authentication
                      James Kuhn Newbie

                      I'm not saying this is the right way to do it, but here is what I do:

                      I too have a "guest" user, but I require him to authenticate just like my
                      real application users. I put his username and password onto the session
                      for the filter to login just like real users. The difference is that I only give
                      him "Guest" privileges, as opposed to full access. This way, the "guest" can't really
                      do anything except bring up the login page where real users enter their
                      username and password. After the real users have logged in, I replace the
                      guest's username and password on the session.

                      This is where my problems begin. It turns out that when my filter does a login
                      it is assigning the guest's credentials to the newly logged in user. Even though,
                      presumably, JBoss should have already forgotten about the guest login.
                      I mean, the guest has been explicitly logged out, and his username and password
                      removed from the session variables. But his credentials are passed to the
                      new user when they log in.

                      Perhaps I should be using the guest as an unauthenticated user
                      (as you are doing). I'm not sure it'll fix my incorrect-credentials issue, because
                      I have the exact same problem in my admin pages (a second part of the application).
                      And in my admin pages, there are no guest privileges. An authenticated
                      user is an authenticated user is an authenticated user. And, I'm seeing the
                      same incorrect-credentials problem there. Actually, my initial post in this thread is
                      based on the problems in my admin pages.

                      However, if changing my guest in the application pages to be an unauthenticated
                      user can fix that part of my code, then great. At this point I'm willing to try anything.

                      Thanks.