5 Replies Latest reply on Nov 6, 2003 12:19 AM by Binoy Shah

    Migration Woes: Jboss 3.2.1 to 3.2.2, BASIC Auth not working

    Binoy Shah Newbie

      Migration Problem

      Hello,

      I am working on JBoss 3.2.1 and using Jetty as web-container

      We have our application secured by BASIC auth-method and on accessing
      the servlet on JBoss 3.2.1 + Jetty every thing is working perfectly fine, ie Basic Authentication
      takes place as the browser prompts for the authentication dialogue box.

      But while trying to migrate to JBoss 3.2.2 which comes integrated by default with Tomcat 4.1x,
      the deployment is successful and the main context displays the welcome login page
      But when i try to use the application which needs Authentication , the browser doesnt ask
      for credentials , Browser DOES NOT prompt me with
      the username/password dialogue box, and the EJB Container reports the authentication failure.

      server.log
      ******************************************************************************
      2003-10-28 14:13:13,838 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[Doctor, SuperUser, Receptionist, Technician, KennelOperator, Groomer, Accountant], principalRoles=[]
      2003-10-28 14:13:13,838 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[Doctor, SuperUser, Receptionist, Technician, KennelOperator, Groomer, Accountant], principalRoles=[]
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:229)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:81)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
      ...
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      ...
      at SYS.UserInterface.SecureLoginUIServlet.doGet(SecureLoginUIServlet.java:119)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
      ...
      at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:220)
      at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
      ...
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
      at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
      ...
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
      at java.lang.Thread.run(Thread.java:534)
      2003-10-28 14:13:13,854 INFO [STDOUT] RemoteException : java.rmi.ServerException: EJBException:; nested exception is:
      javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
      Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[Doctor, SuperUser, Receptionist, Technician, KennelOperator, Groomer, Accountant], principalRoles=[]
      2003-10-28 14:13:13,870 ERROR [org.jboss.web.localhost.Engine] StandardWrapperValve[SecureLoginUIServlet]: Servlet.service() for servlet SecureLoginUIServlet threw exception
      java.lang.NullPointerException
      at SYS.UserInterface.SecureLoginUIServlet.doGet(SecureLoginUIServlet.java:149)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
      ...
      at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:565)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)

      ******************************************************************************

      web.xml
      ******************************************************************************
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>servlet</web-resource-name>
      Declarative security tests
      <url-pattern>/PracticeVeterinary/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      Any user with a valid login
      <role-name>ValidUser</role-name>
      </auth-constraint>
      <user-data-constraint>
      no description
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>example2</realm-name>
      </login-config>
      <security-role>
      A user allowed to invoke echo methods
      <role-name>Echo</role-name>
      </security-role>
      ******************************************************************************

      jboss-web.xml
      ******************************************************************************
      <jboss-web>
      <security-domain>java:/jaas/example2</security-domain>
      ....
      </jboss-web>
      ******************************************************************************

      login-conf.xml
      ******************************************************************************
      <application-policy name = "example2">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
      <module-option name = "dsJndiName">java:/sscdb</module-option>
      <module-option name = "principalsQuery">select Password from Principals where PrincipalID=?</module-option>
      <module-option name = "rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
      </login-module>

      </application-policy>
      ******************************************************************************

      ejb-jar.xml
      ******************************************************************************
      ...

      SYS.SecureLoginBean
      <display-name>SecureLoginBean</display-name>
      <ejb-name>SecureLoginBean</ejb-name>
      SYS.ProblemDomain.SecureLoginHome
      SYS.ProblemDomain.SecureLogin
      <ejb-class>SYS.ProblemDomain.SecureLoginBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <resource-ref>
      <res-ref-name>jdbc/sscdb</res-ref-name>
      <res-type>javax.sql.DataSource</res-type>
      <res-auth>Container</res-auth>
      </resource-ref>

      <assembly-descriptor>
      <security-role>
      <role-name>SuperUser</role-name>
      </security-role>
      <security-role>
      <role-name>ValidUser</role-name>
      </security-role>
      </assembly-descriptor>
      ...
      ******************************************************************************

      Why does the above application work with Jboss 3.2.1 + Jetty and DOesnt work with
      JBoss 3.2.2 + Tomcat.

      It fails to produce an authentication dialog box (BASIC) auth when it is run on Jboss+Tomcat version


      Any views ..?

      Swatkat

        • 1. Re: Migration Woes: Jboss 3.2.1 to 3.2.2, BASIC Auth not wor
          Juha Lindfors Master

          In your web.xml I can see you've declared a security role "Echo" but nothing for "ValidUser" which is the authorization you require in auth-constraint section.

          -- Juha

          • 2. Re: Migration Woes: Jboss 3.2.1 to 3.2.2, BASIC Auth not wor
            Binoy Shah Newbie

            But the same thing works with Jetty version of 3.2.2,
            secondly, I dont get the BASIC login prompt when i access the resource that is under context /PracticeVeterinary, I wonder why .?

            --swatkat

            • 3. Re: Migration Woes: Jboss 3.2.1 to 3.2.2, BASIC Auth not wor
              Juha Lindfors Master

              Why don't you just add that declaration since it is mandatory and try to get your app to run with a correctly formed deployment descriptors.

              -- Juha

              • 4. Re: Migration Woes: Jboss 3.2.1 to 3.2.2, BASIC Auth not wor
                Binoy Shah Newbie

                Okay,
                here is what i did, as you told, i added the same role that was being expected as an auth constraint in the web.xml file

                Here's what my web.xml looks like:
                --------------------------------------------------------------------------
                <session-config>
                <session-timeout>30</session-timeout>
                </session-config>
                <error-page>
                <exception-type>java.lang.SecurityException</exception-type>
                /PracticeWebApplication/html/Security.html
                </error-page>
                <error-page>
                <exception-type>java.lang.RemoteException</exception-type>
                /PracticeWebApplication/html/RMI.html
                </error-page>
                <error-page>
                <error-code>401</error-code>
                /html/bad_password.htm
                </error-page>
                <security-constraint>
                <web-resource-collection>
                <web-resource-name>servlet</web-resource-name>
                Declarative security tests
                <url-pattern>/servlet/*</url-pattern>
                <http-method>HEAD</http-method>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
                <http-method>PUT</http-method>
                <http-method>DELETE</http-method>
                </web-resource-collection>
                <auth-constraint>
                Any user with a valid login
                <role-name>ValidUser</role-name>
                </auth-constraint>
                <user-data-constraint>
                no description
                <transport-guarantee>NONE</transport-guarantee>
                </user-data-constraint>
                </security-constraint>
                <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>example2</realm-name>
                </login-config>
                <security-role>
                A user allowed to invoke any methods
                <role-name>ValidUser</role-name>
                </security-role>

                ....
                -----------------------------------------------------------------------------

                The the main page of the application is located at the url http://host:8080/PracticeWebApplication/html/loginpage.html

                On that i have a submit button that invokes
                http://host:8080/PracticeWebApplication/servlet/LoginServlet

                Ideally it prompts me for a username/password when i deploy it on Jetty 4.2, but it fails to do so on the Tomcat version.

                Am i doing it wrong somewhere ?

                • 5. Re: Migration Woes: Jboss 3.2.1 to 3.2.2, BASIC Auth not wor
                  Binoy Shah Newbie

                  Hello Juha,

                  I think I FOUND THE PROBLEM AREA in my migration deployment, in my web.xml I have a tag for displaying custom error:

                  <error-page>
                  <error-code>401</error-code>
                  /html/bad_password.htm
                  </error-page>

                  Now this page should ideally be displayed when there is invalid password, but in my case instead of displaying the basic Auth dialogue, the browser just redirects to the above said page ie. bad_password.htm

                  Why is Tomcat behaving in this certain fashion instead..?

                  Jetty works okay with the above <error-page> tag and correctly first prompts for Username and Password and then on failure it displays the page.

                  Any views..?

                  Regards

                  Swatkat