8 Replies Latest reply on Aug 2, 2010 5:26 AM by Gaurav Agarwal

    New LoginContext for each request...

    Vijay Phagura Newbie

      We have upgraded our JBoss from 3.2.1 to 3.2.3 (with tomcat). The security used to work fine in 3.2.1 but does not now, with JBOSS3.2.3. We are using DatabaseServerLoginModule and is configured in the login-config.xml as follows:

      <application-policy name = "sys1010Security">

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/sys1010DS</module-option>
      <module-option name="principalsQuery">select password from User where userId=?</module-option>
      <module-option name="rolesQuery">select Roles, RoleGroup from UserRoles where userId=?</module-option>
      <!--module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=sys1010DS</module-option-->
      </login-module>

      </application-policy>


      It seems after the login page I have to get the LoginContext again for each page with the username and password from the login page. Otherwise I get the principle=null exception. This solution does not seem right ? Anyone any ideas what may be wrong ??

      Thanks in adv.

        • 1. Re: New LoginContext for each request...
          Scott Stark Master

          That is the expected behavior in 3.2.3. 3.2.1 could leak credentials back to the request thread pool and allow unauthenticated users to access secured content using someone else's credentials.

          • 2. Re: New LoginContext for each request...
            Janardhan Burugupalli Newbie

            I think this behaviour is only seen in case of servlets as clients and not in the case of standalone java cleints as it seems that the once u call the LoginContext.login() then it is associating the principal and credential to every call made from this client...

            But in the servlets or JSP's case its not and it is passing null, null in subsequent requests. So tha only solution is calling the logincontext.login() method on every request or did any one find a better solution.

            My problem is i have many JSP's and from there i access JavaBeans directly and these Java Beans directly interact with the Session Beans.

            And i hope you know the problem for every request if i have to assing the LoginContext ....it seems my future is dark ....it would be very nice if any one can suggest me a better solution which can be done without much code change.

            regards
            jani

            • 3. Re: New LoginContext for each request...
              Scott Stark Master

              Use a servlet filter or tomcat valve then.

              • 4. Re: New LoginContext for each request...
                Vijay Phagura Newbie

                I agree with Jani. And, also appreciate the response from scott. But could you please explain little bit more when you say, "Use a servlet filter or tomcat valve then", or point me to some more details on this.

                Thanks
                Vijay

                • 5. Re: New LoginContext for each request...
                  Janardhan Burugupalli Newbie

                  HI All,

                  Thanks scott, i used a filter to do this but i am not sure how to do it with a tomcat valve any way the filter looks like this

                   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                   throws IOException, ServletException
                   try
                   {
                   WorkServerWebEJBServiceLocator.getInstance().performLogin();
                   chain.doFilter(request, response);
                   }
                   catch (ServiceLocatorException aException)
                   {
                   cCat.error("WorkServerWebEJBServiceLocator Login error.");
                   cCat.debug("WorkServerWebEJBServiceLocator Login error.", aException);
                   }
                   finally
                   {
                   try
                   {
                   WorkServerWebEJBServiceLocator.getInstance().performLogout();
                   }
                   catch (ServiceLocatorException aException)
                   {
                   cCat.error("WorkServerWebEJBServiceLocator Logout error.");
                   cCat.debug("WorkServerWebEJBServiceLocator Logout error.", aException);
                   }
                   }
                  
                  
                  

                  I configured this filter for all URLs like using /* mapping . the performlogin and logout methods does the following
                   try
                   {
                   UsernamePasswordHandler tHandler = new UsernamePasswordHandler(iUserName,
                   iPassword.toCharArray());
                   iLoginContext = new LoginContext("client-login", tHandler);
                   iLoginContext.login();
                   cCat.info("Login With :" + iUserName + ":" + iPassword);
                   }
                   catch (LoginException aException)
                   {
                   cCat.error("Could not login for the LoginContext.");
                   }
                  
                  


                  i hope this will help

                  regards
                  jani

                  • 6. Re: New LoginContext for each request...
                    nivek Newbie


                    << That is the expected behavior in 3.2.3. 3.2.1 could leak credentials back to the request thread pool and allow unauthenticated users to access secured content using someone else's credentials. >>

                    Will this continue to be the same sort of behavior with 3.2.4? Thanks..

                    • 7. Re: New LoginContext for each request...
                      Vijay Phagura Newbie

                      Thanks to Jani for the code. Of course, Tomcat valve would be also helpful. Looking forward to an answer to nivek's query !!

                      Vijay

                      • 8. Re: New LoginContext for each request...
                        Gaurav Agarwal Newbie

                        hi ,

                         

                             I have checked you data , the thing is  even i have same issue that with every request i need to call again  login method logincontext ,

                         

                        other than filter how we  can d. If you have any solution for it please let me know . It's urgent  ...

                         

                         

                        Thanx...