2 Replies Latest reply on Jun 21, 2004 12:05 PM by voxa2001

    JBoss 4DR4 issue with jaas

    voxa2001 Newbie

      hi. i try porting an application from jboss 3.2.1 to 4.0.0 DR4. it works so far - only the jaas module fails with a crazy failure.

      when i do login, the principal and role are permuted.

      that means in the userPrincipal Parameter in the request object is in jboss 4 the role name, not the principal name after the authentication.

      where can i find more information about the jaas module from jboss 4.0.0? what has changed?

      here is my login-config part, which is working in jboss 3.2.1:

      <application-policy name = "xavoportal">
       <authentication>
       <login-module code = "de.xavo.jboss.security.auth.spi.XavoDatabaseServerLoginModule" flag = "required">
       <module-option name = "dsJndiName">java:XavoportalDataSource</module-option>
       <module-option name = "principalsQuery">select PASSWORD from LOGIN where upper(LOGIN_NAME)=upper(?)</module-option>
       <module-option name = "rolesQuery">select a.Role, a.ROLEGROUP from(select USER_GROUP.GROUP_ROLE Role, 'Roles' RoleGroup, LOGIN_NAME from USER_GROUP, LOGIN,LOGIN_USER_GROUP where LOGIN.login_id = LOGIN_USER_GROUP.login_id and user_group.user_group_id = LOGIN_USER_GROUP.user_group_id union select USER_GROUP.GROUP_ROLE Role, 'CallerPrincipal' RoleGroup , LOGIN_NAME from USER_GROUP, LOGIN,LOGIN_USER_GROUP where LOGIN.login_id = LOGIN_USER_GROUP.login_id and user_group.user_group_id = LOGIN_USER_GROUP.user_group_id ) a where upper(LOGIN_NAME)=upper(?)</module-option>
       </login-module>
       </authentication>
       </application-policy>
      


      any ideas?

        • 1. Re: JBoss 4DR4 issue with jaas
          Scott Stark Master

          Any change like this would be a bug. Your saying the authenticated Principal.getName() is a role rather than a valid user name? Via what interface are you obtaining the Principal?

          • 2. Re: JBoss 4DR4 issue with jaas
            voxa2001 Newbie

             

            "scott.stark@jboss.org" wrote:
            Any change like this would be a bug. Your saying the authenticated Principal.getName() is a role rather than a valid user name?


            Yes. This is the way i use it.

            Via what interface are you obtaining the Principal?


            with a extended DatabaseServerLoginModule, which is only extended for the decrypting of passwords... Everything else is standard. Perhaps you can check this? The passwordcheck seems correct, because the role is correct for the user.