8 Replies Latest reply on Mar 23, 2006 3:07 PM by Thomas Klem

    JBoss 3.2.5 Will Not Load Embedded Obj Under JAAS & SSL & IE

    Anthony Law Newbie

      Ok I've narrowed it down to a Tomcat 5 bug/feature:

      http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27122

      About 1/2 way down the comments:

      ------- Additional Comments From william.barker@wilshire.com 2004-02-25 22:07 -------

      And we have finally found the problem. In an attempt to try and work around some broken client (I can't be bothered to go back and see which one), Tomcat5 started adding adding the "don't cache" headers even for SSL requests. I'm in a very small minority of disliking this "feature", so it is unlikely to change.

      The work-around is to configure the Authenticator yourself:

      <Context path="/myapp" docBase="myapp">
       <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
       disableProxyCaching="false" />
       </Context>


      Does anyone know how & where I can configure this in a JBoss-3.2.5 environemnt? Ie if I have a EAR file to deploy, "myapp.ear" with contents:
      - myapp-ejb.jar
      - myapp-web.war
      - application.xml
      - jboss-app.xml
      - etc...

      Also, this webapp is to be the default context, if it makes a different.

      I've tried adding something to jbossweb-tomcat50.sar\server.xml but I can't figure out the correct syntax.

      Thanks.

        • 1. Re: JBoss 3.2.5 Will Not Load Embedded Obj Under JAAS & SSL
          Anthony Law Newbie

          Ok I've narrowed it down to a Tomcat 5 bug/feature:

          http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27122

          About 1/2 way down the comments:

          ------- Additional Comments From william.barker@wilshire.com 2004-02-25 22:07 -------

          And we have finally found the problem. In an attempt to try and work around some broken client (I can't be bothered to go back and see which one), Tomcat5 started adding adding the "don't cache" headers even for SSL requests. I'm in a very small minority of disliking this "feature", so it is unlikely to change.

          The work-around is to configure the Authenticator yourself:

          <Context path="/myapp" docBase="myapp">
           <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
           disableProxyCaching="false" />
           </Context>


          Does anyone know how & where I can configure this in a JBoss-3.2.5 environemnt? Ie if I have a EAR file to deploy, "myapp.ear" with contents:
          - myapp-ejb.jar
          - myapp-web.war
          - application.xml
          - jboss-app.xml
          - etc...

          Also, this webapp is to be the default context, if it makes a different.

          I've tried adding something to jbossweb-tomcat50.sar\server.xml but I can't figure out the correct syntax.

          Thanks.

          • 2. Re: JBoss 3.2.5 Will Not Load Embedded Obj Under JAAS & SSL
            Scott Stark Master

            jboss-3.2.5 does not support context level overrides. jboss-3.2.6 supports a WEB-INF/context.xml descriptor that allows one to customize a war context. The custom valve would be added by including a myapp-web.war/WEB-INF/context.xml with:

            <Context>
             <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
             disableProxyCaching="false" />
            </Context>
            


            With this the headers for the jmx-console secured using form auth look like:

            http://localhost:8080/jmx-console/
            
            GET /jmx-console/ HTTP/1.1
            Host: localhost:8080
            User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910
            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
            Accept-Language: en-us,en;q=0.5
            Accept-Encoding: gzip,deflate
            Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
            Keep-Alive: 300
            Connection: keep-alive
            Cookie: JSESSIONID=73BBE64CC7EE140B8BE9564A3674B5C2
            
            HTTP/1.x 200 OK
            Set-Cookie: JSESSIONID=544A25A77D9EEBB2AD92719D5B63262F; Path=/jmx-console
            Etag: W/"711-1098230852000"
            Last-Modified: Wed, 20 Oct 2004 00:07:32 GMT
            Content-Type: text/html
            Content-Length: 711
            Date: Wed, 20 Oct 2004 00:24:10 GMT
            Server: Apache-Coyote/1.1
            ----------------------------------------------------------
            


            Without this or with the disableProxyCaching=true there are Pragma: No-cache and Cache-Control: no-cache headers in the replies:

            http://localhost:8080/jmx-console/
            
            GET /jmx-console/ HTTP/1.1
            Host: localhost:8080
            User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910
            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
            Accept-Language: en-us,en;q=0.5
            Accept-Encoding: gzip,deflate
            Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
            Keep-Alive: 300
            Connection: keep-alive
            Cookie: JSESSIONID=544A25A77D9EEBB2AD92719D5B63262F
            
            HTTP/1.x 200 OK
            Pragma: No-cache
            Cache-Control: no-cache
            Expires: Wed, 31 Dec 1969 16:00:00 PST
            Etag: W/"711-1098230852000"
            Last-Modified: Wed, 20 Oct 2004 00:07:32 GMT
            Content-Type: text/html
            Content-Length: 711
            Date: Wed, 20 Oct 2004 00:27:13 GMT
            Server: Apache-Coyote/1.1
            ----------------------------------------------------------
            



            • 3. Re: JBoss 3.2.5 Will Not Load Embedded Obj Under JAAS & SSL
              Anthony Law Newbie

              Many thanks Scott!

              That did the trick & I'm sure other developers will be happy to know this as well, since the issue applies to Flash, PDF, MS Office files, etc etc.

              • 4. Re: JBoss 3.2.5 Will Not Load Embedded Obj Under JAAS & SSL
                Thomas Klem Newbie

                I attempted to create a context.xml file with contents as follows:

                <?xml version="1.0" encoding="ISO-8859-1"?>
                
                <Context reloadable="true">
                 <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
                 disableProxyCaching="false" />
                </Context>


                When I run the server on JBoss 3.2.7 on my Windows XP local machine, the SSL fix for IE only works if the web.xml that does the user name and password is renamed to web.xml.bak, turning off usernames and passwords. The code from that file follows:

                <?xml version="1.0" encoding="ISO-8859-1"?>
                
                <!DOCTYPE web-app
                 PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
                 "http://java.sun.com/dtd/web-app_2_3.dtd">
                
                <web-app>
                
                <security-constraint>
                 <web-resource-collection>
                 <web-resource-name>resourcename</web-resource-name>
                 <description>An example security config that only allows users with the
                 role myrole to access the web application
                 </description>
                 <url-pattern>/*</url-pattern>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
                 </web-resource-collection>
                 <auth-constraint>
                 <role-name>myrole</role-name>
                 </auth-constraint>
                </security-constraint>
                
                
                 <login-config>
                 <auth-method>BASIC</auth-method>
                 <realm-name>myrealm</realm-name>
                 </login-config>
                
                 <security-role>
                 <role-name>myrole</role-name>
                 </security-role>
                
                </web-app>


                Is the problem that I'm using basic authentication, or is there another problem with the code? Both files are in the WEB-INF folder of the application.

                • 5. Re: JBoss 3.2.5 Will Not Load Embedded Obj Under JAAS & SSL
                  Andy W. Clements Newbie

                  Hello,

                  So I was getting Pragma: no-cache and Cache-Control: no-cache in my headers with IE6 so, I created the myapp.war/WEB-INF/context.xml with the following content:

                  <Context>
                   <Valve className="org.apache.catalina.authenticator.FormAuthenticator" disableProxyCaching="false" />
                  </Context>



                  However, I get the following error:

                  13:46:55,101 WARN [FormAuthenticator] Unexpected error forwarding to login page
                  java.lang.NullPointerException
                   at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:238)
                   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
                   at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
                   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                   at org.apache.catalina.valves.FastCommonAccessLogValve.invoke(FastCommonAccessLogValve.java:481)
                   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
                   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
                   at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                   at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                   at java.lang.Thread.run(Thread.java:595)
                  

                  Now, I am using BASIC authentication, but I am assuming (possibly incorrectly) that my valve should use the form authentication. Becuase, hey, that's what the example is using.

                  Looking at the FormAuthenticator.java code... line 238 is this:

                  response.sendError(HttpServletResponse.SC_FORBIDDEN,sm.getString("authenticator.requestBodyTooBig"));
                  

                  in this try/catch block:

                  // No -- Save this request and redirect to the form login page
                   if (!loginAction) {
                   session = request.getSessionInternal(true);
                   if (log.isDebugEnabled())
                   log.debug("Save request in session '" + session.getIdInternal() + "'");
                   try {
                   saveRequest(request, session);
                   } catch (IOException ioe) {
                   log.debug("Request body too big to save during authentication");
                   response.sendError(HttpServletResponse.SC_FORBIDDEN,
                   sm.getString("authenticator.requestBodyTooBig"));
                   return (false);
                   }
                   forwardToLoginPage(request, response, config);
                   return (false);
                   }
                  

                  So, it looks like the Authenticator was trying to warn that the request body was too big, but failed because the response was null (which is kind of hard to believe). This is assuming that the tomcat5.5 source matches the jboss 4.0.2 binaries.....

                  so, I'm kind of stuck as to what to do .... am I missing some small configuration issue? Is there another way to solve the problem of no-cache
                  if I'm using BASIC authenticator?

                  Any help would be appreciated!



                  • 6. Re: JBoss 3.2.5 Will Not Load Embedded Obj Under JAAS & SSL
                    Andy W. Clements Newbie

                    Hey Forum Folks!

                    Well, I found my fix. Appearantly, I incorrectly assumed that FormAuthenticator should be used in the context.xml. Since I am using the BasicAuthenticator for authentication, my context.xml needed to look like this:

                    <Context>
                     <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" disableProxyCaching="false" />
                    </Context>
                    


                    and WA-LA, it works!

                    If you are reading this, I hope it helps.

                    --Andy

                    • 7. Re: JBoss 3.2.5 Will Not Load Embedded Obj Under JAAS & SSL
                      Thomas Klem Newbie

                      I am having trouble getting this to work. I've put the following code into a context.xml file in the WEB-INF director.





                      However, I don't know if this is a complete context.xml file. Is there a sample file out there somewhere that I haven't been able to find?

                      • 8. Re: JBoss 3.2.5 Will Not Load Embedded Obj Under JAAS & SSL
                        Thomas Klem Newbie

                        Sorry, I used the instant reply instead of the main reply function. Here's the code for the context.xml file.

                        <?xml version="1.0" encoding="ISO-8859-1"?>
                        
                        <Context reloadable="true">
                         <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
                         disableProxyCaching="false" />
                        </Context>