1 Reply Latest reply on Dec 9, 2004 11:44 AM by Scott Stark

    How to handle extra JAAS callback

    Thomas Cherel Novice


      I am currently "playing" around an NT JAAS login module for JBoss.

      I managed to have a remote EJB client sending windows user name and password to the server via the JBoss client login module and the server authenticating the user against the windows domain.

      I wanted to go one step further and pass the windows domain name as part of the login information (user, password and domain).

      Obviously, I can change the user name into a "domain name/user name", but I am curious to know what needs to be done to really add an extra Callback (like a TextInputCallback to ask for the windows domain) in the JBoss JAAS authentication process.

      On the client side, it seems that I need to write my own ClientLoginModule to replace the default JBoss one. Is this correct?

      The only other possibility that I see is to create a client module that will be called before the JBoss one and that will create and populate a subject with the domain information. I am assuming that this subject will be passed along in the SecurityAssociation, so I can get it back on the server. Does it make sense?

      On the server side, either the subject trick above is working and then I can get back the domain information in my login module, or I have to write a replacement for the SecurityAssociationHandler.

      It seems a lot of work "just" to add an extra parameter to my login module. Am I missing something?

      Thanks.

      Thomas
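
The mechanics the question asks about, as an added example that is not part of the original post and not JBoss code: a login module that requests a `TextInputCallback` for the domain next to the usual name and password, and a handler that answers all three, using only the standard `javax.security.auth` API. The class names, the `CORP`/`alice`/`s3cret` values and the stand-in credential check are constructed for illustration; how JBoss's own client login module or SecurityAssociationHandler would carry the extra value is not shown.

```java
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class DomainCallbackExample {
    // Hypothetical login module that requests a domain next to name and password.
    public static class NtLoginModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback user = new NameCallback("User: ");
            PasswordCallback pass = new PasswordCallback("Password: ", false);
            TextInputCallback domain = new TextInputCallback("Domain: ");
            try {
                handler.handle(new Callback[] { user, pass, domain });
            } catch (UnsupportedCallbackException e) {
                // Fail closed when the installed handler cannot answer the extra callback.
                throw new LoginException("Unsupported callback: " + e.getCallback().getClass().getName());
            } catch (IOException e) { throw new LoginException(e.getMessage()); }
            // Stand-in for the real Windows domain check; constructed credentials.
            boolean ok = "CORP".equals(domain.getText()) && "alice".equals(user.getName())
                    && Arrays.equals("s3cret".toCharArray(), pass.getPassword());
            pass.clearPassword(); // do not keep the password in the callback after the check
            if (!ok) throw new FailedLoginException("Bad domain, user or password");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    public static void main(String[] args) throws Exception {
        // Handler that answers all three callbacks and rejects anything else.
        CallbackHandler full = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret".toCharArray());
                else if (cb instanceof TextInputCallback) ((TextInputCallback) cb).setText("CORP");
                else throw new UnsupportedCallbackException(cb);
            }
        };
        NtLoginModule module = new NtLoginModule();
        module.initialize(new Subject(), full, new HashMap<String, Object>(), new HashMap<String, Object>());
        System.out.println("login succeeded: " + module.login());
    }
}
```

A handler that only knows `NameCallback` and `PasswordCallback` makes `login()` throw a `LoginException` here rather than authenticating without a domain.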

        • 1. SSLPeerUnverifiedException "Error getting client certs" jbos
          Scott Stark Master

          Basically, can not get jboss https to work.
          It is not a browser issue since it can get https pages
          from a vast number of website - its a jboss config issue.

          Using JBoss-3.2.5

          In
          jboss/server/default/deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml





          Note: 1) if one does not set the "SSLImplementation"
          then it assumes one is using the "puretsl" implementation and if
          one does not have it around, then one gets a class not found issue, and
          2) the attribute name MUST be "SSLImplementation", it can not be, for
          example, "sslImplementation" because jboss does not match setter/getter
          methods by first lower-casing both strings ... no, jboss only lower-cases
          the first character of the attribute name in the xml file....

          Near the top of the log, the Digester reads all of the attributes:

          2004-12-06 16:45:42,036 DEBUG [BeanUtils] jboss.web:service=WebServer
          EmbeddedCatalina4.1.x -
          BeanUtils.populate(org.apache.coyote.tomcat4.CoyoteServerSocketFactory@48f675,
          {protocol=TLS, keystorePass=tc-ssl, clientAuth=false,
          SSLImplementation=org.apache.tomcat.util.net.jsse.JSSEImplementation,
          keystoreFile=/usr/local/ED/app/jboss/server/cs/conf/server.keystore,
          className=org.apache.coyote.tomcat4.CoyoteServerSocketFactory})
          From the log I get:

          2004-12-06 16:46:15,850 INFO [Engine] - CoyoteConnector Coyote can't register
          jmx for protocol
          2004-12-06 16:46:15,867 INFO [Http11Protocol] - Starting Coyote HTTP/1.1 on
          port 50080
          2004-12-06 16:46:15,867 DEBUG [Http11Protocol] - Attribute soLinger: -1
          2004-12-06 16:46:15,867 DEBUG [Http11Protocol] - Attribute soTimeout: 60000
          2004-12-06 16:46:15,867 DEBUG [Http11Protocol] - Attribute serverSoTimeout: 0
          2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute tcpNoDelay: true
          2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute jkHome:
          /usr/local/ED/app/jboss/server/default
          2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute port: 50443
          2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute maxThreads: 20
          2004-12-06 16:46:15,869 DEBUG [Http11Protocol] - Attribute minSpareThreads: 5
          2004-12-06 16:46:15,869 DEBUG [Http11Protocol] - Attribute maxSpareThreads: 5
          2004-12-06 16:46:15,869 DEBUG [Http11Protocol] - Attribute backlog: 10
          2004-12-06 16:46:15,870 DEBUG [Http11Protocol] - Attribute tcpNoDelay: true
          2004-12-06 16:46:15,870 DEBUG [Http11Protocol] - Attribute soLinger: -1
          2004-12-06 16:46:15,870 DEBUG [Http11Protocol] - Attribute soTimeout: 60000
          2004-12-06 16:46:15,871 DEBUG [Http11Protocol] - Attribute timeout: 300000
          2004-12-06 16:46:15,871 DEBUG [Http11Protocol] - Attribute serverSoTimeout: 0
          2004-12-06 16:46:15,871 DEBUG [Http11Protocol] - Attribute
          maxKeepAliveRequests: 100
          2004-12-06 16:46:15,872 DEBUG [Http11Protocol] - Attribute
          tomcatAuthentication: true
          2004-12-06 16:46:15,872 DEBUG [Http11Protocol] - Attribute compression: off
          2004-12-06 16:46:15,872 DEBUG [Http11Protocol] - Attribute address: /0.0.0.0
          2004-12-06 16:46:15,873 DEBUG [Http11Protocol] - Attribute secure: true
          2004-12-06 16:46:15,873 DEBUG [Http11Protocol] - Attribute algorithm: null
          2004-12-06 16:46:15,874 DEBUG [Http11Protocol] - Attribute keystore:
          /usr/local/ED/app/jboss/server/default/conf/server.keystore
          2004-12-06 16:46:15,874 DEBUG [Http11Protocol] - Attribute randomfile:
          /home/myhome/random.pem
          2004-12-06 16:46:15,874 DEBUG [Http11Protocol] - Attribute rootfile:
          /home/myhome/root.pem
          2004-12-06 16:46:15,875 DEBUG [Http11Protocol] - Attribute keystoreType: JKS
          2004-12-06 16:46:15,875 DEBUG [Http11Protocol] - Attribute protocol: TLS
          2004-12-06 16:46:15,875 DEBUG [Http11Protocol] - Attribute sslImplementation:
          org.apache.tomcat.util.net.jsse.JSSEImplementation
          2004-12-06 16:46:16,091 DEBUG [JSSESocketFactory] - Truststore = null
          2004-12-06 16:46:16,091 DEBUG [JSSESocketFactory] - TrustPass = tc-ssl
          2004-12-06 16:46:16,091 DEBUG [JSSESocketFactory] - trustType = JKS

          Note that the keystore was picked up from the jboss-service.xml
          file.
          Also, note that the "clientAuth" was not picked up!!!!!!!

          I assume that this is printed by code in the class
          org/apache/coyote/tomcat4/CoyoteConnector.java:
          IntrospectionUtils.setProperty(protocolHandler, "jkHome",
              System.getProperty("catalina.base"));

          // Set attributes
          IntrospectionUtils.setProperty(protocolHandler, "port", "" + port);
          IntrospectionUtils.setProperty(protocolHandler, "maxThreads",
              "" + maxProcessors);
          IntrospectionUtils.setProperty(protocolHandler, "minSpareThreads",
              "" + minProcessors);
          IntrospectionUtils.setProperty(protocolHandler, "maxSpareThreads",
              "" + maxSpareProcessors);
          IntrospectionUtils.setProperty(protocolHandler, "backlog",
              "" + acceptCount);
          IntrospectionUtils.setProperty(protocolHandler, "tcpNoDelay",
              "" + tcpNoDelay);
          IntrospectionUtils.setProperty(protocolHandler, "soLinger",
              "" + connectionLinger);
          IntrospectionUtils.setProperty(protocolHandler, "soTimeout",
              "" + connectionTimeout);
          IntrospectionUtils.setProperty(protocolHandler, "timeout",
              "" + connectionUploadTimeout);
          IntrospectionUtils.setProperty(protocolHandler, "serverSoTimeout",
              "" + serverSocketTimeout);
          IntrospectionUtils.setProperty(protocolHandler, "disableUploadTimeout",
              "" + disableUploadTimeout);
          IntrospectionUtils.setProperty(protocolHandler, "maxKeepAliveRequests",
              "" + maxKeepAliveRequests);
          IntrospectionUtils.setProperty(protocolHandler, "tomcatAuthentication",
              "" + tomcatAuthentication);
          IntrospectionUtils.setProperty(protocolHandler, "compression",
              compression);
          if (address != null) {
              IntrospectionUtils.setProperty(protocolHandler, "address",
                  address);
          }

          // Configure secure socket factory
          if (factory instanceof CoyoteServerSocketFactory) {
              IntrospectionUtils.setProperty(protocolHandler, "secure",
                  "" + true);
              CoyoteServerSocketFactory ssf =
                  (CoyoteServerSocketFactory) factory;
              IntrospectionUtils.setProperty(protocolHandler, "algorithm",
                  ssf.getAlgorithm());
              IntrospectionUtils.setProperty(protocolHandler, "clientauth",
                  ssf.getClientAuth());
              IntrospectionUtils.setProperty(protocolHandler, "keystore",
                  ssf.getKeystoreFile());
              IntrospectionUtils.setProperty(protocolHandler, "randomfile",
                  ssf.getRandomFile());
              IntrospectionUtils.setProperty(protocolHandler, "rootfile",
                  ssf.getRootFile());

              IntrospectionUtils.setProperty(protocolHandler, "keypass",
                  ssf.getKeystorePass());
              IntrospectionUtils.setProperty(protocolHandler, "keytype",
                  ssf.getKeystoreType());
              IntrospectionUtils.setProperty(protocolHandler, "protocol",
                  ssf.getProtocol());
              IntrospectionUtils.setProperty(protocolHandler,
                  "sSLImplementation",
                  ssf.getSSLImplementation());
          } else {
              IntrospectionUtils.setProperty(protocolHandler, "secure",
                  "" + false);
          }


          Again, note that the "clientauth" value is not printed.

          Finally, when the browser is pointed at:

          https://myhost:50443/jmx-console

          the following appears in the log:

          2004-12-06 16:46:58,298 DEBUG [JSSE14Support] - Error getting client certs
          javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
          at
          com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(DashoA12275)
          at
          org.apache.tomcat.util.net.jsse.JSSE14Support.getX509Certificates(JSSE14Support.java:151)
          at
          org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:166)
          at
          org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1007)
          at org.apache.coyote.Response.action(Response.java:226)
          at
          org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
          at
          org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:197)
          at
          org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:833)
          at
          org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:711)
          at
          org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584)
          at
          org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:687)
          at java.lang.Thread.run(Thread.java:534)
          2004-12-06 16:46:58,325 INFO [Engine] - StandardHost[localhost]: MAPPING
          configuration error for request URI
          2004-12-06 16:46:58,326 INFO [Engine] - StandardHost[localhost]: MAPPING
          configuration error for request URI

          If you do not have logging set to DEBUG, all you get is the "MAPPING"
          INFO log ...


          So, the Http11Processor in its "action" method has been passed
          the value "ActionCode.ACTION_REQ_SSL_CERTIFICATE".

          Please, what's going on?
          How does one tell jboss to look at the "clientAuth=false" attribute?

          Thanks



          One would think that accessing JBoss via https would be easier to configure.