2 Replies Latest reply on Feb 15, 2005 2:21 PM by John Anderson

    Wrong LoginModule?

    John Anderson Newbie

      Hello all. I'm brand new to JBoss Security and JAAS, so I'll just jump right in here.

      I have a simple application and a simple JSP. I want to secure access to the JSP based on a role. The role who should be able to access the JSP (report.jsp) is "userAdmin".

      To the jboss-web.xml I've added:

      <security-domain>java:/jaas/kickstart</security-domain>
      


      To the web.xml I've added:

       <security-constraint>
       <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>Allow userAdmin(s) access to report.jsp
       </description>
       <url-pattern>/report.jsp</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>userAdmin</role-name>
       </auth-constraint>
       </security-constraint>
      
       <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>Kickstart</realm-name>
       </login-config>
      
       <security-role>
       <role-name>userAdmin</role-name>
       </security-role>
      


      To the login-config.xml I've added:
       <application-policy name="kickstart">
       <authentication>
       <login-module code="com.ccbill.kickstart.support.auth.CCBLoginModule" flag="required">
       </login-module>
       </authentication>
       </application-policy>
      


      The CCBLoginModule code I have added by implementing LoginModule and I'm deploying it with the application (i.e. this code is bundled in the .ear).

      When I try to access http://host:443/kickstart/report.jsp I get prompted with a standard login dialogue. However, when I OK that dialoge I don't get authenticated. After looking at the logs I discovered why:

      2005-02-14 14:47:04,102 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /kickstart/report.jsp
      2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /report.jsp --> true
      2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
      2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
      2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
      2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.realm.JAASRealm] Authenticating jboss.web admin
      2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.realm.JAASRealm] Login context created admin
      2005-02-14 14:47:04,111 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=admin
      2005-02-14 14:47:04,112 DEBUG [org.apache.catalina.realm.JAASRealm] Username admin NOT authenticated due to failed login
      2005-02-14 14:47:04,112 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
      2005-02-14 14:47:08,190 DEBUG [org.apache.coyote.http11.Http11Protocol] IOException reading request
      


      According to the log, specifically "[org.jboss.security.auth.spi.UsersRolesLoginModule]" that line, JBoss is still using UsersRolesLoginModule to authenticate report.jsp. I've looked into it, and it looks like this module is set to fire when the "other" security domain is invoked, but I've deployed my application to use the kickstart security domain. What am I missing in the way of configuration to make JBoss use the kickstart security domain?

      Thanks in advance for straightening me out.

        • 1. Re: Wrong LoginModule?
          John Anderson Newbie

          Actually, I've identified the problem, but I still dont' have a solution. It seems that every web app, inlcuding jmx-console and web-console are authenticating using the "other" entry in login-config.xml. I know this because when I comment out the " <application-policy name = "web-console">" section of the login-config.xml nothing changes. When I comment out the "<application-policy name = "other"> section I get an exception "no LoginModule found for Jboss.Web".

          What could cause jmx-console, web-console and my application to use the LoginModule in the "other" section instead of the login module specified by the <application-policy> section corresponding to their <security-domain>?

          • 2. Re: Wrong LoginModule?
            John Anderson Newbie

            I'm not sure what the problem was but every single one of the security domains was definately using the "other" entry in login-config.xml. I was 99% sure this was due to some configuration error of mine though I couldn't find it. I ended up re-installing JBoss and starting the configuration from scratch. It works like a champs now.