6 Replies Latest reply on Apr 25, 2005 11:46 AM by Stéphane Vandenbussche

    Losing my principals.

    Jon Hurwitz Newbie

      First, sorry if this is a variation of an old problem. I'm new at this and not all the documentation is making sense yet.

      I'm trying to get some basic authentication set up. I'm using jboss3.2.2/tomcat (but I'm happy to upgrade if needed) and jdk1.4. My main objective is to know who is using the application so I can provide variable pages. I want people to log in when they hit the first page (whichever they go for) in the application and all pages will then render differently using programmatic code accessed from the jsp.

      My problem is that whenever I call down to a service provided by a session EJB, the principal is lost. I can't access it from the session context and on return it's no longer available to the HttpServletRequest. I'm using the same security domain name at both levels and have tried it with BASIC and FORM authorization methods. As long as I'm just moving from page to page (using Struts), everything is fine.

      I'm not sure what you guys will need to see. The configuration for FORM uses SSL for the login page, but the BASIC one doesn't even do that. The config I used for BASIC is:

      web.xml

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>AllJSPs</web-resource-name>
          <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>everyone</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>User-Basic-Authentication</realm-name>
      </login-config>

      <security-role>
        <description>The role required to access restricted content</description>
        <role-name>everyone</role-name>
      </security-role>

      (To force everyone to log on immediately)


      jboss-web.xml

      <jboss-web>
      <security-domain>java:/jaas/User-Basic-Authentication</security-domain>
      </jboss-web>


      jboss.xml

      <security-domain>java:/jaas/User-Basic-Authentication</security-domain>



      Any thoughts or pointers would be much appreciated.


      Cheers,

      Jon

        • 1. Re: Losing my principals.
          Jon Hurwitz Newbie

          Sorry, the configuration didn't come through properly last time, here it is again.

          web.xml

          <security-constraint>
            <web-resource-collection>
              <web-resource-name>AllJSPs</web-resource-name>
              <url-pattern>*.jsp</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <role-name>everyone</role-name>
            </auth-constraint>
          </security-constraint>

          <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>User-Basic-Authentication</realm-name>
          </login-config>

          <security-role>
            <description>The role required to access restricted content</description>
            <role-name>everyone</role-name>
          </security-role>

          (To force everyone to log on immediately)


          jboss-web.xml

          <jboss-web>
           <security-domain>java:/jaas/User-Basic-Authentication</security-domain>
          </jboss-web>


          jboss.xml

          <security-domain>java:/jaas/User-Basic-Authentication</security-domain>


          jboss-service.xml

          <mbean code="org.jboss.security.plugins.SecurityConfig"
                 name="jboss.security:service=SecurityConfig">
            <attribute name="LoginConfig">jboss.security:service=XMLLoginConfig</attribute>
          </mbean>

          <mbean code="org.jboss.security.auth.login.XMLLoginConfig"
                 name="jboss.security:service=XMLLoginConfig">
            <attribute name="ConfigResource">login-config.xml</attribute>
          </mbean>

          <!-- JAAS security manager and realm mapping -->
          <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
                 name="jboss.security:service=JaasSecurityManager">
            <attribute name="SecurityManagerClassName">
              org.jboss.security.plugins.JaasSecurityManager
            </attribute>
          </mbean>

          <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                 name="jboss.security:service=JaasSecurityDomain, domain=User-Basic-Authentication">
            <constructor>
              <arg type="java.lang.String" value="User-Basic-Authentication" />
            </constructor>
          </mbean>



          jboss-service.xml (in the -tomcat41.sar\meta-inf subdirectory)

          <!-- A HTTP/1.1 Connector on port 8082 -->
          <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                     port="8082" minProcessors="5" maxProcessors="100"
                     redirectPort="8443" enableLookups="true"
                     acceptCount="10" debug="0"
                     securityDomainName="java:/jaas/User-Basic-Authentication"
                     connectionTimeout="20000" useURIValidationHack="false"/>


          login-config.xml

          <application-policy name="User-Basic-Authentication">
            <authentication>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                            flag="required" />
            </authentication>
          </application-policy>



          • 2. Re: Losing my principals.
            Stéphane Vandenbussche Newbie

            Hi Jon,
            Have you tried adding the following

            <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>

            after the UsersRolesLoginModule?

            Doing this solved the same problem for me. I'm using a custom login module, however.

            Cheers,
            Stephane

            • 3. Re: Losing my principals.
              Jon Hurwitz Newbie

              Yes, Stephane; thanks for the suggestion. I had read that it was a solution for custom modules, but I've tried it nonetheless.

              Jon

              • 4. Re: Losing my principals.
                Scott Stark Master

                I would need to see an example that illustrates the EJB call. It sounds like you are making a call from an unsecured web component, or are clearing the security context through improper use of some security API. There have been issues fixed when one is interacting with some services like the RMI adaptor, so you could try 3.2.7 or 4.0.1sp1 to see if that is the issue.
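An added check for Scott's first hypothesis (editor's example; this is not code from the thread, from JBoss or from Struts): a Struts 1.x Action that inspects request.getUserPrincipal() before it touches the session facade. If the principal is null at this point, the action's URL is not covered by any security-constraint, so the container never authenticated the request and the EJB call will be made without a caller. The package, class name and forward name are assumptions; the "everyone" role is the one from the thread's web.xml.

```java
// Editor's example, not from the thread. Package and class name are assumed.
package example.web;

import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Fails closed when the web container has not authenticated the request.
 * A null principal here means the action URL (e.g. /something.do) is not
 * inside a security-constraint, so no security context exists on this
 * thread and a downstream session-EJB call cannot carry a caller.
 */
public class SecuredDispatchAction extends Action {

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        Principal caller = request.getUserPrincipal();
        if (caller == null) {
            // The container did not authenticate this request. Refuse rather
            // than calling the facade and debugging a missing principal later.
            servlet.log("No authenticated principal for " + request.getRequestURI()
                        + "; is this URL covered by a <security-constraint>?");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return null;
        }

        // Mirror the EJB method permission at the web tier ("everyone" is the
        // role from the thread) so a web.xml/ejb-jar.xml mismatch shows up here.
        if (!request.isUserInRole("everyone")) {
            servlet.log(caller.getName() + " lacks role 'everyone' for "
                        + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }

        servlet.log("Calling session facade as " + caller.getName());
        // The business delegate / session facade call belongs here; it runs
        // on the same thread, so JBoss propagates this caller to the EJB.
        return mapping.findForward("success");  // forward name assumed
    }
}
```

On the EJB side the same question can be asked with SessionContext.getCallerPrincipal() inside the facade method. If the web tier logs a principal and the bean still sees none, the loss is between the two containers (Scott's second possibility); if the web tier already logs null, the cause is the web-tier constraint.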

                • 5. Re: Losing my principals.
                  Jon Hurwitz Newbie

                  Ah, yes. I am making the call from an unsecured element. I'm using Struts, and the call is from the action class, through a service level facade, to the session EJB. Only the JSPs were defined as secured in the web collection.

                  If I secure everything in the web-collection (using url-pattern /*) the principal is recognized in the session ejb and is available to the next page, so it looks like that's the cause.

                  Thanks very much. I only wish I'd asked here last week before the dent in the wall made by my head had become so deep.


                  Cheers,

                  Jon
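The fix Jon found, written out as an added example (editor's, not from the thread): a web.xml constraint that covers the Struts action URLs as well as the JSPs, next to the *.jsp-only constraint from the original post. The user-data-constraint is an addition based on Jon's remark that his FORM login page uses SSL; it assumes an SSL connector is configured (the posted connector already has redirectPort="8443").

```xml
<!-- Editor's example, not from the thread. -->

<!-- BEFORE (from the thread): only JSPs are protected. A request to
     /anything.do runs the Action unauthenticated, so the session-EJB call
     made from it has no caller principal. -->
<!--
<security-constraint>
  <web-resource-collection>
    <web-resource-name>AllJSPs</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>everyone</role-name>
  </auth-constraint>
</security-constraint>
-->

<!-- AFTER: protect the whole application so the container authenticates
     before any Action runs and JBoss has a security context to propagate
     into the EJB. The narrower alternative is to list the action extension
     next to the JSPs:
       <url-pattern>*.jsp</url-pattern>
       <url-pattern>*.do</url-pattern>
     (assuming the Struts servlet is mapped to *.do). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>WholeApplication</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>everyone</role-name>
  </auth-constraint>
  <!-- BASIC sends credentials base64-encoded on every request and FORM sends
       them in clear text, so require SSL for the protected resources
       (assumes an SSL connector is configured). -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>User-Basic-Authentication</realm-name>
</login-config>

<security-role>
  <description>The role required to access restricted content</description>
  <role-name>everyone</role-name>
</security-role>
```

With /* every URL in the web application, including static resources, now requires a login; if some resources must stay public, the *.jsp plus *.do variant in the comment keeps them reachable while still authenticating before the Action executes.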

                  • 6. Re: Losing my principals.
                    Stéphane Vandenbussche Newbie

                    Hi,
                    I'm also using Struts, a business delegate layer, a ejb session facade layer etc.

                    I was wondering if the BASIC, FORM, DIGEST etc. configs were mandatory in order not to lose principals on the EJB side? I think not, but I'm not quite sure.

                    The Subject I retrieve after authentication is stored in the HttpSession by me and it stays there, so no problem on that part.

                    After successful user login, the first remote ejb call works well (according to defined role/method permissions in the ejb DD) and the ejb login module pushes the user role as expected.

                    The problem is the following:
                    On the second (and same) remote ejb call, principal and credential are still being passed, but my ejb login module is not being called anymore.

                    As a natural consequence, the role is not found (null) and a security exception is thrown by the ejb container.

                    Could this be somehow related to Jon's web config problem? (I doubt that.)


                    login-config.xml

                    <application-policy name="SiglesLogin">
                      <authentication>
                        <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
                        <login-module code="fr.paris.dsti.sigles.frontend.security.auth.SimpleLoginModule" flag="required"/>
                        <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
                      </authentication>
                    </application-policy>

                    <application-policy name="SiglesEjb">
                      <authentication>
                        <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                          <module-option name="multi-threaded">true</module-option>
                        </login-module>

                        <login-module code="fr.paris.dsti.sigles.frontend.security.auth.JBossEjbLoginModule" flag="required" />

                        <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                          <module-option name="multi-threaded">true</module-option>
                        </login-module>
                      </authentication>
                    </application-policy>



                    web.xml and jboss-web.xml
                    *** I did not configure any security in these files ***


                    jboss.xml
                    <security-domain>java:/jaas/SiglesEjb</security-domain>
                    ...plus role declaration and method permission...