13 Replies Latest reply on Jun 24, 2005 10:17 AM by Alec Missine

    Roles don't make it into Tomcat when using Windows

    Tim McCune Novice

      JBoss 4.0.1
      This is really bizarre. We've been using JAAS authentication with a variety of login modules for quite a while. Everything works fine under Linux. We have a new web app that needs to run on Windows. When we deploy the app on JBoss under Windows, the users can authenticate fine in Tomcat, but Tomcat loses all of the user's roles. I've tried this with a variety of login modules and a variety of web authentication methods (form, basic, etc.) Nothing works under Windows. It all works great under Linux. Any idea what's going on?? I turned on trace and debug and here's the relevant snippets of log messages when using the UsersRolesLoginModule and form-based authentication:

      Linux:
      2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
      2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
      2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
      2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session 'DFB505752D102F5142A3FA3F1E31425A'
      2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'blah' with type 'FORM'
      2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
      2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
      2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[blah(user,)]
      2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.realm.RealmBase] Username blah has role user
      2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints


      Windows:
      2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()^M
      2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions^M
      2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()^M
      2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session 'DA6B324054950D0C421CBAFC48061A1D'^M
      2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'blah' with type 'FORM'^M
      2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request^M
      2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()^M
      2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[blah()]^M
      2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.realm.RealmBase] Username blah does NOT have role user^M
      2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.realm.RealmBase] No role found: user^M
      2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test^M


      Notice that the GenericPrincipal that the RealmBase is checking on Linux looks like blah(user,) and the one on Windows looks like blah(). The "user" role is just vanishing on Windows.

      These 2 systems are using the EXACT same JBoss installation, server config, and war file. The only difference is the OS. I'm about to start digging into the source code but thought I'd post a plea for help here first.

        • 1. Re: Roles don't make it into Tomcat when using Windows
          Alec Missine Newbie

          Seems like I'm having the same issue with 4.0.2... Question: HOW DO I TURN ON TRACE AND DEBUG?

          "javajedi" wrote:
          JBoss 4.0.1
          This is really bizarre. We've been using JAAS authentication with a variety of login modules for quite a while. Everything works fine under Linux. We have a new web app that needs to run on Windows. When we deploy the app on JBoss under Windows, the users can authenticate fine in Tomcat, but Tomcat loses all of the user's roles. I've tried this with a variety of login modules and a variety of web authentication methods (form, basic, etc.) Nothing works under Windows. It all works great under Linux. Any idea what's going on?? I turned on trace and debug and here's the relevant snippets of log messages when using the UsersRolesLoginModule and form-based authentication:

          Linux:
          2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
          2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
          2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session 'DFB505752D102F5142A3FA3F1E31425A'
          2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'blah' with type 'FORM'
          2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
          2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
          2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[blah(user,)]
          2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.realm.RealmBase] Username blah has role user
          2005-06-09 12:03:55,997 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints


          Windows:
          2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()^M
          2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions^M
          2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()^M
          2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session 'DA6B324054950D0C421CBAFC48061A1D'^M
          2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'blah' with type 'FORM'^M
          2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request^M
          2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()^M
          2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[blah()]^M
          2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.realm.RealmBase] Username blah does NOT have role user^M
          2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.realm.RealmBase] No role found: user^M
          2005-06-09 11:34:26,433 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test^M


          Notice that the GenericPrincipal that the RealmBase is checking on Linux looks like blah(user,) and the one on Windows looks like blah(). The "user" role is just vanishing on Windows.

          These 2 systems are using the EXACT same JBoss installation, server config, and war file. The only difference is the OS. I'm about to start digging into the source code but thought I'd post a plea for help here first.


          • 2. Re: Roles don't make it into Tomcat when using Windows
            Tim McCune Novice

             

            <category name="org.jboss.security"><priority value="TRACE" class="org.jboss.logging.XLevel"/></category>
             <category name="org.apache.catalina"><priority value="DEBUG"/></category>
             <category name="org.apache.coyote"><priority value="DEBUG"/></category>


            Add those lines to /usr/local/jboss/server/default/conf/log4j.xml.

            • 3. Re: Roles don't make it into Tomcat when using Windows
              Alec Missine Newbie

              Thanks. It appears I am having the same issue on WXP, haven't tried it on Linux yet:

              2005-06-10 13:59:00,488 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'alec' authenticated, loginOk=true
              2005-06-10 13:59:00,488 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
              2005-06-10 13:59:00,488 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role admin
              2005-06-10 13:59:00,504 TRACE [org.jboss.security.plugins.JaasSecurityManager.asg] updateCache, subject=Subject:
              Principal: alec
              Principal: admins(members:admin)

              2005-06-10 13:59:00,504 TRACE [org.jboss.security.plugins.JaasSecurityManager.asg] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b9979b[Subject(9463139).principals=[alec, admins(members:admin)],credential.class=java.lang.String@27837671,expirationTime=1118428140473]
              2005-06-10 13:59:00,504 TRACE [org.jboss.security.plugins.JaasSecurityManager.asg] End isValid, true
              2005-06-10 13:59:00,504 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
              Principal: alec
              Principal: admins(members:admin)
              , principal=alec
              2005-06-10 13:59:00,504 TRACE [org.jboss.security.plugins.JaasSecurityManager.asg] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b9979b[Subject(9463139).principals=[alec, admins(members:admin)],credential.class=java.lang.String@27837671,expirationTime=1118428140473]
              2005-06-10 13:59:00,504 TRACE [org.jboss.security.plugins.JaasSecurityManager.asg] getUserRoles, subject: Subject:
              Principal: alec
              Principal: admins(members:admin)

              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'alec' was successful
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/TradingDemo/details.html'
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ??/TradingDemo/j_security_check
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is C0E46E89922DDAD58D406744F5144901
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /TradingDemo/details.html
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[All resources]' against GET /details.html --> true
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session 'C0E46E89922DDAD58D406744F5144901'
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'alec' with type 'FORM'
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[alec()]
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.realm.RealmBase] Username alec does NOT have role admin
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.realm.RealmBase] No role found: admin
              2005-06-10 13:59:00,519 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test

              • 4. Re: Roles don't make it into Tomcat when using Windows
                Alec Missine Newbie

                In my case (JBoss 4.0.2), it does not work on Linux either (please see the log below) - and this, hopefully, increases chances that the issue will be addressed (otherwise, both JBoss & Tomcat teams would just blame Windoze and that would be it)...

                2005-06-13 15:45:21,960 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'alec' authenticated, loginOk=true
                2005-06-13 15:45:21,974 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role admin
                2005-06-13 15:45:21,979 TRACE [org.jboss.security.plugins.JaasSecurityManager.asg] updateCache, subject=Subject:
                Principal: alec
                Principal: admins(members:admin)

                2005-06-13 15:45:21,980 TRACE [org.jboss.security.plugins.JaasSecurityManager.asg] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@1e193f2[Subject(12058647).principals=[alec, admins(members:admin)],credential.class=java.lang.String@13884241,expirationTime=1118693721929]
                2005-06-13 15:45:21,980 TRACE [org.jboss.security.plugins.JaasSecurityManager.asg] End isValid, true
                2005-06-13 15:45:21,986 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
                Principal: alec
                Principal: admins(members:admin)
                , principal=alec
                2005-06-13 15:45:21,991 TRACE [org.jboss.security.plugins.JaasSecurityManager.asg] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@1e193f2[Subject(12058647).principals=[alec, admins(members:admin)],credential.class=java.lang.String@13884241,expirationTime=1118693721929]
                2005-06-13 15:45:21,995 TRACE [org.jboss.security.plugins.JaasSecurityManager.asg] getUserRoles, subject: Subject:
                Principal: alec
                Principal: admins(members:admin)

                2005-06-13 15:45:22,004 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'alec' was successful
                2005-06-13 15:45:22,011 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[alec()]
                2005-06-13 15:45:22,011 DEBUG [org.apache.catalina.realm.RealmBase] Username alec does NOT have role admin
                2005-06-13 15:45:22,011 DEBUG [org.apache.catalina.realm.RealmBase] No role found: admin

                • 5. Re: Roles don't make it into Tomcat when using Windows
                  Alec Missine Newbie

                  I've fixed my bug, it stemmed from incorrect rolesQuery, DatabaseServerLoginModule, login-config.xml. The second column MUST have value 'Roles', as in jbossmq realm:

                  SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?

                  Thanks,

                  Alec

                  • 6. Re: Roles don't make it into Tomcat when using Windows
                    Tim McCune Novice

                    Congrats. :) Unfortunately, that doesn't help us.

                    • 7. Re: Roles don't make it into Tomcat when using Windows
                      Walter Newbie

                      what db you use?
                      what it is the data type of the field roles?

                      • 8. Re: Roles don't make it into Tomcat when using Windows
                        Tim McCune Novice

                        We're using Oracle, but it doesn't matter. The problem happens regardless of the login module I'm using. For instance, it happens with the users/roles login module, which is just reading from text files.

                        • 9. Re: Roles don't make it into Tomcat when using Windows
                          Alec Missine Newbie

                          I used DefaultDS, hypersonic. The DDL is below:

                          CREATE MEMORY TABLE ASG_ROLES(ID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL PRIMARY KEY,USERID VARCHAR(255),ROLE VARCHAR(255),ROLEGROUP VARCHAR(255))

                          CREATE MEMORY TABLE ASG_USERS(ID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL PRIMARY KEY,USERID VARCHAR(255),PASSWORD VARCHAR(255))

                          • 11. Re: Roles don't make it into Tomcat when using Windows
                            Walter Newbie

                            Guys, I had the same problem. My Database was SQL SERVER 2000 and the data type was char(32). The first problem is that data type should be varchar(32), because of the login module compare strings.
                            The second problem is that data value it does not have to contain blanks.

                            • 12. Re: Roles don't make it into Tomcat when using Windows
                              Scott Stark Master

                              None of the org.jboss.security tracing is showing up. Presumably the log is filtering to DEBUG? The loading of the roles is what needs to be debugged.

                              • 13. Re: Roles don't make it into Tomcat when using Windows
                                Alec Missine Newbie

                                Please take a look at the UserAccounts service I posted lately,

                                http://wiki.jboss.org/wiki/Wiki.jsp?page=UserAccounts

                                It provides for managing user accounts via JMX Console, and comes with a sample webapp that uses J2EE security. Works like charm!