10 Replies Latest reply on Aug 24, 2005 3:33 PM by ahardy66

    JBoss not setting up application-policy entries

    ahardy66 Novice

      I recently upgraded from 3.x to 4.0.2, and migrated my main app. One of the changes from 3.x is that the jaas.conf file was dropped and replaced with the login-config.xml.

      So I set up my new login-config.xml as below, but JBoss is not setting up the application-policy I need, resulting in the whole login process falling over when I test the login. See below for the logging output showing which JAAS policies it is loading.

      As you see below, I only have my realm in login-context (GargantusRealm) and the obligatory HsqlDbRealm. I have grep'd/searched for the JmsXARealm policy config in the JBoss directories, but found nothing. Where iis it coming from?

      If I put badly-formed XML in my login-config.xml, then JBoss throws an exception, so I can see that it is reading the xml for my realm, it is just not loading it into the java:/jaas JNDI.

      When I run the example app which uses a different conf directory, JBoss loads example1 and example2 without problems, so I am at a loss.

      This is related to another thread, but I needed to rename the title to make it relevant. Here's the other thread: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=66517
      where you can see the stack trace from the exception if you think it's relevant.

      And here's the login-config:

      <?xml version='1.0'?>
      <!DOCTYPE policy PUBLIC
       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
      
      <policy>
       <!-- GargantusRealm -->
       <application-policy name="GargantusRealm">
       <authentication>
       <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
       flag = "required">
       <module-option name = "principal">sa</module-option>
       <module-option name = "userName">sa</module-option>
       <module-option name = "password"></module-option>
       <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- Security domains for testing new jca framework -->
       <application-policy name = "HsqlDbRealm">
       <authentication>
       <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
       flag = "required">
       <module-option name = "principal">sa</module-option>
       <module-option name = "userName">sa</module-option>
       <module-option name = "password"></module-option>
       <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
      </policy>
      


      and here's the logging output from JBoss where I can see it's not loading the right application policies:
      +- jaas (class: javax.naming.Context)
       | +- JmsXARealm (class: org.jboss.security.plugins.SecurityDomainContext)
       | +- jbossmq (class: org.jboss.security.plugins.SecurityDomainContext)
       | +- HsqlDbRealm (class: org.jboss.security.plugins.SecurityDomainContext)
      


        • 1. please see other thread......
          ahardy66 Novice

          New thread: JBoss not setting up application-policy entries


          • 2. Re: JBoss not setting up application-policy entries
            ahardy66 Novice

            In case it's not clear, please ignore the bottom 2 posts here - the question is still VERY valid!

            thanks
            Adam

            • 3. Re: JBoss not setting up application-policy entries
              Scott Stark Master

              trace level logging of the security category is needed and should be used to debug all security issues.

               <category name="org.jboss.security">
               <priority value="TRACE" class="org.jboss.logging.XLevel"/>
               </category>
              



              • 4. Re: JBoss not setting up application-policy entries
                ahardy66 Novice

                Hi Scott,
                thanks for the info.

                However even with trace level logging configured, there is no information being logged that might reveal why my Realm is not being set up.

                I dislike reading posts myself that have huge amounts of logging output, but I can't think of what else to do.

                I reduced a bit of the output by filtering out o.j.security.jacc.JBossPolicyConfiguration and o.j.security.plugins.JaasSecurityManager.HsqlDbRealm which produced over 100 lines on their own.

                =========================================================================
                
                 JBoss Bootstrap Environment
                
                 JBOSS_HOME: /home/java/jboss-4.0.2
                
                 JAVA: /home/java/jdk1.5.0_03/bin/java
                
                 JAVA_OPTS: -server -Xms128m -Xmx128m -Dprogram.name=run.sh
                
                 CLASSPATH: /home/java/jboss-4.0.2/bin/run.jar:/home/java/jdk1.5.0_03/lib/tools.jar
                
                =========================================================================
                
                17:05:45,459 INFO [Server] Starting JBoss (MX MicroKernel)...
                17:05:45,460 INFO [Server] Release ID: JBoss [Zion] 4.0.2 (build: CVSTag=JBoss_4_0_2 date=200505022023)
                17:05:45,461 INFO [Server] Home Dir: /home/java/jboss-4.0.2
                17:05:45,589 INFO [Server] Home URL: file:/home/java/jboss-4.0.2/
                17:05:45,590 INFO [Server] Library URL: file:/home/java/jboss-4.0.2/lib/
                17:05:45,591 INFO [Server] Patch URL: null
                17:05:45,724 INFO [Server] Server Name: default
                17:05:45,725 INFO [Server] Server Home Dir: /home/java/jboss-4.0.2/server/default
                17:05:45,725 INFO [Server] Server Home URL: file:/home/java/jboss-4.0.2/server/default/
                17:05:45,857 INFO [Server] Server Data Dir: /home/java/jboss-4.0.2/server/default/data
                17:05:45,857 INFO [Server] Server Temp Dir: /home/java/jboss-4.0.2/server/default/tmp
                17:05:45,858 INFO [Server] Server Config URL: file:/home/java/jboss-4.0.2/server/default/conf/
                17:05:45,858 INFO [Server] Server Library URL: file:/home/java/jboss-4.0.2/server/default/lib/
                17:05:45,991 INFO [Server] Root Deployment Filename: jboss-service.xml
                17:05:46,125 INFO [Server] Starting General Purpose Architecture (GPA)...
                17:05:47,368 INFO [ServerInfo] Java version: 1.5.0_03,Sun Microsystems Inc.
                17:05:47,368 INFO [ServerInfo] Java VM: Java HotSpot(TM) Server VM 1.5.0_03-b07,Sun Microsystems Inc.
                17:05:47,369 INFO [ServerInfo] OS-System: Linux 2.6.12.3,i386
                17:05:48,964 INFO [Server] Core system initialized
                17:05:55,049 INFO [Log4jService$URLWatchTimerTask] Configuring from URL: resource:log4j.xml
                INFO [org.jboss.web.WebService] Using RMI server codebase: http://gondor:8083/
                DEBUG [org.jboss.security.plugins.SecurityConfig] Creating jboss.security:service=SecurityConfig
                DEBUG [org.jboss.security.plugins.SecurityConfig] Created jboss.security:service=SecurityConfig
                DEBUG [org.jboss.security.auth.login.XMLLoginConfig] Creating jboss.security:service=XMLLoginConfig
                DEBUG [org.jboss.security.auth.login.XMLLoginConfig] Created jboss.security:service=XMLLoginConfig
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Creating jboss.security:service=JaasSecurityManager
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created jboss.security:service=JaasSecurityManager
                DEBUG [org.jboss.security.plugins.SecurityConfig] Starting jboss.security:service=SecurityConfig
                DEBUG [org.jboss.security.plugins.SecurityConfig] Installed JAAS Configuration service=jboss.security:service=XMLLoginConfig, config=org.jboss.security.auth.login.XMLLoginConfigImpl@165b7e
                DEBUG [org.jboss.security.plugins.SecurityConfig] Started jboss.security:service=SecurityConfig
                DEBUG [org.jboss.security.auth.login.XMLLoginConfig] Starting jboss.security:service=XMLLoginConfig
                TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin loadConfig, loginConfigURL=file:/home/java/jboss-4.0.2/server/default/conf/login-config.xml
                DEBUG [org.jboss.security.auth.login.XMLLoginConfigImpl] Try loading config as XML, url=file:/home/java/jboss-4.0.2/server/default/conf/login-config.xml
                TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End loadConfig, loginConfigURL=file:/home/java/jboss-4.0.2/server/default/conf/login-config.xml
                DEBUG [org.jboss.security.auth.login.XMLLoginConfig] Started jboss.security:service=XMLLoginConfig
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Starting jboss.security:service=JaasSecurityManager
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] securityMgrCtxPath=java:/jaas
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] cachePolicyCtxPath=java:/timedCacheFactory
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] SecurityProxyFactory=org.jboss.security.SubjectSecurityProxyFactory@73305c
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Started jboss.security:service=JaasSecurityManager
                INFO [org.jboss.web.tomcat.tc5.StandardService] Starting service jboss.web
                TRACE [org.jboss.security.jacc.DelegatingPolicy] Loaded JACC permissions: true
                INFO [org.jboss.web.tomcat.tc5.TomcatDeployer] deploy, ctxPath=/invoker, warUrl=file:/home/java/jboss-4.0.2/server/default/deploy/http-invoker.sar/invoker.war/
                INFO [org.jboss.web.tomcat.tc5.TomcatDeployer] deploy, ctxPath=/ws4ee, warUrl=file:/home/java/jboss-4.0.2/server/default/tmp/deploy/tmp28960jboss-ws4ee.war/INFO [org.jboss.web.tomcat.tc5.TomcatDeployer] deploy, ctxPath=/, warUrl=file:/home/java/jboss-4.0.2/server/default/deploy/jbossweb-tomcat55.sar/ROOT.war/
                INFO [org.jboss.web.tomcat.tc5.TomcatDeployer] deploy, ctxPath=/jbossmq-httpil, warUrl=file:/home/java/jboss-4.0.2/server/default/deploy/jms/jbossmq-httpil.sar/jbossmq-httpil.war/
                INFO [org.jboss.web.tomcat.tc5.TomcatDeployer] deploy, ctxPath=/web-console, warUrl=file:/home/java/jboss-4.0.2/server/default/deploy/management/console-mgr.sar/web-console.war/
                TRACE [org.jboss.security.plugins.JaasSecurityManager] Constructing
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@170119f
                DEBUG [org.jboss.security.plugins.JaasSecurityManager.JmsXARealm] CachePolicy set to: org.jboss.util.TimedCachePolicy@1b9da92
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@1b9da92
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added JmsXARealm, org.jboss.security.plugins.SecurityDomainContext@bcc8f4 to map
                TRACE [org.jboss.security.plugins.JaasSecurityManager] Constructing
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@17a7adf
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@18fa85
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added HsqlDbRealm, org.jboss.security.plugins.SecurityDomainContext@1e758ca to map
                TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(HsqlDbRealm), size=2
                TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(HsqlDbRealm), authInfo=AppConfigurationEntry[]:
                [0]
                LoginModule Class: org.jboss.resource.security.ConfiguredIdentityLoginModule
                ControlFlag: LoginModuleControlFlag: required
                Options:name=managedConnectionFactoryName, value=jboss.jca:service=LocalTxCM,name=DefaultDS
                name=password, value=
                name=userName, value=sa
                name=principal, value=sa
                
                TRACE [org.jboss.security.plugins.JaasSecurityManager] Constructing
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@19d96b1
                DEBUG [org.jboss.security.plugins.JaasSecurityManager.jbossmq] CachePolicy set to: org.jboss.util.TimedCachePolicy@1104da7
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@1104da7
                DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added jbossmq, org.jboss.security.plugins.SecurityDomainContext@15a3a92 to map
                INFO [org.jboss.web.tomcat.tc5.TomcatDeployer] deploy, ctxPath=/, warUrl=file:/home/java/jboss-4.0.2/server/default/tmp/deploy/tmp29006garg-web.war/
                INFO [org.jboss.web.tomcat.tc5.TomcatDeployer] deploy, ctxPath=/jmx-console, warUrl=file:/home/java/jboss-4.0.2/server/default/deploy/jmx-console.war/
                INFO [org.jboss.deployment.EARDeployer] Init J2EE application: file:/home/java/jboss-4.0.2/server/default/deploy/garg-ear-1.0-SNAPSHOT.ear
                INFO [org.jboss.deployment.EARDeployer] Started J2EE application: file:/home/java/jboss-4.0.2/server/default/deploy/garg-ear-1.0-SNAPSHOT.ear
                INFO [org.jboss.system.server.Server] JBoss (MX MicroKernel) [4.0.2 (build: CVSTag=JBoss_4_0_2 date=200505022023)] Started in 55s:452ms
                


                • 5. Re: JBoss not setting up application-policy entries
                  Scott Stark Master

                  Then create a bug report with the full login-config.xml in jira:
                  http://jira.jboss.com/jira/browse/JBAS

                  • 6. Re: JBoss not setting up application-policy entries
                    Pavnit Bhatia Newbie

                    Guys,

                    Is there a new patch out there or has this been resolved. I cannot move forward without this fix as I am unable to login at all.


                    Please advise!

                    Thanks
                    G

                    • 7. Re: JBoss not setting up application-policy entries
                      ahardy66 Novice

                      I doubt it's been resolved at this point in time, since I haven't even got around to submitting a bug report for it yet :O

                      So you've got exactly this problem then? An entry in the login-config.xml that doesn't show up in the JNDI jaas java namespace?

                      I will log it tomorrow, but I'll see if I can compile JBoss from source, wtih a few extra loggging statements in the appropriate implementation class.

                      • 8. Re: JBoss not setting up application-policy entries
                        Pavnit Bhatia Newbie

                        I am not sure where to look at in jmx-console for that entry but I am getting the same error message as yours. Look at the thread below:

                        http://www.jboss.com/index.html?module=bb&op=viewtopic&t=67479

                        But I checked the source code for org.jboss.security.plugins.JaasSecurityManagerService.java in jbosssx.jar library of jboss-4.0.2\server\default\lib.

                        It seems like it is failing at following line with NullPointerException:
                        Constructor ctor = securityMgrClass.getConstructor(parameterTypes);

                        This is under method newSecurityDomainCtx.

                        The question is WHY? Maybe it is unable to instantiate org.jboss.security.plugins.JaasSecurityManager.

                        The same setting works if I do not use j_security_check and process the login using standard method of loginContext (as explained in the above mentioned thread)

                        Galoch

                        • 9. Re: JBoss not setting up application-policy entries
                          ahardy66 Novice

                          Easy to find on jmx-console:

                          log in to http://localhost:8080/jmx-console/

                          click on link to service=JNDIView

                          click on button 'Invoke' to MBean operation String list()

                          look in the java: Namespace section, under the jaas branch, on my server the section looks like this:

                           +- XAConnectionFactory (class: org.jboss.mq.SpyXAConnectionFactory)
                           +- DefaultDS (class: javax.sql.DataSource)
                           +- SecurityProxyFactory (class: org.jboss.security.SubjectSecurityProxyFactory)
                           +- DefaultJMSProvider (class: org.jboss.jms.jndi.JNDIProviderAdapter)
                           +- comp (class: javax.naming.Context)
                           +- ConnectionFactory (class: org.jboss.mq.SpyConnectionFactory)
                           +- jdbc (class: org.jnp.interfaces.NamingContext)
                           | +- SurveyDS (class: javax.sql.DataSource)
                           | +- RealmDS (class: javax.sql.DataSource)
                           | +- LinklibDS (class: javax.sql.DataSource)
                           | +- UserDS (class: javax.sql.DataSource)
                           +- JmsXA (class: org.jboss.resource.adapter.jms.JmsConnectionFactoryImpl)
                           +- jaas (class: javax.naming.Context)
                           | +- JmsXARealm (class: org.jboss.security.plugins.SecurityDomainContext)
                           | +- jbossmq (class: org.jboss.security.plugins.SecurityDomainContext)
                           | +- HsqlDbRealm (class: org.jboss.security.plugins.SecurityDomainContext)
                           +- timedCacheFactory (class: javax.naming.Context)
                          Failed to lookup: timedCacheFactory, errmsg=org.jboss.util.TimedCachePolicy
                           +- TransactionPropagationContextExporter
                           +- StdJMSPool (class: org.jboss.jms.asf.StdServerSessionPoolFactory)
                           +- Mail (class: javax.mail.Session)
                           +- TransactionPropagationContextImporter
                           +- TransactionManager (class: org.jboss.tm.TxManager)
                          


                          I looked at that code as well, it's obviously within that, the line of logging output points in that direction too:

                          TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin loadConfig, loginConfigURL=file:/home
                          /java/jboss-4.0.2/server/default/conf/login-config.xml
                          


                          but I also did a few experiments trying to get setup other application-policies, using JBoss examples and I couldn't get them to work in the 'default' server. The only application-policies that JBoss will read for me are from the example app which sets up a complete new directory in the server dir. Confusing.

                          Basically though my guess is that a big nasty exception is getting swallowed up without any log output, and that's where the answer will be.

                          I'm pretty snowed under this weekend but I'll try to get onto it ASAP. Obviously if you do first, make sure you report back!

                          Good luck (and for me!)