2 Replies Latest reply on Aug 22, 2005 10:11 AM by Aarati Khandekar

    JBOSS basic auth login popped even after using only Custom L

    Aarati Khandekar Newbie

      Hello,
      I have implemented a Custom loginModule that sets the Subject with Principal and roles. In config file, for the security domain used by the application I have set only this Login Module and it's set to REQUIRED. However, after returning from my Login module I do not get direct access to protected resourse, am still prompted for Login.
      Am I missing something ?

      Thanks ,



        • 1. Re: JBOSS basic auth login popped even after using only Cust
          Aarati Khandekar Newbie

          Since the AuthenticatorBase was invoking the BASIC logging, I tried setting the request.userPrincipal in my valve. After doing this I now do not get the login prompt, however it fails with following exception:

          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /jmx-console/
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.jsp --> true
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /index.jsp --> true
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.authenticator.BasicAuthenticator] Already authenticated 'ORCLADMIN'
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
          2005-08-22 19:14:57,688 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles ORCLADMIN
          2005-08-22 19:14:57,688 ERROR [org.apache.catalina.connector.CoyoteAdapter] An exception or error occurred in the container during the request processing
          java.lang.NullPointerException
          at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.hasRole(JBossSecurityMgrRealm.java:286)
          at org.apache.catalina.realm.RealmBase.hasResourcePermission(RealmBase.java:763)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:464)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
          at my.sso.MyValve.invoke(MyValve.java:99)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
          at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:307)
          at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:385)
          at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:748)
          at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:678)
          at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:871)
          at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)


          Kindly guide what am i doing wrong/missing?

          • 2. Re: JBOSS basic auth login popped even after using only Cust
            Aarati Khandekar Newbie

            my loginmodule code is:

            /*
            * Test OSSO LoginModule
            */
            package my.sso;

            import java.security.Principal;
            import java.util.Map;
            import java.security.Principal;
            import java.security.acl.Group;


            import javax.security.auth.Subject;
            import javax.security.auth.callback.Callback;
            import javax.security.auth.callback.CallbackHandler;
            import javax.security.auth.callback.NameCallback;
            import javax.security.auth.callback.UnsupportedCallbackException;
            import javax.security.auth.login.FailedLoginException;
            import javax.security.auth.login.LoginException;

            import org.jboss.security.SimpleGroup;
            import org.jboss.security.SimplePrincipal;
            import org.jboss.security.Util;
            import org.jboss.security.auth.spi.AbstractServerLoginModule;



            /** An implementation of AbstractServerLoginModule that imposes
            * an identity == HeaderVar REMOTE_USER on
            * the login process.

            */
            public class OSSOLoginModule extends AbstractServerLoginModule
            {
            /** The login identity */
            private Principal identity;

            public OSSOLoginModule()
            {
            System.out.println("Inside OSSOLoginModule Constructor ");
            }
            public void initialize(Subject subject, CallbackHandler callbackHandler,
            Map sharedState, Map options)
            {
            super.initialize(subject, callbackHandler, sharedState, options);
            System.out.println("Inside OSSOLoginModule Initialize ");
            }

            /* Retrieve the Header value and set it as identity.
            */
            public boolean login() throws LoginException
            {

            System.out.println("Inside OSSOLoginModule Login ");
            super.loginOk = false;
            String username = getUsernameFromCallback();
            if( username == null )
            {
            System.out.println("No username retrieved");
            }

            if( identity == null )
            {
            try
            {
            identity = createIdentity(username);
            System.out.println("Identity created in login");
            }
            catch(Exception e)
            {
            System.out.println("Failed to create principal");
            throw new LoginException("Failed to create principal: "+ e.getMessage());
            }


            }

            if( getUseFirstPass() == true )
            { // Add the username and password to the shared state map
            sharedState.put("javax.security.auth.login.name", username);

            }
            super.loginOk = true;
            System.out.println("User '" + identity + "' authenticated, loginOk="+loginOk);
            return true;
            }

            /* Set dummy roles.Called during commit */
            protected Principal getIdentity()
            {
            System.out.println("Inside getIdentity, returned is" + identity);
            return identity;
            }

            protected String getUsername()
            {
            String username = null;
            if( getIdentity() != null )
            username = getIdentity().getName();
            System.out.println("User in getUsername is '" + username);
            return username;
            }

            /** Called by login() to acquire the username
            authentication. This method does no validation of either.
            @return String, username
            @exception LoginException thrown if CallbackHandler is not set or fails.
            */
            protected String getUsernameFromCallback() throws LoginException
            {
            String username = null;
            // Get username
            if( callbackHandler == null )
            {
            throw new LoginException("Error: no CallbackHandler available " +
            "to collect authentication information");
            }
            NameCallback nc = new NameCallback("User name:");
            Callback[] callbacks = {nc};

            try
            {
            callbackHandler.handle(callbacks);
            username = nc.getName();
            System.out.println("Username set from callback is " + username);

            }
            catch(java.io.IOException ioe)
            {
            throw new LoginException(ioe.toString());
            }
            catch(UnsupportedCallbackException uce)
            {
            throw new LoginException("CallbackHandler does not support: " + uce.getCallback());
            }
            return username;
            }
            /* Set dummy roles.Called during commit */

            protected Group[] getRoleSets()
            {
            SimpleGroup roles = new SimpleGroup("Roles");
            Group[] roleSets = {roles};
            roles.addMember(new SimplePrincipal("JBossAdmin"));
            roles.addMember(new SimplePrincipal("HttpInvoker"));
            roles.addMember(new SimplePrincipal("Role2"));
            System.out.println("Inside getRoleSets");
            return roleSets;
            }

            }


            And my Valve code is:

            package my.sso;

            import java.io.IOException;
            import java.util.Enumeration;
            import java.util.Set;

            import javax.servlet.ServletException;
            import javax.servlet.http.HttpSession;
            import javax.servlet.http.HttpServletRequest;
            import javax.security.auth.login.LoginContext;
            import javax.security.auth.login.LoginException;
            import javax.security.auth.Subject;
            import java.security.Principal;
            import org.jboss.security.SimplePrincipal;
            import java.security.acl.Group;

            import org.apache.catalina.connector.Request;
            import org.apache.catalina.connector.Response;


            import org.apache.catalina.valves.ValveBase;


            public class MyValve
            extends ValveBase
            {

            private boolean isPresent;


            public void invoke(Request request, Response response)
            throws IOException, ServletException
            {

            boolean flag;

            String username1 = request.getRemoteUser();
            //Using getAttribute
            String remoteAttr = (String)request.getAttribute("REMOTE_USER");

            System.out.println("Enter, REMOTE_USER="+ username1);
            System.out.println("REMOTE_USER as attribute is"+ remoteAttr);

            System.out.println("jmx-consoletest");
            try {
            OSSOUsernameHandler handler = new OSSOUsernameHandler(remoteAttr);
            if (handler == null)
            {
            System.out.println("handler is null");
            }
            System.out.println("handler is not null");
            LoginContext lc = new LoginContext("jmx-consoletest", handler);
            if (lc == null)
            {
            System.out.println("lc is null");
            }
            System.out.println("lc is not null");
            lc.login();
            Subject subject = lc.getSubject();
            if (subject == null)
            {
            System.out.println("subject is null");
            }
            System.out.println("subject is not null");
            Set groups = subject.getPrincipals(Group.class);

            Group roles = (Group) groups.iterator().next();
            flag = roles.isMember(new SimplePrincipal("JBossAdmin"));
            System.out.println("flag is" + flag);
            flag = roles.isMember(new SimplePrincipal("JBossAdmin1"));
            System.out.println("flag 1s" + flag);
            request.setUserPrincipal(new SimplePrincipal(remoteAttr));
            String name = request.getUserPrincipal().getName();
            System.out.println("name is" + name);
            } catch(LoginException e) {
            ;
            }

            getNext().invoke(request, response);

            }

            }


            I have spent couple of days on this, your help is highly appreciated.