0 Replies Latest reply on Sep 27, 2005 7:59 PM by Paul Bemowski

    JBoss/Tomcat BASIC authentication with JAAS fails to respect

    Paul Bemowski Newbie

      All -

      I've been fighting and googling galore, and it seems that this problem may have been posted before, but never solved.

      I'm running standard JBoss 4.0.1 (though I've duplicated the problem on 4.0.2 and 4.0.3sp2). I've enabled BASIC authentication on the jmx-console (and I've also tried on another small sample webapp) as explained in the comments of the various configuration files. Here are the relevant sections:

      From jboss/conf/login-config.xml:

      <application-policy name = "jmx-console">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required">
       <module-option name="usersProperties">jmx-console-users.properties</module-option>
       <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
       </login-module>
       </authentication>
       </application-policy>


      From deploy/jmx-console.war/WEB-INF/jboss-web.xml:
      <jboss-web>
       <!-- Uncomment the security-domain to enable security. You will
       need to edit the htmladaptor login configuration to setup the
       login modules used to authentication users.-->
       <security-domain>java:/jaas/jmx-console</security-domain>
      </jboss-web>


      And finally from deploy/jmx-console.war/WEB-INF/jboss-web.xml:
      <!-- A security constraint that restricts access to the HTML JMX console
       to users with the role JBossAdmin. Edit the roles to what you want and
       uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
       secured access to the HTML JMX console. -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
       role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
       <role-name>JBossAdmin</role-name>
       </auth-constraint>
       </security-constraint>
       <!-- -->
      
       <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>JBoss JMX Console</realm-name>
       </login-config>
      
       <security-role>
       <role-name>JBossAdmin</role-name>
       </security-role>

      ===================

      I've also enabled trace logging on the relevant packages:
      <category name="org.jboss.security">
       <priority value="TRACE" class="org.jboss.logging.XLevel"/>
       <appender-ref ref="BEMO"/>
       </category>
      
       <category name="org.apache.catalina">
       <priority value="TRACE" class="org.jboss.logging.XLevel"/>
       <appender-ref ref="BEMO"/>
       </category>
      
       <category name="org.apache.coyote">
       <priority value="TRACE" class="org.jboss.logging.XLevel"/>
       <appender-ref ref="BEMO"/>
       </category>
      

      Ok. Now, I try to access the console, and I am prompted for username/password via the standard HTTP BASIC authentiation system.

      When I enter an invalid password, it fails, and prompts again for the username and password.

      Here is the problem. The authentication system ALLOWS the login, then denies access to the JMX console because in theory the user does not have the appropriate role:
      2005-09-27 19:57:38,429 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
      2005-09-27 19:57:38,429 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] User 'admin' authenticated, loginOk=true
      2005-09-27 19:57:38,430 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=true
      2005-09-27 19:57:38,430 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] updateCache, subject=Subject:
       Principal: admin
       Principal: Roles(members:JBossAdmin,HttpInvoker)
      
      2005-09-27 19:57:38,431 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@5d3ac0[Subject(12333359).principals=[admin, Roles(members:JBossAdmin,HttpInvoker)],credential.class=[C@1440568,expirationTime=1127867258422]
      2005-09-27 19:57:38,431 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] End isValid, true
      2005-09-27 19:57:38,432 TRACE [org.jboss.security.SecurityAssociation] setPrincipal, p=admin, server=true
      2005-09-27 19:57:38,485 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@5d3ac0[Subject(12333359).principals=[admin, Roles(members:JBossAdmin,HttpInvoker)],credential.class=[C@1440568,expirationTime=1127867258422]
      2005-09-27 19:57:38,485 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'admin' with type 'BASIC'
      2005-09-27 19:57:38,486 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
      2005-09-27 19:57:38,486 DEBUG [org.apache.catalina.realm.RealmBase] Checking roles GenericPrincipal[admin()]
      2005-09-27 19:57:38,486 DEBUG [org.apache.catalina.realm.RealmBase] Username admin does NOT have role JBossAdmin
      2005-09-27 19:57:38,487 DEBUG [org.apache.catalina.realm.RealmBase] No role found: JBossAdmin
      2005-09-27 19:57:38,487 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test
      
      


      Can anyone help me?

      Paul Bemowski