0 Replies Latest reply on Sep 30, 2005 8:45 AM by Michael Small

    org.apache.catalina.authenticator.AuthenicatorBase Failed au

    Michael Small Newbie

      Using JAAS container authentication and authorization, I'm getting very strange results. If I request a protected resource (as defined by security-constraints in my web.xml), I am correctly taken to my login page. After entering valid credentials, I pass a FormAuthenticator authentication but appear to fail in the AuthenticatorBase authentication. Below is the logging from my server.log (I've bolded the section that I believe is causing the problem). Any idea my this authenticate fails (especially since FormAuthenticator succeeds)? Note that I'm using a custom LoginModule. I don't believe, however, that is the problem because it works well accessing my EJBs directly.

      2005-09-30 07:25:14,776 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] defaultLogin, lc=javax.security.auth.login.LoginContext@1132f26, subject=Subject(8169456).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members)))
      2005-09-30 07:25:14,777 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] updateCache, inputSubject=Subject(8169456).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members))), cacheSubject=Subject(27024614).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members)))
      2005-09-30 07:25:14,777 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@971e9d[Subject(27024614).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members))),credential.class=java.lang.String@31664352,expirationTime=1128083092930]
      2005-09-30 07:25:14,777 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] End isValid, true
      2005-09-30 07:25:14,777 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: woper_testuser01 is authenticated
      2005-09-30 07:25:14,778 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
       Principal: com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]
       Principal: CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])
       Principal: Roles(members:TascForce(members))
      , principal=woper_testuser01
      2005-09-30 07:25:14,779 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@971e9d[Subject(27024614).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members))),credential.class=java.lang.String@31664352,expirationTime=1128083092930]
      2005-09-30 07:25:14,779 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Mapped from input principal: woper_testuser01to: com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]
      2005-09-30 07:25:14,779 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] getUserRoles, subject: Subject:
       Principal: com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]
       Principal: CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])
       Principal: Roles(members:TascForce(members))
      
      2005-09-30 07:25:14,779 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] End authenticate, principal=GenericPrincipal[4310000-0000162(TascForce,)]
      2005-09-30 07:25:14,779 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'woper_testuser01' was successful
      2005-09-30 07:25:14,779 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/tasconline/app/main.faces'
      2005-09-30 07:25:14,779 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ??/tasconline/app/j_security_check
      2005-09-30 07:25:14,779 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SessionID: 206E313AE6C29507AFAF738D53B62DA2
      2005-09-30 07:25:14,780 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SecurityAssociation.exception: null
      2005-09-30 07:25:14,780 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Exit, username: woper_testuser01
      2005-09-30 07:25:14,785 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 206E313AE6C29507AFAF738D53B62DA2
      2005-09-30 07:25:14,786 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Enter, j_username=null
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /tasconline/app/main.faces
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[General Secured Resources]' against GET /app/main.faces --> true
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[TascForce Secured Resources]' against GET /app/main.faces --> false
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Provider Secured Resources]' against GET /app/main.faces --> false
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Client Secured Resources]' against GET /app/main.faces --> false
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Participant Secured Resources]' against GET /app/main.faces --> false
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
      2005-09-30 07:25:14,786 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] hasUserDataPermission, p=(javax.security.jacc.WebUserDataPermission /app/main.faces GET)
      2005-09-30 07:25:14,787 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] Denied: (javax.security.jacc.WebUserDataPermission /app/main.faces GET)
      2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
      2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
      2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session '206E313AE6C29507AFAF738D53B62DA2'
      2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated '4310000-0000162' with type 'FORM'
      2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
      2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
      2005-09-30 07:25:14,787 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] No active subject found, using
      2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] Denied: (javax.security.jacc.WebResourcePermission /app/main.faces GET)
      2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] hasResourcePermission, perm=(javax.security.jacc.WebResourcePermission /app/main.faces GET), allowed=false
      2005-09-30 07:25:14,788 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test
      2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SessionID: 206E313AE6C29507AFAF738D53B62DA2
      2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SecurityAssociation.exception: null
      2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Exit, username: null
      2005-09-30 07:25:15,045 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1128083115045 sessioncount 0
      2005-09-30 07:25:15,045 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
      


      My web.xml:

      <?xml version="1.0"?>
      <!--
       * Copyright 2004 The Apache Software Foundation.
       *
       * Licensed under the Apache License, Version 2.0 (the "License");
       * you may not use this file except in compliance with the License.
       * You may obtain a copy of the License at
       *
       * http://www.apache.org/licenses/LICENSE-2.0
       *
       * Unless required by applicable law or agreed to in writing, software
       * distributed under the License is distributed on an "AS IS" BASIS,
       * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
       * See the License for the specific language governing permissions and
       * limitations under the License.
       *
       * UPDATED: Marty Hall changed to use .faces suffix,
       * faces-config.xml filename, servlets 2.4,. and extensions filter.
       * See JSF tutorial at http://www.coreservlets.com/.
      -->
      
      <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
       version="2.4">
      
       <context-param>
       <param-name>javax.faces.CONFIG_FILES</param-name>
       <param-value>
       /WEB-INF/faces-config.xml
       </param-value>
       <description>
       Comma separated list of URIs of (additional) faces config files.
       (e.g. /WEB-INF/my-config.xml)
       See JSF 1.0 PRD2, 10.3.2
       </description>
       </context-param>
      
       <context-param>
       <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
       <param-value>client</param-value>
       <description>
       State saving method: "client" or "server" (= default)
       See JSF Specification 2.5.2
       </description>
       </context-param>
      
       <context-param>
       <param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
       <param-value>true</param-value>
       <description>
       This parameter tells MyFaces if javascript code should be allowed in the
       rendered HTML output.
       If javascript is allowed, command_link anchors will have javascript code
       that submits the corresponding form.
       If javascript is not allowed, the state saving info and nested parameters
       will be added as url parameters.
       Default: "true"
       </description>
       </context-param>
      
       <context-param>
       <param-name>org.apache.myfaces.PRETTY_HTML</param-name>
       <param-value>true</param-value>
       <description>
       If true, rendered HTML code will be formatted, so that it is "human readable".
       i.e. additional line separators and whitespace will be written, that do not
       influence the HTML code.
       Default: "true"
       </description>
       </context-param>
      
       <context-param>
       <param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
       <param-value>false</param-value>
       </context-param>
      
       <context-param>
       <param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
       <param-value>true</param-value>
       <description>
       If true, a javascript function will be rendered that is able to restore the
       former vertical scroll on every request. Convenient feature if you have pages
       with long lists and you do not want the browser page to always jump to the top
       if you trigger a link or button action that stays on the same page.
       Default: "false"
       </description>
       </context-param>
      
       <!-- Listener, that does all the startup work (configuration, init). -->
       <listener>
       <listener-class>org.apache.myfaces.webapp.StartupServletContextListener</listener-class>
       </listener>
      
       <!-- Faces Servlet
       Marty Hall: changed .jsf back to standard of .faces -->
       <servlet>
       <servlet-name>Faces Servlet</servlet-name>
       <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
       <load-on-startup>1</load-on-startup>
       </servlet>
       <servlet-mapping>
       <servlet-name>Faces Servlet</servlet-name>
       <url-pattern>*.faces</url-pattern>
       </servlet-mapping>
      
       <!-- Extensions Filter
       Marty Hall: pasted this in from myfaces-examples; it is needed for custom components
       that use JavaScript. Note that url-pattern of filter-mapping must match the
       url-pattern of servlet-mapping above. So, if you change from .faces to .jsf,
       change BOTH url-pattern entries. -->
       <filter>
       <filter-name>extensionsFilter</filter-name>
       <filter-class>org.apache.myfaces.component.html.util.ExtensionsFilter</filter-class>
       <init-param>
       <param-name>uploadMaxFileSize</param-name>
       <param-value>100m</param-value>
       <description>Set the size limit for uploaded files.
       Format: 10 - 10 bytes
       10k - 10 KB
       10m - 10 MB
       1g - 1 GB
       </description>
       </init-param>
       <init-param>
       <param-name>uploadThresholdSize</param-name>
       <param-value>100k</param-value>
       <description>Set the threshold size - files
       below this limit are stored in memory, files above
       this limit are stored on disk.
       Format: 10 - 10 bytes
       10k - 10 KB
       10m - 10 MB
       1g - 1 GB
       </description>
       </init-param>
       </filter>
       <filter-mapping>
       <filter-name>extensionsFilter</filter-name>
       <url-pattern>*.faces</url-pattern>
       </filter-mapping>
       <filter-mapping>
       <filter-name>extensionsFilter</filter-name>
       <url-pattern>/faces/*</url-pattern>
       </filter-mapping>
      
       <!-- Security Constraint for resources used by all the different
       possible roles -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>General Secured Resources</web-resource-name>
       <url-pattern>/app/main.faces</url-pattern>
       <url-pattern>/app/main.jsp</url-pattern>
       <url-pattern>/app/common/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>TascForce</role-name>
       <role-name>Provider</role-name>
       <role-name>Client</role-name>
       <role-name>Participant</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <!-- Security Constraint for TascForce resources -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>TascForce Secured Resources</web-resource-name>
       <url-pattern>/app/tascforce/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>TascForce</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <!-- Security Constraint for Provider resources -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Provider Secured Resources</web-resource-name>
       <url-pattern>/app/provider/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>TascForce</role-name>
       <role-name>Provider</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <!-- Security Constraint for Client resources -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Client Secured Resources</web-resource-name>
       <url-pattern>/app/client/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>TascForce</role-name>
       <role-name>Provider</role-name>
       <role-name>Client</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <!-- Security Constraint for Participant resources -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Participant Secured Resources</web-resource-name>
       <url-pattern>/app/participant/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>TascForce</role-name>
       <role-name>Provider</role-name>
       <role-name>Client</role-name>
       <role-name>Participant</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <!-- Login Configuration - lists the type of authentication method
       and the pages used for login -->
       <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>TASCSystem - JAAS</realm-name>
       <form-login-config>
       <form-login-page>/security/login.faces</form-login-page>
       <form-error-page>/security/login-redirect.faces</form-error-page>
       </form-login-config>
       </login-config>
      
       <!-- Security roles -->
       <!-- TascForce -->
       <security-role>
       <description>TASC Employee</description>
       <role-name>TascForce</role-name>
       </security-role>
       <!-- Provider -->
       <security-role>
       <description>TASC Provider</description>
       <role-name>Provider</role-name>
       </security-role>
       <!-- Client -->
       <security-role>
       <description>TASC Client</description>
       <role-name>Client</role-name>
       </security-role>
       <!-- Participant -->
       <security-role>
       <description>TASC Participant</description>
       <role-name>Participant</role-name>
       </security-role>
      
       <!-- error page definitions -->
       <!-- system errors -->
       <error-page>
       <exception-type>java.lang.Throwable</exception-type>
       <location>/errors/system-error.faces</location>
       </error-page>
      
       <!-- Welcome files -->
       <welcome-file-list>
       <welcome-file>index.jsp</welcome-file>
       </welcome-file-list>
      
      </web-app>
      


      My jboss-web.xml:

      <jboss-web>
       <security-domain>java:/jaas/tasconline</security-domain>
      </jboss-web>
      


      My context.xml:

      <Context cookies="true" crossContext="true">
       <Valve className="org.jboss.web.tomcat.security.FormAuthValve"
       includePassword="false"/>
      </Context>