2 Replies Latest reply on Oct 13, 2005 11:35 AM by Laurent Duperval

    No access when roles defined in database

    Laurent Duperval Newbie

      Hi,

      I'm having a problem with authorization using Struts 1.1/Jboss 3.2.5.

      I have an initial class called MainComponenetMainMenuAction. In the execute() method of that class, I have this:

      if (true) {
      throw new Exception("Expection reached");
      }

      When I try to access the action, I don't reach the exception and I don't understand why.

      I am using FORM validation using a database. All my components use auth constraint "*". I have no roles (other than "*") defined in my application. So my web.xml looks like this:

      <security-constraint>
       <web-resource-collection>
      <web-resource-name>secure-web-component-names</web-resource-name>
      <url-pattern>/MainComponentMainPage.jsp</url-pattern>
      <url-pattern>/MainComponentAdminPage.jsp</url-pattern>
      <url-pattern>/MainComponentMainMenu.do</url-pattern>
      <url-pattern>/MainComponentAdminMenu.do</url-pattern>
      
       <http-method>HEAD</http-method>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       <http-method>PUT</http-method>
       <http-method>DELETE</http-method>
       </web-resource-collection>
       <auth-constraint>
       <role-name>*</role-name>
       </auth-constraint>
       </security-constraint>
      


      When I trace the code, I see this:

      2005-10-12 15:08:45,888 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
      
      2005-10-12 15:08:45,903 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'admin' authenticated, loginOk=true
      
      2005-10-12 15:08:45,903 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
      
      2005-10-12 15:08:45,935 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role it
      
      2005-10-12 15:08:45,935 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role user
      
      2005-10-12 15:08:45,935 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role admin
      
      2005-10-12 15:08:45,950 TRACE [org.jboss.security.plugins.JaasSecurityManager.my_security_realm] updateCache, subject=Subject:
       Principal: admin
       Principal: Roles(members:user,admin,it)
      
      
      2005-10-12 15:08:45,950 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: admin is authenticated
      
      2005-10-12 15:08:45,950 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Mapped from input principal: adminto: admin
      
      2005-10-12 15:08:45,950 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] End authenticate, principal=admin
      
      2005-10-12 15:08:45,950 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'admin' was successful
      
      2005-10-12 15:08:45,950 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/MainComponentMainMenu.do'
      
      2005-10-12 15:08:45,950 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ??/j_security_check
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /MainComponentMainMenu.do
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Standard-Struts-Administrative-Actions]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[AlturaForceContainerLogin]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure-Main-Menu]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> true
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /MainComponentMainMenu.do --> false
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Checking for reauthenticate in session StandardSession[22488C5E5187589AEC862116D4DD0F0F]
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Reauthenticating username 'admin'
      
      2005-10-12 15:08:45,966 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Begin authenticate, username=admin
      
      2005-10-12 15:08:45,966 TRACE [org.jboss.security.plugins.JaasSecurityManager.my_security_realm] validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@1a3ae73
      
      2005-10-12 15:08:45,966 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: admin is authenticated
      
      2005-10-12 15:08:45,966 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Mapped from input principal: adminto: admin
      
      2005-10-12 15:08:45,966 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] End authenticate, principal=admin
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Reauthentication failed, proceed normally
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session '22488C5E5187589AEC862116D4DD0F0F'
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'admin' with type 'FORM'
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
      
      2005-10-12 15:08:45,966 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] action, runAs: null
      
      2005-10-12 15:08:45,966 DEBUG [org.apache.catalina.core.StandardWrapper] Returning non-STM instance
      


      My login-config.xml says:

      <application-policy name = "my_security_realm">
       <authentication>
      
       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag = "required">
       <module-option name = "dsJndiName">java:/DefaultDS</module-option>
       <module-option name = "principalsQuery">SELECT PASSWORD FROM user WHERE USERID=?</module-option>
       <module-option name = "rolesQuery">
       SELECT role_Name,'Roles' FROM Role WHERE USERID=?
       </module-option>
       </login-module>
       <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
       </authentication>
       </application-policy>
      




        • 1. Re: No access when roles defined in database
          Laurent Duperval Newbie

          I've been doing more debugging. I added tracing for struts actions and I see this:

          2005-10-13 11:09:10,466 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints

          2005-10-13 11:09:10,466 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] action, runAs: null

          2005-10-13 11:09:10,466 DEBUG [org.apache.catalina.core.StandardWrapper] Returning non-STM instance

          2005-10-13 11:09:10,466 DEBUG [org.apache.struts.action.RequestProcessor] Processing a 'GET' for path '/MainComponentMainMenu'

          2005-10-13 11:09:10,466 DEBUG [org.apache.struts.action.RequestProcessor] Looking for Action instance for class com.fleetmind.tmeui.application.presentation.MainComponentMainMenu

          2005-10-13 11:09:10,466 DEBUG [org.apache.struts.action.RequestProcessor] Creating new Action instance

          2005-10-13 11:09:10,481 INFO [org.apache.struts.util.PropertyMessageResources] Initializing, config='org.apache.struts.actions.LocalStrings', returnNull=true

          2005-10-13 11:09:10,481 DEBUG [org.apache.struts.action.RequestProcessor] processForwardConfig(ForwardConfig[name=success,path=/MainComponentMainPage.jsp,redirect=false,contextRelative=false])

          Notice how a call is made to create a new Action instance, but the new instance is actually never started. I don't understand why it does that.

          L

          • 2. Re: No access when roles defined in database
            Laurent Duperval Newbie

            And, I found it. It's a class loader issue. Another ear was using older versions of the classes mentioned above and they were being found by JBoss before the ones I had modified.

            L