5 Replies Latest reply on Oct 25, 2005 11:48 AM by Jens Elkner

    Simple users/roles login to EJBs not passing username/passwo

    Erik Sliman Apprentice

      I'm trying to get simple login to remote EJBs to work using the Duke example, putting the properties files in the EJB module.

      The problem is that even though I set the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS when obtaining the home inteface, a trace of org.jboss.security indicates that it sees the user id and password as null.

      Here's the trace:

      2005-10-24 10:45:10,387 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(nmsBusinessServices), size=8
      2005-10-24 10:45:10,387 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(nmsBusinessServices), authInfo=AppConfigurationEntry[]:
      LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
      ControlFlag: LoginModuleControlFlag: required
      2005-10-24 10:45:10,387 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
      2005-10-24 10:45:10,387 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
      2005-10-24 10:45:10,387 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=jar:file:/home/esliman/programs/jboss/jboss-4.0.2_newtest/server/default/tmp/deploy/tmp3568nmsBusinessServices.ear-contents/nmsProviderServiceEJBs.jar!/users.properties, defaults=null
      2005-10-24 10:45:10,388 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[duke, java]
      2005-10-24 10:45:10,388 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
      2005-10-24 10:45:10,388 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=jar:file:/home/esliman/programs/jboss/jboss-4.0.2_newtest/server/default/tmp/deploy/tmp3568nmsBusinessServices.ear-contents/nmsProviderServiceEJBs.jar!/roles.properties, defaults=null
      2005-10-24 10:45:10,388 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[duke, java, java.CallerPrincipal, duke.CallerPrincipal]
      2005-10-24 10:45:10,388 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
      2005-10-24 10:45:10,388 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Authenticating as unauthenticatedIdentity=null
      2005-10-24 10:45:10,389 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=null
      2005-10-24 10:45:10,389 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
      2005-10-24 10:45:10,389 TRACE [org.jboss.security.plugins.JaasSecurityManager.nmsBusinessServices] Login failure
      javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:166)
       at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:136)

      You can see from the trace that it successfully loads the properties files. The "Authenticating as unauthenticatedIdentity=null" output also indicates that the username and password are null, as the source code shows that this is what triggers this output:

       if( username == null && password == null )
       identity = unauthenticatedIdentity;
       super.log.trace("Authenticating as unauthenticatedIdentity="+identity);

        • 1. Re: Simple users/roles login to EJBs not passing username/pa
          Erik Sliman Apprentice

          I got a little further when I found this wiki page:


          The question is, what exactly does SECURITY_PROTOCOL map to? No matter what I try, I get the following:

          java.lang.SecurityException: Unable to locate a login configuration
           at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
           at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
           at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
           at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
           at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
           at java.lang.Class.newInstance0(Class.java:350)
           at java.lang.Class.newInstance(Class.java:303)
           at javax.security.auth.login.Configuration$3.run(Configuration.java:216)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:210)
           at javax.security.auth.login.LoginContext$1.run(LoginContext.java:237)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.login.LoginContext.init(LoginContext.java:234)
           at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
           at org.jboss.security.jndi.LoginInitialContextFactory.getInitialContext(LoginInitialContextFactory.java:69)
           at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
           at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
           at javax.naming.InitialContext.init(InitialContext.java:223)
           at javax.naming.InitialContext.<init>(InitialContext.java:197)
           at com.domain.services.JNDIClientUtil.lookupHome(JNDIClientUtil.java:22)

          • 2. Re: Simple users/roles login to EJBs not passing username/pa
            Tim Newbie

            Sounds like you need to set up the jaas.conf / auth.conf files. I have not used this example though so can't be of much help.

            you should have one in client/auth.conf

            I had this problem when setting up a remote client I found this helpfull:

            Good luck


            • 3. Re: Simple users/roles login to EJBs not passing username/pa
              Erik Sliman Apprentice

              Thanks a million. That pushed me closer. I created a jaas.conf containing:

              JaasJNDI {
               com.sun.security.auth.module.JndiLoginModule required;

              and confirmed in debug mode that it loads the configuration.

              It gets past the point where it threw an exception trying to extablish a context in org.jboss.security.jndi.LoginInitialContextFactory.java because it couldn't find a configuration,

              LoginContext lc = new LoginContext(protocol, handler);

              and now fails on the next line where it tries to login:


              with this exception:

              javax.security.auth.login.LoginException: Error: Unable to locate JNDI user provider

              Although I have trace enabled in JBoss for org.jboss.security, nothing is output when this happens, so I'm not sure if it actually tries to talk to the server at this point.

              The JNDI URL for the home interface is correct, as it succeeds to invoke the session beans that don't require authorized users of roles when the JNDI SECURITY_ parameters are not supplied or do not prevent creation of the home interface.

              • 4. Re: Simple users/roles login to EJBs not passing username/pa
                Erik Sliman Apprentice

                WOW! I got it. Thanks to the post of tineq I noted that he was using

                p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");

                whereas I was using org.jboss.security.jndi.LoginInitialContextFactory per the recommendation of


                What do you know, I just plugged and found a



                With this class, you don't need to use Context.SECURITY_PROTOCOL or setup jaas.conf on the client. It's as easy as it looks.

                Both classes are in the 4.0.2 source. I'm not sure at this poitn whe you'd use the class without the Jndi prefix, but it's looking more like a base class rather than a class you'd want to use directly. Perhaps it's needed for some things like LDAP.

                Anyway, thanks for your help tim.cockle; and your inadvertant help tineq! Hopefully someone else can benefit from the this thread.

                • 5. Re: Simple users/roles login to EJBs not passing username/pa
                  Jens Elkner Apprentice

                  I use usually a simpler approach:

                  public static InitialContext getInitialContext(...)
                   throws NamingException
                   String trailer = ("http".equals(proto) || "https".equals(proto))
                   ? "/invoker/JNDIFactory"
                   : null;
                   URI uri = null;
                   try {
                   uri = new URI(proto, null, host, port, trailer, null, null);
                   } catch (Exception e) {
                   if (log.isDebugEnabled()) {
                   log.debug("getPreferredContextValues", e);
                   if (uri == null) {
                   throw new IllegalArgumentException("invalid values");
                   String url = uri.getScheme() + "://" + uri.getHost() + ":" + uri.getPort();
                   if (uri.getPath() != null && uri.getPath().length() > 0) {
                   url += uri.getPath();
                   String factory = "org.jnp.interfaces.NamingContextFactory";
                   if ("http".equals(uri.getScheme()) || "https".equals(uri.getScheme())) {
                   factory = "org.jboss.naming.HttpNamingContextFactory";
                   Properties props = new Properties();
                   // java.naming.factory.initial
                   props.put(Context.INITIAL_CONTEXT_FACTORY, factory);
                   // java.naming.factory.url.pkgs
                   // java.naming.provider.url
                   props.put(Context.PROVIDER_URL, url);
                   // jnp.disableDiscovery
                   !Misc.differentStrings(System.getProperty(JNP_DISCOVERY), "true"));
                   return new InitialContext(props);
                   // login
                   SecurityAssociation.setPrincipal(new SimplePrincipal(name));
                   InitialContext ctx = getInitialContext(...);
                   // logout