2 Replies Latest reply on Oct 9, 2009 3:51 AM by Hans Wolffenbuttel

    CertRolesLoginModule cannot find the good SecurityDomain

    Matt Boujonnier Newbie

      Within a "client" session bean which should access a "server" session bean secured by certificate, while creating the LoginContext, CertRolesLoginModule.initialize cannot get the right JNDI securityDomain path (it works using a fat client and the variable -Djava.security.auth.login.config=C:\jboss\server\default\conf\jaas.config).

      The default java:/jaas/other is taken instead of java:/jaas/secureDomain (defined in login-config.xml) and bound to the securityDomain defined in jboss-service.xml.

       import javax.security.auth.login.LoginContext;
       import javax.security.auth.login.LoginException;
       import org.jboss.security.auth.callback.UsernamePasswordHandler;

       // CONTEXT is the JAAS policy name looked up in the login configuration;
       // "secureDomain" is assumed here from the jaas.config entry below
       private static final String CONTEXT = "secureDomain";

       LoginContext lc = null;
       // UsernamePasswordHandler delivers the password as a char[] credential,
       // which is the "class [C" that BaseCertLoginModule reports in the log
       UsernamePasswordHandler handler = new UsernamePasswordHandler("test", "test".toCharArray());

       //not better with a file path
       System.setProperty("java.security.auth.login.config", "http://localhost:8080/jaas.config");

       try {
           lc = new LoginContext(CONTEXT, handler);
           lc.login();
       }
       catch (LoginException ex) {
           ex.printStackTrace();
       }
      
      




      jaas.config
      secureDomain {
        org.jboss.security.auth.spi.CertRolesLoginModule required
          debug=true
          securityDomain="java:/jaas/secureDomain"
          java.naming.factory.initial="org.jnp.interfaces.NamingContextFactory"
          java.naming.provider.url="localhost:1099";
      };
      



      Stacktrace
      15:44:28,105 WARN [BaseCertLoginModule] Don't know how to obtain X509Certificate from: class [C
      15:44:28,105 ERROR [CertRolesLoginModule] The domain java:/jaas/other is not a SecurityDomain. All authentication using this module will fail!
      15:44:28,125 WARN [CertRolesLoginModule] Don't know how to obtain X509Certificate from: class [C
      15:44:28,125 INFO [STDOUT] javax.security.auth.login.LoginException: Don't know how to obtain X509Certificate from: class [C
      15:44:28,125 INFO [STDOUT] at org.jboss.security.auth.spi.BaseCertLoginModule.getAliasAndCert(BaseCertLoginModule.java:302)
      15:44:28,125 INFO [STDOUT] at org.jboss.security.auth.spi.BaseCertLoginModule.login(BaseCertLoginModule.java:179)
      15:44:28,125 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      15:44:28,125 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      15:44:28,125 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      15:44:28,125 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:585)
      15:44:28,125 INFO [STDOUT] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
      15:44:28,125 INFO [STDOUT] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
      15:44:28,125 INFO [STDOUT] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
      15:44:28,125 INFO [STDOUT] at java.security.AccessController.doPrivileged(Native Method)
      15:44:28,125 INFO [STDOUT] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      15:44:28,125 INFO [STDOUT] at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
      15:44:28,125 INFO [STDOUT] at com.slb.secure.client.SecureClientSessionBean.callSecureClient(SecureClientSessionBean.java:57)
      15:44:28,125 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      15:44:28,125 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      15:44:28,125 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      15:44:28,125 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:585)
      15:44:28,125 INFO [STDOUT] at org.jboss.invocation.Invocation.performCall(Invocation.java:345)
      15:44:28,135 INFO [STDOUT] at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:214)
      15:44:28,135 INFO [STDOUT] at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:149)
      15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:154)
      15:44:28,135 INFO [STDOUT] at org.jboss.webservice.server.ServiceEndpointInterceptor.invoke(ServiceEndpointInterceptor.java:54)
      15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:48)
      15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:106)
      15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:335)
      15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:166)
      15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:153)
      15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:192)
      15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
      15:44:28,135 INFO [STDOUT] at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:624)
      15:44:28,135 INFO [STDOUT] at org.jboss.ejb.Container.invoke(Container.java:873)
      15:44:28,135 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      15:44:28,135 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      15:44:28,135 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      15:44:28,135 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:585)
      15:44:28,135 INFO [STDOUT] at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
      15:44:28,135 INFO [STDOUT] at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
      15:44:28,135 INFO [STDOUT] at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
      15:44:28,135 INFO [STDOUT] at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
      15:44:28,135 INFO [STDOUT] at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
      15:44:28,135 INFO [STDOUT] at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:155)
      15:44:28,135 INFO [STDOUT] at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:104)
      15:44:28,135 INFO [STDOUT] at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:179)
      15:44:28,135 INFO [STDOUT] at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:165)
      15:44:28,135 INFO [STDOUT] at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46)
      15:44:28,135 INFO [STDOUT] at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:55)
      15:44:28,135 INFO [STDOUT] at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:97)
      15:44:28,135 INFO [STDOUT] at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:86)
      15:44:28,135 INFO [STDOUT] at $Proxy55.callSecureClient(Unknown Source)
      15:44:28,135 INFO [STDOUT] at org.apache.jsp.gateway_jsp._jspService(org.apache.jsp.gateway_jsp:95)
      15:44:28,135 INFO [STDOUT] at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
      15:44:28,135 INFO [STDOUT] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
      15:44:28,135 INFO [STDOUT] at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:322)
      15:44:28,135 INFO [STDOUT] at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
      15:44:28,135 INFO [STDOUT] at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
      15:44:28,135 INFO [STDOUT] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
      15:44:28,135 INFO [STDOUT] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
      15:44:28,135 INFO [STDOUT] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      15:44:28,135 INFO [STDOUT] at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
      15:44:28,135 INFO [STDOUT] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
      15:44:28,135 INFO [STDOUT] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      15:44:28,135 INFO [STDOUT] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
      15:44:28,135 INFO [STDOUT] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
      15:44:28,135 INFO [STDOUT] at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
      15:44:28,135 INFO [STDOUT] at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:159)
      15:44:28,135 INFO [STDOUT] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
      15:44:28,145 INFO [STDOUT] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
      15:44:28,145 INFO [STDOUT] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
      15:44:28,145 INFO [STDOUT] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
      15:44:28,145 INFO [STDOUT] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
      15:44:28,145 INFO [STDOUT] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
      15:44:28,145 INFO [STDOUT] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
      15:44:28,145 INFO [STDOUT] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
      15:44:28,145 INFO [STDOUT] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
      15:44:28,145 INFO [STDOUT] at java.lang.Thread.run(Thread.java:595)
      


       <application-policy name="secureDomain">
         <authentication>
           <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
             <module-option name="password-stacking">useFirstPass</module-option>
             <module-option name="securityDomain">java:/jaas/secureDomain</module-option>
             <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
             <!-- <module-option name="verifier">com.slb.secure.CustomCertVerifier</module-option> -->
           </login-module>
           <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule" flag="required">
             <module-option name="rolesProperties">secureDomain-roles.properties</module-option>
             <!-- "roleGroupSeperator" is the option name as spelled by JBoss -->
             <module-option name="roleGroupSeperator">.</module-option>
             <module-option name="defaultRolesProperties">secureDomain-defaultRoles.properties</module-option>
           </login-module>
         </authentication>
       </application-policy>
      


      If anybody has an idea of how to get the right domain...

      thx
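The login in the post above fails before any certificate is examined: UsernamePasswordHandler answers BaseCertLoginModule's ObjectCallback with the char[] password (the "class [C" in the log), and the module only accepts an X509Certificate or X509Certificate[] there. As an added example (not code from the original post), the following callback handler supplies the two things the module asks for, the keystore alias through a NameCallback and the certificate object through JBoss's ObjectCallback, and then runs the login. The keystore path, its password and the alias "client" are assumptions; "secureDomain" is the application-policy name used in this thread.

```java
// Added example: logging in to a JBoss certificate-based JAAS policy with an
// X509Certificate credential. Keystore location, password and alias are assumed.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.acl.Group;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.ObjectCallback;

public class CertLoginExample {

    /** Answers BaseCertLoginModule's callbacks: alias via NameCallback, certificate via ObjectCallback. */
    static final class CertCallbackHandler implements CallbackHandler {
        private final String alias;
        private final X509Certificate cert;

        CertCallbackHandler(String alias, X509Certificate cert) {
            this.alias = alias;
            this.cert = cert;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(alias);
                } else if (callbacks[i] instanceof ObjectCallback) {
                    // The credential must be the certificate itself, never a char[] password.
                    ((ObjectCallback) callbacks[i]).setCredential(cert);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i], "Unsupported callback");
                }
            }
        }
    }

    /** Loads the certificate stored under 'alias' from a JKS keystore (path and password are assumptions). */
    static X509Certificate loadCert(String keystorePath, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(keystorePath);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias " + alias);
        }
        return cert;
    }

    /** Logs in to the JAAS policy 'policy' with the certificate and returns the authenticated Subject. */
    static Subject login(String policy, String alias, X509Certificate cert) throws LoginException {
        LoginContext lc = new LoginContext(policy, new CertCallbackHandler(alias, cert));
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        // Assumed keystore, password and alias; "secureDomain" is the policy name from the thread.
        X509Certificate cert = loadCert("C:/jboss/server/default/conf/client.keystore",
                                        "changeit".toCharArray(), "client");
        Subject subject = login("secureDomain", "client", cert);

        // JBoss login modules put the caller's roles in a java.security.acl.Group named "Roles".
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof Group && "Roles".equals(p.getName())) {
                Enumeration<? extends Principal> roles = ((Group) p).members();
                while (roles.hasMoreElements()) {
                    System.out.println("role: " + roles.nextElement().getName());
                }
            }
        }
    }
}
```

One caveat on the policy shown in the thread: with the verifier option set to AnyCertVerifier, BaseCertLoginModule accepts whatever certificate object the handler supplies, so the check above proves only that the caller could produce some X509Certificate. That verifier is for testing; for real use, either configure a verifier that checks the presented certificate against the domain's trust store, or leave the verifier option out, in which case the module compares the presented certificate with the one stored under the same alias in the domain's key store.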

        • 1. Re: CertRolesLoginModule cannot find the good SecurityDomain
          Matt Boujonnier Newbie

          OK, found it:

          the "jaas.config" file content should be in:
          - a file called auth.conf
          - in the %JBOSS%/client dir

          Easy when you know it... maybe it will help somebody one day.

          • 2. Re: CertRolesLoginModule cannot find the good SecurityDomain
            Hans Wolffenbuttel Expert

            There are many ways to declare a securityDomain. The way I have implemented it is to put a MBean inside the conf/jboss-service.xml that looks something like this:

             <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                    name="jboss.security:service=SecurityDomain">
               <constructor>
                 <!-- the domain name; the service binds itself at java:/jaas/CertLogin -->
                 <arg type="java.lang.String" value="CertLogin"></arg>
               </constructor>
               <attribute name="KeyStoreURL">resource:key/esb.keystore</attribute>
               <attribute name="KeyStorePass">*****</attribute>
               <attribute name="TrustStoreURL">resource:key/esb.keystore</attribute>
               <attribute name="TrustStorePass">*****</attribute>
               <depends>jboss.security:service=JaasSecurityManager</depends>
             </mbean>
            



            In your case you would have to change CertLogin into secureDomain.

            You can also define your security domain using web.xml and jboss-web.xml; just look at the jmx-console example in the JBoss wiki.

            Hope this helps!

            Regards,

            Hans
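The ERROR line in the original stack trace, "The domain java:/jaas/other is not a SecurityDomain", is what BaseCertLoginModule logs in initialize() when the name from its securityDomain option (java:/jaas/other is its default when the option is absent) resolves to something other than a JaasSecurityDomain such as the one Hans declares above; on JBoss 4 a java:/jaas/<name> lookup with no JaasSecurityDomain MBean behind it yields a plain JaasSecurityManager, which does not implement SecurityDomain. As an added example (not code from this thread), here is a check to run from inside the server, for instance from the session bean, that verifies the MBean is bound under the expected name and that its key store and trust store loaded. "java:/jaas/secureDomain" is the name used in this thread.

```java
// Added example: verify from inside JBoss that a java:/jaas/* name is a JaasSecurityDomain
// with usable stores. The JNDI name is the one from this thread.
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.jboss.security.SecurityDomain;

public class SecurityDomainCheck {

    /** Resolves jndiName and returns it as a SecurityDomain, or fails with the reason the login module would log. */
    static SecurityDomain lookupDomain(String jndiName) throws NamingException {
        Object bound = new InitialContext().lookup(jndiName);
        if (!(bound instanceof SecurityDomain)) {
            // Typical cause: no JaasSecurityDomain MBean declared for this name (or declared under
            // another name), so the java:/jaas context hands back a plain JaasSecurityManager.
            throw new IllegalStateException(jndiName + " is bound to " + bound.getClass().getName()
                                            + ", not a SecurityDomain");
        }
        return (SecurityDomain) bound;
    }

    /** Lists the aliases in the domain's trust store, falling back to the key store as BaseCertLoginModule does. */
    static List<String> trustedAliases(SecurityDomain domain) throws KeyStoreException {
        KeyStore ts = domain.getTrustStore();
        if (ts == null) {
            ts = domain.getKeyStore();
        }
        List<String> aliases = new ArrayList<String>();
        if (ts != null) {
            for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
                aliases.add(e.nextElement());
            }
        }
        return aliases;
    }

    public static void main(String[] args) throws Exception {
        SecurityDomain domain = lookupDomain("java:/jaas/secureDomain");
        // A null key store here means KeyStoreURL/KeyStorePass in the MBean did not load.
        System.out.println("key store loaded: " + (domain.getKeyStore() != null));
        System.out.println("trust store loaded: " + (domain.getTrustStore() != null));
        System.out.println("trusted aliases: " + trustedAliases(domain));
    }
}
```

If lookupDomain throws, fix the MBean declaration (or the securityDomain option in login-config.xml) before touching the login modules; if it succeeds but the alias list is empty, the store URL or password in the MBean is wrong, and every certificate login against that domain will fail in validateCredential unless a permissive verifier such as AnyCertVerifier is masking it.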