1 2 Previous Next 19 Replies Latest reply on Jan 10, 2007 4:27 AM by Alexander Manes

    Dynamic registration of a custom login module?

    Andrew Apprentice

      I am pretty new to JBoss and am trying to figure out how to digest

      http://www.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig

      I understand the content of the XML, but not how to deploy this thing. What I have is two custom realm modules (LoginModule) that I want to use. One is for my JSF deployment (MyCompClientJSF.ear that contains a war file) and a web service deployment (MyCompWebService.ear that contains a war file).

      For each project I have a login-config.xml declared that I am currently putting in my war's META-INF directory. Here is a dummy one I tried just to see if I could get it working with a JBoss LoginModule:

      <?xml version="1.0" encoding="UTF-8"?>
      
      <application-policy name="TestRealm">
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag="required">
       <module-option name="usersProperties">test-users.properties</module-option>
       <module-option name="rolesProperties">test-roles.properties</module-option>
       </login-module>
      </application-policy>


      The problem is that I really don't know much about mbean's at all. Neither that WIKI or others seem to mention where to put the xml file with the server/mbean declaration and if there is a naming convention or anything that is required. If someone could help me with the deployment I would greatly appreciate it.

      My current deployment:
      server/default/
       Test.war
       META-INF/
       login-config.xml
       jboss.xml
       WEB-INF/
       lib/
       customLoginModule.jar
       (...)
       MyCompanyClientJSF.ear/
       META-INF/
       application.xml
       MyCompanyClient.war
       META-INF/
       login-config.xml
       jboss.xml
       WEB-INF/
       lib/
       customLoginModule.jar
       (...)

      My company is a software shop and not a hosting shop, so we don't control our client's JBoss servers and we want to keep deployment down to a minimum (I want to get as close as possible to dropping a couple of files in the "deploy" directory and it just works, and not have to modify and of the JBoss xml files that are provided).

      Thanks,
      Andrew

        • 1. Re: Dynamic registration of a custom login module?
          chris griffith Expert

          Andrew,

          What you want to do is to deploy the DynamicLoginConfig mBean. This mbean then will look for the login-config file you have specified in service.xml file (or embed in mbean config if using JBoss >= 4.0.3.) The DynamicLoginConfig is deployed depending on where you put the -service.xml file. I have always deployed it with my ear. But then again I have my ear's isolated from rest of server, so this is my only option. This is done by putting the -service.xml file along with login-config.xml file at base of ear, and then specify the -service.xml file as a java module in application.xml. I guess I could have also deployed it in a sar in my ear. I do not know what would happen if you just put -service.xml file in deploy directory.

          Are you still having trouble with this?

          • 2. Re: Dynamic registration of a custom login module?
            chris griffith Expert

            After further reading, I realize there is a better way...

            You have two ear's you mention as your projects, correct?

            In each ear, include at the base a .sar that contains

            *.sar/
             +--> META-INF/
             +--------> jboss-service.xml
             +--> login-config.xml
             +--> customLoginModules.jar
            


            where the jboss-service.xml contains the mbean element config'ing the DynamicLoginConfig mbean. Then deploy the sar with your ear by adding the module element to your jboss-app.xml



            • 3. Re: Dynamic registration of a custom login module?
              Andrew Apprentice

              Going to give this a shot, will let you know how it goes. Thanks

              • 5. Re: Dynamic registration of a custom login module?
                Andrew Apprentice

                Looks like it is working, thanks for the help

                • 6. Re: Dynamic registration of a custom login module?
                  Andrew Apprentice

                  Okay new problem. First ear works fine, but the 2nd ear generates an error:
                  org.jboss.deployment.DeploymentException: Trying to install an already registered mbean: jboss:service=DynamicLoginConfig

                  Obviously this is happening because I have the same mbean definition in both ear files. My question is what I should do about it? Is there a way to say "deploy if it doesn't already exist" in an mbean declaration? or is there a better way I can tackle the DynamicLoginConfig mbean deployment?

                  • 7. Re: Dynamic registration of a custom login module?
                    chris griffith Expert

                    Most likey this is because you did not change the name of the mbean in the descriptor file. If you just copy and pasted from wiki page, the name is the same as an already deployed mbean. So just rename it to something that is important to you.

                    enjoy, c

                    • 8. Re: Dynamic registration of a custom login module?
                      Nigel White Newbie

                      Hi j2ee_junkie!

                      I'm trying to implement my own LoginModule, again without having to configure any external config files.

                      I have the Login module, but I can't make it use it without changing the server/conf/login-config.xml. I'm using the Embedded Login Configuration in http://wiki.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig

                      I'm putting that into a .sar file as you describe:

                      GF.ear
                      +--> GF.sar
                       +--> META-INF
                       | +--> jboss-service.xml
                       +--> CustomLoginModules.jar
                       +-->com/fcl/security/GreenfieldsLoginModule.class
                      +--> ejbs.jar
                      +--> webapp.war


                      jboss-service.xml looks like
                      <?xml version='1.0'?>
                      <!DOCTYPE policy PUBLIC
                       "-//JBoss//DTD MBean Service 4.0//EN"
                       "http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">
                      <server>
                       <!-- The custom JAAS login configuration that installs
                       a Configuration capable of dynamically updating the
                       config settings
                       -->
                       <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
                       name="jboss.security.tests:service=LoginConfig">
                       <attribute name="PolicyConfig" serialDataType="jbxb">
                       <jaas:policy
                       xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
                       xmlns:jaas="urn:jboss:security-config:4.1"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                      
                       <!-- Our Greenfields login config -->
                       <jaas:application-policy name="Greenfields">
                       <jaas:authentication>
                       <jaas:login-module code="com.fcl.security.GreenfieldsLoginModule" flag="required">
                       <jaas:module-option name="unauthenticatedIdentity">anonymous</jaas:module-option>
                       <jaas:module-option name="principalClass">com.fcl.security.GreenfieldsUser</jaas:module-option>
                       <jaas:module-option name="ignorePasswordCase">true</jaas:module-option>
                       </jaas:login-module>
                      
                       <!-- Include the ClientLoginModule propagation -->
                       <jaas:login-module code="org.jboss.security.ClientLoginModule" flag="required">
                       <jaas:module-option name="password-stacking">true</jaas:module-option>
                       <jaas:module-option name="multi-threaded">true</jaas:module-option>
                       </jaas:login-module>
                      
                       </jaas:authentication>
                       </jaas:application-policy>
                       </jaas:policy>
                       </attribute>
                       <depends optional-attribute-name="LoginConfigService">
                       jboss.security:service=XMLLoginConfig
                       </depends>
                       <depends optional-attribute-name="SecurityManagerService">
                       jboss.security:service=JaasSecurityManager
                       </depends>
                       </mbean>
                      </server>
                      


                      But it's producing:

                      14:40:55,031 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
                      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
                       at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
                       at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
                       at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
                       at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
                       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                       at java.lang.reflect.Method.invoke(Method.java:585)
                       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
                       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                       at java.security.AccessController.doPrivileged(Native Method)
                       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                       at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:587)
                       at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:521)
                       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:330)
                       at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:306)
                       at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
                       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
                       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
                       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
                       at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
                       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                       at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                       at java.lang.Thread.run(Thread.java:595)


                      One more thing.

                      Even when it called my LoginModule correctly - when I had edited the server's login-config.xml, the SessionContext.getCallerPrincipal() still returned an JBoss SimplePrincipal rather than the GreenFieldsUser object that I specified (and which is correctly produced by session.getUserPrincipal())

                      • 9. Re: Dynamic registration of a custom login module?
                        chris griffith Expert

                        Nigel,

                        What version of JBoss are you using?

                        Can you provide some TRACE logging of JBoss security layer aroung the time of authentication.

                        cgriffith

                        • 10. Re: Dynamic registration of a custom login module?
                          Nigel White Newbie

                          Version 4.0.3

                          How do I turn tracing on?

                          Update on not getting my custom Principal. I am getting a com.fcl.security.GreenfieldsUser out of the SessionContext, but I can't cast it to that (which was making me think it was just handing me a SimplePrincipal) I think it's from a different ClassLoader.

                          I have the GreenfieldsUser class file in the EJB jar that's inside the EAR. Surely that should then be usable?

                          • 11. Re: Dynamic registration of a custom login module?
                            Nigel White Newbie

                            Version 4.0.3

                            How do I turn tracing on?

                            Update on not getting my custom Principal. I am getting a com.fcl.security.GreenfieldsUser out of the SessionContext, but I can't cast it to that (which was making me think it was just handing me a SimplePrincipal) I think it's from a different ClassLoader.

                            I have the GreenfieldsUser class file in the EJB jar that's inside the EAR. Surely that should then be usable?

                            • 12. Re: Dynamic registration of a custom login module?
                              Nigel White Newbie

                              OK, I can cast the SessionContext.getCallerPrincipal() to my custom Principal class!

                              It's just started working!!

                              Hmm...

                              OK, now I just need this DynamicLoginConfig to work.

                              Any idea how I can add a DataSource without having to drop a seperate XML file into the deploy directory? I'd just like to keep everying inside the EAR.

                              • 13. Re: Dynamic registration of a custom login module?
                                Nigel White Newbie

                                It's just TOOOO weird.

                                I have to have an empty security domain in jboss.xml in my EJS jar:

                                <?xml version="1.0" encoding="UTF-8"?>
                                <jboss>
                                 <security-domain/>
                                </jboss>


                                If I put the correct security domain in (java:/jaas/Greenfields), it says:

                                15:45:21,781 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
                                java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
                                 at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
                                 at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
                                 at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
                                 at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
                                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                 at java.lang.reflect.Method.invoke(Method.java:585)
                                 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
                                 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                                 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                                 at java.security.AccessController.doPrivileged(Native Method)
                                 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                                 at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                                 at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:587)
                                 at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:521)
                                 at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:330)
                                 at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:121)
                                 at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:67)
                                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                                 at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
                                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                                 at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
                                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                                 at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:178)
                                 at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:74)
                                 at $Proxy120.getAll(Unknown Source)
                                 at com.fcl.gf.mgr.ListMgr.getList(Unknown Source)



                                But then I have to put

                                @SecurityDomain("Greenfields")


                                At the declaration of my EJB

                                into the EJBs that I'm using, otherwise it says:

                                15:48:01,968 ERROR [STDERR] javax.ejb.EJBException: java.lang.IllegalStateException: isCallerInRole() called with no security conte
                                t. Check that a security-domain has been set for the application.
                                15:48:01,968 ERROR [STDERR] at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:69)
                                15:48:01,984 ERROR [STDERR] at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83)
                                15:48:01,984 ERROR [STDERR] at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:192)
                                15:48:01,984 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                                15:48:01,984 ERROR [STDERR] at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
                                15:48:01,984 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                                15:48:01,984 ERROR [STDERR] at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:5
                                )


                                THis isn't making sanse.

                                • 14. Re: Dynamic registration of a custom login module?
                                  chris griffith Expert

                                  Nigel,

                                  I put my_datasource-ds.xml file at the root of my ear. Then I add

                                   ...
                                   <module>
                                   <java>my_datasource-ds.xml</java>
                                   </module>
                                   ...
                                  


                                  to application.xml. This datasource then gets deployed/undeployed automatically with ear by service http://wiki.jboss.org/wiki/Wiki.jsp?page=XSLSubDeployer.

                                  Also AFAIK, you can do the same thing with your login-config.xml. I use the sar method described earlier because I package login modules inside the sar.

                                  Glad to hear you are coming along on solving your problems, cgriffith

                                  1 2 Previous Next