8 Replies Latest reply on Feb 20, 2006 2:43 PM by Scott Stark

    Access denied - Role mapping problem?

    Gunnar Grim Newbie

      Hi!

      I'm new to JBoss but not to J2EE, and I'm trying to port an application that works fine in Sun AS 8.

      The application is packaged as an EAR with one ejb module and one web module. It uses three roles, Users, Authors and Admins.

      When the client attempts to access a security-constrained JSP, Firefox shows a login dialog as expected, but the user id and password are not accepted.

      The first strange thing is that nothing is logged when an access fails, which makes it difficult for me to find the problem, so my first question is: How do I get the server to log access attempts?

      The EAR does not request any specific realm so I assume that the policy "other" is used. It probably is because I got error messages logged before I created "users.properties" and "roles.properties", and I don't get these errors anymore.

      I have mapped the roles in jboss-app.xml to principal names defined in "roles.properties". I also tried doing the same mapping in "jboss-web.xml" in the war file, although that shouldn't be necessary. I have even tried to map an application role to a specific user, defined in "users.properties".

      Below are the relevant sections from various deployment descriptors. Hope someone can tell me what I'm doing wrong, or at least show me how to get JBoss to log the accesses and reasons for failing.

      TIA,
      Gunnar Grim

      --------------------------------------------------------------------------------
      app.ear/app.war/WEB-INF/web.xml:

      <web-app>
        :
        <security-constraint>
          <display-name>Users</display-name>
          <web-resource-collection>
            <web-resource-name>Secure</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>Users</role-name>
          </auth-constraint>
        </security-constraint>
        :
      </web-app>

      --------------------------------------------------------------------------------
      app.ear/META-INF/jboss-app.xml:

      <jboss-app>
        <security-role>
          <role-name>Users</role-name>
          <principal-name>users</principal-name>
        </security-role>
        <security-role>
          <role-name>Authors</role-name>
          <principal-name>authors</principal-name>
        </security-role>
        <security-role>
          <role-name>Admins</role-name>
          <principal-name>admins</principal-name>
        </security-role>
      </jboss-app>

      --------------------------------------------------------------------------------
      ~/jboss-4.0.3SP1/server/default/conf/login-config.xml:


      :
      <application-policy name = "other">
        <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required" />
        <module-option name="usersProperties">props/users.properties</module-option>
        <module-option name="rolesProperties">props/roles.properties</module-option>
      </application-policy>
      :


      --------------------------------------------------------------------------------
      ~/jboss-4.0.3SP1/server/default/conf/props/users.properties:

      gugrim=password

      --------------------------------------------------------------------------------
      ~/jboss-4.0.3SP1/server/default/conf/props/roles.properties:

      gugrim=users,authors,admins
      --------------------------------------------------------------------------------

        • 1. Re: Access denied - Role mapping problem?
          Gunnar Grim Newbie

          I have now found how to get the JAAS service to log at trace level and found the most basic problem:

          In my login-config.xml I had placed the module options outside the <login-module> tag instead of inside.

          I have also found that if I put real application role names, such as "Users" in the "roles.properties", authentication seems to work.

          So, my remaining question is: What is wrong with my role mapping?

          TIA,
          Gunnar Grim
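The misplaced-option mistake found above is silent: JBoss only reads <module-option> elements that are children of the <login-module>, so an option placed next to it is ignored and the module falls back to its defaults. The following is an added check, not code from the original post or from JBoss, that parses a login-config.xml and reports every module-option that is not nested inside a login-module, and shows which options a policy's modules would actually receive. Both embedded fragments are constructed for the example: the first reproduces the posted policy, the second is the corrected nesting; the <authentication> wrapper is the layout of the login-config.xml that JBoss 4 ships, which the post elided.

```python
"""Added check: find <module-option> elements in a JBoss 4 login-config.xml
that are not nested inside a <login-module>.  JBoss only reads options that
are children of the login module; a misplaced option is silently ignored and
the module falls back to its defaults."""
import xml.etree.ElementTree as ET

LOGIN_MODULE = "org.jboss.security.auth.spi.UsersRolesLoginModule"

# Constructed sample 1: the policy as posted, with the options placed as
# siblings of a self-closing <login-module/> instead of inside it.
BROKEN = f"""<policy>
  <application-policy name="other">
    <authentication>
      <login-module code="{LOGIN_MODULE}" flag="required" />
      <module-option name="usersProperties">props/users.properties</module-option>
      <module-option name="rolesProperties">props/roles.properties</module-option>
    </authentication>
  </application-policy>
</policy>
"""

# Constructed sample 2: the same policy with the options nested correctly.
FIXED = f"""<policy>
  <application-policy name="other">
    <authentication>
      <login-module code="{LOGIN_MODULE}" flag="required">
        <module-option name="usersProperties">props/users.properties</module-option>
        <module-option name="rolesProperties">props/roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
"""


def _parent_map(root):
    """ElementTree has no parent pointers; build child -> parent once."""
    return {child: parent for parent in root.iter() for child in parent}


def misplaced_options(xml_text):
    """Return (policy name, option name) for every module-option whose
    parent element is not a login-module."""
    root = ET.fromstring(xml_text)
    parents = _parent_map(root)
    found = []
    for opt in root.iter("module-option"):
        parent = parents.get(opt)
        if parent is not None and parent.tag == "login-module":
            continue
        node = opt
        while node is not None and node.tag != "application-policy":
            node = parents.get(node)
        policy = node.get("name") if node is not None else "<unknown>"
        found.append((policy, opt.get("name")))
    return found


def effective_options(xml_text, policy_name):
    """What JBoss will actually hand to each login module of a policy:
    a list of (code, flag, {option: value}) built from nested options only."""
    root = ET.fromstring(xml_text)
    modules = []
    for policy in root.iter("application-policy"):
        if policy.get("name") != policy_name:
            continue
        for lm in policy.iter("login-module"):
            opts = {o.get("name"): (o.text or "").strip()
                    for o in lm.findall("module-option")}
            modules.append((lm.get("code"), lm.get("flag"), opts))
    return modules


if __name__ == "__main__":
    for label, text in (("posted", BROKEN), ("corrected", FIXED)):
        print(label, "misplaced:", misplaced_options(text))
        print(label, "effective:", effective_options(text, "other"))
```

To run it against a real server, read server/default/conf/login-config.xml into a string and pass it to both functions; an empty option dict for a module that should have usersProperties/rolesProperties is the symptom to look for.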

          • 2. Re: Access denied - Role mapping problem?
            chris griffith Expert

            gugrim,

            You have not mentioned if you have set a security-domain in your jboss-app.xml and jboss-web.xml.

            cgriffith

            • 3. Re: Access denied - Role mapping problem?
              Gunnar Grim Newbie

              Yes I have, in jboss-app.xml. It points to the "other" domain. The user gets the roles according to the roles.properties. What I want to achieve is to use different role names in the application than the ones defined for the domain, and map the application roles to domain roles using <security-role> tags.

              Gunnar

              • 4. Re: Access denied - Role mapping problem?
                chris griffith Expert

                I think I see the problem.

                First, you have set up your roles.properties file to add the roles of 'users', 'authors', and 'admins' to principal 'gugrim'. You really want the roles of 'Users', 'Authors', and 'Admins'.

                Then in your mapping you are telling JBoss to add the role of 'Users' to principal 'users', etc. However, the principal is 'gugrim'. Unless you have users logging in with username 'users', 'authors', or 'admins' the mapping is not going to happen.

                Does this make more sense now? cgriffith

                • 5. Re: Access denied - Role mapping problem?
                  Gunnar Grim Newbie

                  Yes, it makes sense but it doesn't solve my problem. Perhaps I'm going about it the wrong way. What I want to achieve is this:

                  In my security domain I want to specify that the user "gugrim" is an "admin".

                  In one application I use a role name like "Admin", and I want to map that to the domain role "admin".

                  Another application may use the role name "Manager", which should also be mapped to the domain role "admin".

                  In other words; Different applications use different names for their roles internally. Through the mapping in jboss-app.xml I want to translate them to the actual role names used in the security domain.

                  This works fine in Sun's and BEA's servers, although they use the term "group" for the domain roles. I hope this can be done with JBoss also!

                  Thanks for your patience,
                  Gunnar

                  • 6. Re: Access denied - Role mapping problem?
                    chris griffith Expert

                    I think if you read the server guide chapter 8 (http://docs.jboss.org/jbossas/jboss4guide/r3/html/ch8.chapter.html#d0e18580)
                    you will find what you're looking for. I have never used it, but it appears that you can use the username.xxxx semantics to define a group.

                    enjoy, cgriffith

                    • 7. Re: Access denied - Role mapping problem?
                      Gunnar Grim Newbie

                      Thanks, now I think I get it perhaps. It seems JBoss has chosen a different path to allow the deployer to map application roles to domain roles. Instead of doing it in the deployment descriptor, as Sun and BEA do, the application role names are known and provided by the login module. The EJB 2.1 specification is quite tolerant as to how this mapping should be done, so I guess JBoss fulfills the spec requirements.

                      I better try it out for a while and get used to it before I decide which way I think is the better.

                      Thanks again,
                      Gunnar

                      • 8. Re: Access denied - Role mapping problem?
                        Scott Stark Master

                        Correct, I view the deployment descriptor as a poor location for role mapping. It's static and too coupled to the deployment when it should be a property of the security domain aspect associated with the deployment.
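As an added illustration of replies 4 and 6 (example code, not from the thread or from JBoss): a small resolver for the roles.properties format that UsersRolesLoginModule documents, where `user=role1,role2` assigns roles in the default group "Roles", which is the group JBoss consults for authorization, and `user.GROUP=role1,role2` assigns them to another named group. Role names are compared case-sensitively, which is why `users` in roles.properties never satisfies an <auth-constraint> on `Users`, and why the fix in reply 1 was to put the application's own role names into the file. Both properties samples are constructed; the "Department" group is hypothetical and only shows the user.GROUP syntax.

```python
"""Added example: resolve what roles JBoss 4's UsersRolesLoginModule grants
from a roles.properties file and check them against the role names an
application's <auth-constraint> uses.  Format, as documented for the module:
  user=role1,role2        roles in the default group "Roles"
  user.GROUP=role1,role2  roles in a named group GROUP
Only the "Roles" group is consulted for authorization, and role names are
compared case-sensitively."""

DEFAULT_GROUP = "Roles"

# Constructed sample: the roles.properties from the original post.
POSTED = "gugrim=users,authors,admins\n"

# Constructed sample: the corrected file.  The "Department" group is
# hypothetical and only illustrates the user.GROUP syntax.
CORRECTED = """# application role names, exactly as spelled in web.xml / ejb-jar.xml
gugrim=Users,Authors,Admins
gugrim.Department=Publishing
"""


def parse_roles(text):
    """Return {user: {group: set(roles)}}.  Handles '#'/'!' comment lines
    and blank lines; the escape sequences of full .properties files are
    not needed for role files and are not handled here."""
    roles = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        user, dot, group = key.strip().partition(".")
        group = group if dot else DEFAULT_GROUP
        names = {r.strip() for r in value.split(",") if r.strip()}
        roles.setdefault(user, {}).setdefault(group, set()).update(names)
    return roles


def has_role(roles, user, role, group=DEFAULT_GROUP):
    """Case-sensitive membership test, matching JBoss's own role check."""
    return role in roles.get(user, {}).get(group, set())


def missing_roles(roles, user, required, group=DEFAULT_GROUP):
    """Which of an application's role names the user would NOT receive."""
    return [r for r in required if not has_role(roles, user, r, group)]


APP_ROLES = ["Users", "Authors", "Admins"]   # the role-names used by the EAR

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("corrected", CORRECTED)):
        granted = parse_roles(text)
        print(label, "granted:", granted.get("gugrim"))
        print(label, "missing:", missing_roles(granted, "gugrim", APP_ROLES))
```

Run against the real conf/props/roles.properties, a non-empty list from missing_roles for a user who should pass the constraint points straight at a spelling or case mismatch between the properties file and the deployment descriptors.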