1 Reply Latest reply on Oct 2, 2006 5:49 AM by Rudy Tosin

    Intermittent losing of user principal in standalone Tomcat

    Rudy Tosin Newbie

      Hi All,


      I have web application running on JBoss 4.0.4. I use LdapLoginModule to secure the EJB tier. In the web tier, I add a filter that perform JAAS login (using client-login module) for every incoming request. Everything works fine, user's principal and credentials are propagated successfully from web tier to EJB tier.

      Problem arises when I try to move web tier to standalone Tomcat(version 5.5.17). The user's principal is lost in the middle of method calls. Here's the call sequence:

      1. do JAAS login in web tier
      2. call method1 in EJB tier - successful
      3. call method2 in EJB tier - successful
      4. call method3 in EJB tier - failed, user's principal is NULL
      5. do JAAS logout

      The strange thing is, I can invoke method3 in EJB tier successfully at least once if I try it a few times.

      Here's the stacktrace in Web tier (Tomcat):

      java.rmi.AccessException: SecurityException; nested exception is:
       javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
       at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:388)
       at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:209)
       at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:1 36)
       at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
       at org.jboss.ejb.Container.invoke(Container.java:954)
       at sun.reflect.GeneratedMethodAccessor96.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:819)
       at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:420)
       at sun.reflect.GeneratedMethodAccessor101.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
       at sun.rmi.transport.Transport$1.run(Transport.java:153)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
       at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
       at java.lang.Thread.run(Thread.java:595)
      Caused by: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java: 213)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
       at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
       at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:211 )
       at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:158)
       at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
       ... 23 more
      


      Here's the stacktrace in EJB tier (JBoss):
      2006-09-29 17:24:29,011 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=admin
      2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] local transaction exists - registering global tx if not present for Thread[RMI TCP Connection(428)-127.0.0.1,5,RMI Runtime]
      2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] Transaction TransactionImpl:XidImpl[FormatId=257, GlobalId=quark/3739, BranchQual=, localId=3739] is already registered.
      2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] Running commit phase. One phase? false
      2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] Finished local commit/rollback method for GlobalTransaction:<null>:939
      2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] Finished commit phase
      2006-09-29 17:24:29,011 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
      2006-09-29 17:24:29,011 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@a8018a{principal=admin,subject=null}
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] Begin isValid, principal:admin, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170]
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] Begin validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170];credential.class=[C@27310413
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] End validateCache, isValid=true
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] End isValid, true
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
       Principal: admin
       Principal: Roles(members)
      , sc=org.jboss.security.SecurityAssociation$SubjectContext@34e0db{principal=admin,subject=26629440}
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
      2006-09-29 17:24:29,014 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@34e0db{principal=admin,subject=26629440}
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] Begin isValid, principal:admin, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170]
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] Begin validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170];credential.class=[C@27310413
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] End validateCache, isValid=true
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] End isValid, true
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
       Principal: admin
       Principal: Roles(members)
      , sc=org.jboss.security.SecurityAssociation$SubjectContext@15673be{principal=admin,subject=13167287}
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2006-09-29 17:24:29,022 TRACE [org.jboss.security.SecurityAssociation] getCallerPrincipal, principal=admin2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170]
      2006-09-29 17:24:29,037 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
      2006-09-29 17:24:29,037 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@15673be{principal=admin,subject=13167287}
      2006-09-29 17:24:29,040 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1859504{principal=null,subject=null}
      2006-09-29 17:24:29,040 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2006-09-29 17:24:29,040 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
      2006-09-29 17:24:29,040 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@1859504{principal=null,subject=null}
      2006-09-29 17:24:29,046 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@73280f{principal=null,subject=null}
      2006-09-29 17:24:29,046 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2006-09-29 17:24:29,046 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
      2006-09-29 17:24:29,046 DEBUG [org.jboss.cache.interceptors.TxInterceptor] local transaction exists - registering global tx if not present for Thread[RMI TCP Connection(428)-127.0.0.1,5,RMI Runtime]
      



      I've searched the forum but I couldnt find any useful information related to my problem. Are there any additional configuration/steps that I've to do if I want to implement JAAS on seperate Tomcat + JBoss? Any help will be greatly appreciated.


      regards,



        • 1. Re: Intermittent losing of user principal in standalone Tomc
          Rudy Tosin Newbie

          The problem is solved after I added multi-threaded="true" in auth.conf.

          Taken from http://wiki.jboss.org/wiki/Wiki.jsp?page=ClientLoginModule


          When the multi-threaded option is set to true, each login thread has its own principal and credential storage. This is useful in client environments where multiple user identities are active in separate threads. When true, each separate thread must perform its own login. When set to false the login identity and credentials are global variables that apply to all threads in the VM. The default for this option is false.


          Does it mean that embedded Tomcat and standalone Tomcat handle the thread in different way (since I'm using the same code but got different result when I deployed them in diff environment)?

          regards,