6 Replies Latest reply on Apr 12, 2010 9:37 PM by Celinio Fernandes

    Role Authorization problem with Custom Authenticator

    Brian English Newbie

      Hello, I am writing a custom Authenticator class that collects credentials from a Siteminder SMSESSION cookie. I created a security domain called CustomSMAuth and assigned the SimpleServerLoginModule to it. According to JBoss doc, this authenticator assigns a role of 'user' if the username and password are the same value. That is the behavior I'm trying to get.

      I can confirm that the Authenticator is executed and is working, but access is denied based on the user role authorization. I'm not sure if my authenticator class should be doing something different, or if I have a configuration issue with JBoss. Any help would be appreciated!

      The authenticator, after retrieving the userid value, does the following:

      GenericPrincipal userPrincipal = new GenericPrincipal(context.getRealm(), userid.trim(),userid.trim());
      session.setAttribute(Constants.SESS_USERNAME_NOTE, userPrincipal);
      request.setUserPrincipal(userPrincipal);
      register(request, response, userPrincipal, "SMSESSION", userid.trim(), userid.trim());
      return true;

      my web.xml:

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Success</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>

      <auth-constraint>
      <role-name>user</role-name>
      </auth-constraint>

      </security-constraint>


      <login-config>
      <auth-method>SMSESSION</auth-method>
      </login-config>

      <security-role>
      <role-name>user</role-name>
      </security-role>


      jboss-web.xml:

      <jboss-web>
      <security-domain>java:/jaas/CustomSMAuth</security-domain>
      </jboss-web>


      login-config.xml:
      <application-policy name="CustomSMAuth">

      <login-module code = "org.jboss.security.auth.spi.SimpleServerLoginModule"
      flag = "required">
      </login-module>

      </application-policy>


      and the log excerpt showing output from my authenticator and the authorization failure:

      2007-12-03 09:54:44,518 DEBUG [com.sas.smutil.SMSESSIONAuthenticator] Login return code: 1
      2007-12-03 09:54:44,518 DEBUG [com.sas.smutil.SMSESSIONAuthenticator] Validation Accepted, setting user principal
      2007-12-03 09:54:44,533 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'sasdemo' with type 'SMSESSION'
      2007-12-03 09:54:44,533 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
      2007-12-03 09:54:44,533 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[sasdemo()]
      2007-12-03 09:54:44,533 DEBUG [org.apache.catalina.realm.RealmBase] Username sasdemo does NOT have role user
      2007-12-03 09:54:44,533 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: user
      2007-12-03 09:54:44,533 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking for all roles mode: authOnly
      2007-12-03 09:54:44,533 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test
      2007-12-03 09:54:44,533 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ---------------------------------------------------------------
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] authType=SMSESSION
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] contentLength=-1
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] contentType=text/html;charset=utf-8
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] cookie=JSESSIONID=6F898FB15DD78EC4EEBC503B5593873C; domain=null; path=/
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Pragma=No-cache
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Cache-Control=no-cache
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Expires=Wed, 31 Dec 1969 19:00:00 EST
      2007-12-03 09:54:44,533 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] header=Set-Cookie=JSESSIONID=6F898FB15DD78EC4EEBC503B5593873C; Path=/
      2007-12-03 09:54:44,549 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] message=Access to the requested resource has been denied
      2007-12-03 09:54:44,549 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] remoteUser=sasdemo
      2007-12-03 09:54:44,549 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] status=403
      2007-12-03 09:54:44,549 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ===============================================================

        • 1. Re: Role Authorization problem with Custom Authenticator
          Brian English Newbie

          I found one solution, though I'm not sure if this is the right solution.
          I used a different constructor for the GenericPrincipal that included a
          list of roles, which at the moment I just populated with a hardcoded role name, and it worked.

          I thought obtaining the role 'mapping' was a function of the login module, not the Authenticator? Apparently the Authenticator needs to include the roles in the user principal object.

          • 2. Re: Role Authorization problem with Custom Authenticator
            Vijay P Newbie

            Hi brengl, anyone,

            This obviously is a newbie question so try to answer even if it sounds trivial. I am using JBoss-4.0.5-GA, JDK 1.5.



            Currently, I am in the process of writing a Custom Form Authenticator and have an idea how to do it in jakarta-tomcat-5.0.28. The reason I need a custom Authenticator is for obtaining extra information from the User via the Form. I also have to do the Authentication from a non-Database/ non-LDAP source using APIs. For which I believe I have to write a custom Login Module as well. The Authorization (Role-Mapping) will be available from a Database.

            My Question to you ( since you have taken the similar route)

            1) What are the configuration/settings required for JBoss?. Please specify/elaborate the contents for web.xml, jboss-service.xml.) From your original post I do some idea. However I would like to make sure nothing was omitted for brevity.

            2)Did you manually modify the catalina.jar ( Authenticator.properties) to enable JBoss to recognize the Custom Auth Method? If no, then how is it possible?
            3) Where to install the Custom Authenticator Jar?
            4) Any Gotchas one needs to be aware of?


            Any help is appreciated,

            Thanks in advance.

            vparmar

            • 3. Re: Role Authorization problem with Custom Authenticator
              Brian English Newbie

              vparmar, I had forgotten that I made this inquiry, it seems you found a really old post. I appreciate the response though.

              What I ended up doing here was creating a custom LoginModule instead of an Authenicator class. That ended up doing what I needed. The way I set it up was to require that an HTTP server with a valid Siteminder agent be in front of JBoss as a reverse proxy. My LoginModule would then take the encrypted SMSESSION cookie from the HTTP server and I could validate it with the Siteminder Policy Server and retrieve identity and authorization information from the Policy Server in order to create a user Principal. If there is no valid SMSESSION cookie present the login fails.

              This doesn't create a true Siteminder 'agent' for JBoss, but it does allow integration with Siteminder through a reverse proxy.

              • 4. Re: Role Authorization problem with Custom Authenticator
                Vijay P Newbie

                brengl,

                Thanks for the quick response. I understand your use case was better served with the custom login module after all.

                Your response did give me ideas on one of my future action items related to Siteminder.

                vparmar

                • 5. Re: Role Authorization problem with Custom Authenticator
                  Brian English Newbie

                  One more comment to clarify, I made no provision in my login module to obtain credentials, ie callbackhandler or anything like that. It strictly relied on a valid SMSESSION cookie. If it was available and valid it would succeed, otherwise it would fail.

                  • 6. Re: Role Authorization problem with Custom Authenticator
                    Celinio Fernandes Novice

                    Brian,
                    can you share the code of that custom LoginModule ?
                    And how did you set up this HTTP server with a valid Siteminder agent  in front of JBoss as a reverse proxy ?
                    Thanks.