3 Replies Latest reply on Mar 28, 2008 11:27 AM by Jon Gilmore

    Arrggh!  JAAS Policy File with JBOSS - Please Help!

    Jon Gilmore Newbie

      My application security runs great in Tomcat but when I run it in JBoss it doesn't work.

      I have deployed a DynamicLoginConfig MBean to specify the location of my custom login-config.xml:

      jboss-service.xml:

      <server>
      
       <!-- JG:
       Added this mbean so that jboss will look first in META-INF for the login config before looking in the config directory
       of the jboss root-->
       <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
       name="jboss:service=DynamicLoginConfig">
       <attribute name="AuthConfig">META-INF/jboss-login-config.xml</attribute>
       <!-- The service which supports dynamic processing of login-config.xml
       configurations.
       -->
       <depends optional-attribute-name="LoginConfigService">
       jboss.security:service=XMLLoginConfig
       </depends>
       <!-- Optionally specify the security mgr service to use when
       this service is stopped to flush the auth caches of the domains
       registered by this service.
       -->
       <depends optional-attribute-name="SecurityManagerService">
       jboss.security:service=JaasSecurityManager
       </depends>
       </mbean>
      </server>


      Where jboss-login-config.xml looks like this:

      <policy>
      
       <application-policy name="CustomerAdmin">
       <authentication>
       <login-module code="com.ftid.custadmin.security.HibernateLoginModule" flag="required">
       <module-option name="policy">META-INF/ClientAdmin.policy</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
      </policy>


      This works great, when logging into my application on JBoss my custom HibernateLoginModule class is called. However, I have a JAAS Policy file that looks like this..

      
      grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_customer" {
       permission com.ftid.custadmin.security.ViewIdPermission "/client/clientsView.*";
       permission com.ftid.custadmin.security.ViewIdPermission "/client/clientLandingPage.*";
      };
      
      grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_update_customer" {
       permission com.ftid.custadmin.security.ViewIdPermission "/client/clientEdit.*";
      };
      
      etc.
      


      How do I get the JBoss SecurityManager to read this JAAS policy file??

      In tomcat I simply had to do the following which works very well:

      System.setProperty("java.security.auth.login.config", sc.getRealPath("/WEB-INF/jaas.properties"));
      System.setProperty("java.security.auth.policy", sc.getRealPath("/WEB-INF/ClientAdmin.policy"));
      SecurityManager sm = System.getSecurityManager();
      .
      .
      .
      Permission perm = new ViewIdPermission("/client/clientEdit");
      sm.checkPermission(perm);
      


      When this code runs in JBoss an AccessControlException is thrown. It seems that JBoss creates it's own SecurityManager that hasn't been set up using my Policy file.

      HOW DO I GET JBOSS TO READ MY POLICY FILE ?? Please Help!!


        • 1. Re: JAAS Policy File with JBOSS - Please Help!
          Jon Gilmore Newbie

          I have now added the following line to the JAVA_OPTS section of run.bat

          -Djava.security.manager -Djava.security.policy=server.policy
          


          Next time I started JBoss I received the following error:

          Failed to boot JBoss:
          java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write) at java.security.AccessControlContext.checkPermission(AccessControlConte
          xt.java:264)
           at java.security.AccessController.checkPermission(AccessController.java:
          427)
           at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
           at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:
          1252)
           at java.lang.System.getProperties(System.java:561)
           at org.jboss.Main.<init>(Main.java:86)
           at org.jboss.Main$1.run(Main.java:489)
           at java.lang.Thread.run(Thread.java:595)
          


          I solved this problem by placing the following in the server.policy file (which, for convenience, is currently placed in the bin directory).

          grant {
          permission java.security.AllPermission;
          };
          


          So now my server starts. Great, I now know the the server.policy in the bin directory is being taken notice of. If I now put application specific permissions in the policy file like so:

          grant {
          permission java.security.AllPermission;
          };
          
          grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_customer" {
           permission com.ftid.custadmin.security.ViewIdPermission "/client/clientsView.*";
           permission com.ftid.custadmin.security.ViewIdPermission "/client/clientLandingPage.*";
          };
          
          grant Principal com.ftid.custadmin.security.ClientAdminPrincipal "view_update_customer" {
           permission com.ftid.custadmin.security.ViewIdPermission "/client/clientEdit.*";
          };
          


          It doesn't work, my application deployed onto JBoss simply gives access to all my subjects, no matter what principles they have assigned.

          Does anybody know how to get the application specific principal permissions loaded into the JBoss SecurityManager??

          • 2. Re: Arrggh!  JAAS Policy File with JBOSS - Please Help!
            Ragav Gomatam Novice

            Try adding your policies under $JBOSS_HOME/client/auth.conf

            Web container in jboss looks there & if authenticated passes the Subject seamlessly to ejb container.