1 Reply Latest reply on Oct 6, 2009 6:27 AM by Bharanidharan Lakshmikanthan

    JAAS Security conversion from WebSphereAS to JBossAS

    Pam Cable Newbie

      JBoss Team --
      I am trying to convert an application using JAAS on WebSphere to be using JAAS on JBoss.
      I have been reviewing the documentation about JBossSX and the JBoss Security Integration Guide and counteless other documentation.

      However, I feel like I am still missing some things.

      1. The implementation in WebSphere contained a file named ibm-application-bnd.xmi that was located in the applicationEAR\META-INF folder.
      An excerpt from that file follows. My first question is - Is there some file that I need to define like this for the JBoss configuration?

      <?xml version="1.0" encoding="UTF-8"?>
      <applicationbnd:ApplicationBinding xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:applicationbnd="applicationbnd.xmi" xmi:id="ApplicationBinding_1103565947194">
      <authorizationTable xmi:id="AuthorizationTable_1103565947194">
      <authorizations xmi:id="RoleAssignment_1108662566127">

      <groups xmi:id="Group_1159457809140" name="App.Prod.~~~.BranchManager"/>
      <groups xmi:id="Group_1159457809141" name="App.Prod.~~~.BranchManager"/>
      <groups xmi:id="Group_1159457809142" name="App.Prod.~~~.BranchManager"/>
      ...


      2. I have the JAAS connecting to the LDAP but I am having some problems with the LDAP properties.
      Also, I still feel like I am missing something that tells the server how to match the LDAP groups to the role names
      specified in the web.xml

      So, with those questions asked here is my current setup:


      the application's (located in the War's WEB-INF folder)
      web.xml:
      ...
      <security-constraint id="SecurityConstraint_1159792191999">
      <display-name>Region Managers Resources</display-name>
      <web-resource-collection id="WebResourceCollection_1159792191999">
      <web-resource-name>Region Managers Resources</web-resource-name>

      <url-pattern>/admin/regionMan/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint id="AuthConstraint_1159792191999">

      <role-name>BranchManager</role-name>
      <role-name>Admin</role-name>
      </auth-constraint>
      </security-constraint>
      <security-constraint id="SecurityConstraint_1159792192015">
      <web-resource-collection id="WebResourceCollection_1159792192015">
      <web-resource-name>Assign Assistants</web-resource-name>

      <url-pattern>/admin/assistants/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint id="AuthConstraint_1159792192031">

      <role-name>BranchManager</role-name>
      <role-name>Admin</role-name>
      </auth-constraint>
      </security-constraint>
      <security-constraint id="SecurityConstraint_1159792192031">
      <web-resource-collection id="WebResourceCollection_1159792192031">
      <web-resource-name>Admin Resources</web-resource-name>

      <url-pattern>/admin/reports/*</url-pattern>
      <url-pattern>/admin/regionAdmin/*</url-pattern>
      <url-pattern>/admin/siteAdmin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint id="AuthConstraint_1159792192032">

      <role-name>Admin</role-name>
      </auth-constraint>
      </security-constraint>
      <login-config id="LoginConfig_1159792192046">
      <auth-method>FORM</auth-method>
      <form-login-config id="FormLoginConfig_1159792192046">
      <form-login-page>/redirectToLogin.jsp</form-login-page>
      <form-error-page>/redirectToErrorLogin.jsp</form-error-page>
      </form-login-config>
      </login-config>
      <security-role id="SecurityRole_1112738942726">

      <role-name>BranchManager</role-name>
      </security-role>
      <security-role id="SecurityRole_1112644368717">

      <role-name>Admin</role-name>
      </security-role>
      ...


      the application's (located in the War's WEB-INF folder)
      jboss-web.xml =
      <?xml version="1.0"?>
      <jboss-web>
      <!-- All secured web content uses this security manager -->
      <security-domain>java:/jaas/myAppAdmin</security-domain>
      </jboss-web>



      the server's
      login-config.xml =
      <application-policy name = "myAppAdmin">

      <login-module code = "org.jboss.security.auth.spi.LdapLoginModule" flag = "required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://server:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="java.naming.security.principal">username</module-option>
      <module-option name="java.naming.security.credentials">password</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="uidAttributeID">sAMAccountName</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      </login-module>

      </application-policy>





      When I run the application, I am currently getting the following LDAP error:

      Where I feel like I am still missing something is the fact that in WebSphere, we had to define an ibm-application-bnd.xmi file which looks like the below snippet. However, I am not sure where I would be putting this equivalent for the JBoss configuration.



      2008-02-07 10:47:44,407 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /contextRoot/j_security_check
      2008-02-07 10:47:44,423 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authenticating username 'pcable'
      2008-02-07 10:47:44,423 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Begin authenticate, username=pcable
      2008-02-07 10:47:44,423 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.java.javaURLContextFactory, false)
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.java.javaURLContextFactory)
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.ENCFactory, false)
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.ENCFactory)
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory, false)
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory)
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.Proxy, false)
      2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.UndeclaredThrowableException, false)
      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.NoSuchMethodError, false)
      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.InvocationHandler, false)
      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(javax.naming.Name, false)
      2008-02-07 10:47:44,454 TRACE [org.jboss.security.plugins.JaasSecurityManager] Constructing
      2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManager.contextRoot] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@47cfb2
      2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@94b150
      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory, false)
      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory)
      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
      2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManager.contextRoot] CachePolicy set to: org.jboss.util.TimedCachePolicy@4fe90
      2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@4fe90
      2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added contextRoot, org.jboss.security.plugins.SecurityDomainContext@550344 to map
      2008-02-07 10:47:44,454 TRACE [org.jboss.security.plugins.JaasSecurityManager.contextRoot] Begin isValid, principal:pcable, cache info: null
      2008-02-07 10:47:44,454 TRACE [org.jboss.security.plugins.JaasSecurityManager.contextRoot] defaultLogin, principal=pcable
      2008-02-07 10:47:44,454 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(contextRoot), size=9
      2008-02-07 10:47:44,454 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(contextRoot), authInfo=AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:name=uidAttributeID, value=sAMAccountName
      name=java.naming.security.authentication, value=simple
      name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
      name=java.naming.security.credentials, value=password
      name=matchOnUserDN, value=true
      name=java.naming.provider.url, value=ldap://server:389
      name=java.naming.security.principal, value=username
      name=roleAttributeIsDN, value=false
      name=roleAttributeID, value=memberOf

      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.auth.spi.LdapLoginModule, false)
      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.auth.spi.LdapLoginModule)
      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
      2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
      2008-02-07 10:47:44,469 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@15024292
      2008-02-07 10:47:44,469 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Security domain: contextRoot
      2008-02-07 10:47:44,469 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
      2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402880701 sessioncount 0
      2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
      2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402880701 sessioncount 0
      2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
      2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402880701 sessioncount 0
      2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
      2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402880701 sessioncount 0
      2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
      2008-02-07 10:48:10,709 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402890709 sessioncount 0
      2008-02-07 10:48:10,709 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
      2008-02-07 10:48:13,148 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=pcable, roleAttributeID=memberOf, matchOnUserDN=true, jboss.security.security_domain=contextRoot, java.naming.provider.url=ldap://server:389, roleAttributeIsDN=false, uidAttributeID=sAMAccountName, java.naming.security.authentication=simple, java.naming.security.credentials=***}
      2008-02-07 10:48:13,148 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(com.sun.jndi.ldap.LdapCtxFactory, false)
      2008-02-07 10:48:13,164 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=pcable
      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2753)
      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)
      at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:287)
      ...




      Yes, I do realize that the LDAP: error code 49 means that the username and/or password is incorrect.

      I guess I am just wanting to validate my migration path so far and determine how the ibm-application-bnd.xmi information fits into the JBoss Security Setup.
      Also, the login-config.xml - in the JBoss Security FAQ it says the <application-policy name="mydomain"> does the mydomain have to be the LDAP domain
      or just some name that I make up that has to be the same text put in the jboss-web.xml so that they match up?


      Any ideas?



      Thanks