4 Replies Latest reply on Jun 18, 2009 1:13 AM by Calvin Lin

    Authentication in ejb container fails to use security domain

    Calvin Lin Newbie

      We found this problem when moving from JBoss 4 to JBoss 5.0.1.

      Here is the server.log:

      2009-06-10 21:15:16,822 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) Creating SDC for domain=CLIENT_LOGIN_MODULE
      2009-06-10 21:15:16,822 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.CLIENT_LOGIN_MODULE] (http-0.0.0.0-8080-1) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@1298c7d
      2009-06-10 21:15:16,822 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.CLIENT_LOGIN_MODULE] (http-0.0.0.0-8080-1) CachePolicy set to: org.jboss.util.TimedCachePolicy@c677a7
      2009-06-10 21:15:16,822 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) setCachePolicy, c=org.jboss.util.TimedCachePolicy@c677a7
      2009-06-10 21:15:16,838 ERROR [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Failed to load users/passwords/role files
      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
      at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
      at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
      at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
      at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
      at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
      at org.jboss.security.javaee.EJBAuthenticationHelper.isValid(EJBAuthenticationHelper.java:87)
      at org.jboss.ejb.plugins.SecurityActions$13.run(SecurityActions.java:543)
      at org.jboss.ejb.plugins.SecurityActions$13.run(SecurityActions.java:540)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.jboss.ejb.plugins.SecurityActions.isValid(SecurityActions.java:539)
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:314)
      at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
      at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
      at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
      at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
      at org.jboss.ejb.Container.invoke(Container.java:1046)
      at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:362)
      at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:133)
      at $Proxy120.create(Unknown Source)
      at com.filenet.apiimpl.transport.ejb.EnginePortFactory.create(EnginePortFactory.java:36)
      at com.filenet.apiimpl.wsi.ServerHelperNst.getEnginePort(ServerHelperNst.java:90)
      at com.filenet.apiimpl.wsi.ServiceSessionNst$1.run(ServiceSessionNst.java:1050)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.Subject.doAs(Subject.java:396)
      at com.filenet.apiimpl.authentication.util.J2EEAuthnUtil.runAs(J2EEAuthnUtil.java:533)
      at com.filenet.apiimpl.authentication.util.J2EEAuthnUtilJB.runAs(J2EEAuthnUtilJB.java:280)
      at com.filenet.apiimpl.util.J2EEUtilJB.doAs(J2EEUtilJB.java:103)
      at com.filenet.apiimpl.wsi.ServiceSessionNst.makeServerInternalEJBCall(ServiceSessionNst.java:961)
      at com.filenet.apiimpl.wsi.ServiceSessionNst.incomingRequestToServer(ServiceSessionNst.java:917)
      at com.filenet.engine.wsi.ListenerNst.service(ListenerNst.java:101)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
      at java.lang.Thread.run(Thread.java:619)
      2009-06-10 21:15:16,853 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (http-0.0.0.0-8080-1) Error in Security Interceptor
      java.lang.SecurityException: Authentication exception, principal=CEAdmin
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:321)
      at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
      at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
      at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
      at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
      at org.jboss.ejb.Container.invoke(Container.java:1046)
      at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:362)
      at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:133)
      at $Proxy120.create(Unknown Source)
      at com.filenet.apiimpl.transport.ejb.EnginePortFactory.create(EnginePortFactory.java:36)
      at com.filenet.apiimpl.wsi.ServerHelperNst.getEnginePort(ServerHelperNst.java:90)
      at com.filenet.apiimpl.wsi.ServiceSessionNst$1.run(ServiceSessionNst.java:1050)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.Subject.doAs(Subject.java:396)
      at com.filenet.apiimpl.authentication.util.J2EEAuthnUtil.runAs(J2EEAuthnUtil.java:533)
      at com.filenet.apiimpl.authentication.util.J2EEAuthnUtilJB.runAs(J2EEAuthnUtilJB.java:280)
      at com.filenet.apiimpl.util.J2EEUtilJB.doAs(J2EEUtilJB.java:103)
      at com.filenet.apiimpl.wsi.ServiceSessionNst.makeServerInternalEJBCall(ServiceSessionNst.java:961)
      at com.filenet.apiimpl.wsi.ServiceSessionNst.incomingRequestToServer(ServiceSessionNst.java:917)
      at com.filenet.engine.wsi.ListenerNst.service(ListenerNst.java:101)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
      at java.lang.Thread.run(Thread.java:619)

      The jboss.xml file in our server ejb's META-INF:

      <?xml version="1.0"?>
      <jboss>

      <enterprise-beans>

      <session>
      <ejb-name>Engine</ejb-name>
      <jndi-name>FileNet/Engine</jndi-name>
      <local-jndi-name>FileNet/Local/Engine</local-jndi-name>
      </session>

      <session>
      <ejb-name>EngineCore</ejb-name>
      <local-jndi-name>FileNet/Local/EngineCore</local-jndi-name>
      </session>

      <session>
      <ejb-name>EngineContent</ejb-name>
      <jndi-name>FileNet/EngineContent</jndi-name>
      <local-jndi-name>FileNet/Local/EngineContent</local-jndi-name>
      </session>

      <session>
      <ejb-name>EngineContentCore</ejb-name>
      <local-jndi-name>FileNet/Local/EngineContentCore</local-jndi-name>
      </session>

      </enterprise-beans>

      <container-configurations>
      <container-configuration>
      <container-name>Standard Stateless SessionBean</container-name>
      <security-domain>java:/jaas/FileNet</security-domain>
      </container-configuration>
      </container-configurations>

      </jboss>


      In JBoss 5.0.1, we found that the SecurityInterceptor correctly retrieved the security domain from jboss.xml. However, when it is inside EJBAuthenticationHelper.isValid(), the security domain is "CLIENT_LOGIN_MODULE".

      Since there is no "CLIENT_LOGIN_MODULE" application-policy defined in our login-config.xml file, it falls back to "other" and executes the wrong login module - UsersRolesLoginModule.

      Does anyone know why the security domain override via jboss.xml is not working in JBoss 5?
      How do we get the ejb authentication to use "FileNet" as specified in the jboss.xml?

      We tried adding <security-domain>java:/jaas/FileNet</security-domain> as a top level element in jboss.xml to no avail.

      Does anyone experience the same issue when migrating from JBoss 4 to 5?

        • 1. Re: Authentication in ejb container fails to use security do
          Anil Saldanha Master

          Our test suite has test(s) for container configurations and security domain defined in container configs (jboss.xml). I am surprised that you have this issue.

          Try with AS5.1.0. I am not saying that your issue is solved.

          You can first try to create a sample ejb project (ejbs) and reproduce the failure. After that, you can create a jira issue in JBAS and attach the sample project to the jira for a faster resolution.

          • 2. Re: Authentication in ejb container fails to use security do
            jaikiran pai Master


            We tried adding <security-domain>java:/jaas/FileNet</security-domain> as a top level element in jboss.xml to no avail.


            I remember there was a change in AS-4.x where the security domain name was no longer expected to contain the java:/jaas prefix. I guess you were using a 4.0.x version of JBoss (which expected the java:/jaas to be present). Try using:

            <security-domain>FileNet</security-domain>


            As Anil mentioned, we have some working testsuite and even tutorial for this exact same thing:

            http://www.jboss.org/file-access/default/members/jbossejb3/freezone/docs/tutorial/1.0.7/html/jboss.xml_deployment_descriptor.html
            http://anonsvn.jboss.org/repos/jbossas/projects/ejb3/trunk/docs/tutorial/jboss_deployment_descriptor/META-INF/jboss.xml

            • 3. Re: Authentication in ejb container fails to use security do
              Calvin Lin Newbie

              Thanks for your responses.
              We have tried using JBoss 5.1.0GA and ran into exactly the same problem.
              We also tried using <security-domain>FileNet</security-domain> as jaikiran mentioned, and the result was the same.

              We could run a Java client application using EJB transport without problems.
              This problem only occurs when we use an application that uses Web Services transport to connect to our application engine, which involves having the WSI listener propagate the security information to the EJB's security domain for authentication. Our WSI listener is implemented as a web servlet in the JBoss web container which invokes FnClientLoginModule initially under the "FileNetP8Engine" application-policy; the authentication against LDAP is then performed in the EJB container through the "FileNet" application-policy, which is defined as the EJB security domain in jboss.xml.

              Here is the excerpt of the login-config.xml:

              <?xml version="1.0" encoding="UTF-8"?>
              <policy>

              <application-policy name="FileNetP8Engine">
              <authentication>
              <login-module code="com.filenet.api.authentication.jboss.login.FnClientLoginModule" flag="required">
              <module-option name="multi-threaded">true</module-option>
              </login-module>
              </authentication>
              </application-policy>

              <application-policy name="FileNet">
              <authentication>
              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
              <module-option name="java.naming.provider.url">ldap://ldaphost:389</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
              <module-option name="bindDN">cn=CEAdmin,ou=FileNet,dc=ldaphost,dc=com</module-option>
              <module-option name="bindCredential">password</module-option>
              <module-option name="baseCtxDN">dc=ldaphost,dc=com</module-option>
              <module-option name="baseFilter">(cn={0})</module-option>
              <module-option name="rolesCtxDN">dc=ldaphost,dc=com</module-option>
              <module-option name="roleFilter">(uniqueMember={0})</module-option>
              <module-option name="matchOnUserDN">true</module-option>
              <module-option name="roleAttributeID">cn</module-option>
              <module-option name="uidAttributeID">cn</module-option>
              <module-option name="roleAttributeIsDN">false</module-option>
              </login-module>
              </authentication>
              </application-policy>

              </policy>


              This mechanism has been working in JBoss 4.0.5 and 4.2.x.

              We will try to reproduce the problem on a sample application.
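As an added check, not code from JBoss, FileNet or anyone in this thread: the security domain named in jboss.xml (with or without the legacy java:/jaas/ prefix jaikiran mentions) is matched against the application-policy names in login-config.xml, and any unmatched domain is shown falling back to the "other" policy, which is how UsersRolesLoginModule ended up running in the server.log above. The two descriptors are constructed to mirror the excerpts posted in the thread; the "other" policy carrying UsersRolesLoginModule is assumed to be the stock JBoss default.

```python
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"

# Constructed jboss.xml: the container-configuration form posted in the thread.
JBOSS_XML = """<?xml version="1.0"?>
<jboss>
  <container-configurations>
    <container-configuration>
      <container-name>Standard Stateless SessionBean</container-name>
      <security-domain>java:/jaas/FileNet</security-domain>
    </container-configuration>
  </container-configurations>
</jboss>"""

# Constructed login-config.xml: the posted "FileNet" policy plus the (assumed
# stock) "other" policy that JBoss uses when a domain name has no policy.
LOGIN_CONFIG_XML = """<?xml version="1.0"?>
<policy>
  <application-policy name="FileNet">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required"/>
    </authentication>
  </application-policy>
  <application-policy name="other">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>"""

def normalize_domain(name):
    """Strip the legacy java:/jaas/ prefix so both spellings resolve to one policy name."""
    name = name.strip()
    return name[len(JAAS_PREFIX):] if name.startswith(JAAS_PREFIX) else name

def referenced_domains(jboss_xml):
    """Every <security-domain> in jboss.xml, top level or inside a container configuration."""
    root = ET.fromstring(jboss_xml)
    return [normalize_domain(e.text or "") for e in root.iter("security-domain")]

def policy_modules(login_config_xml):
    """Map each application-policy name to the login-module classes it runs."""
    root = ET.fromstring(login_config_xml)
    return {p.get("name"): [m.get("code") for m in p.iter("login-module")]
            for p in root.iter("application-policy")}

def resolve(jboss_xml, login_config_xml):
    """(effective policy, login modules) per referenced domain; an unknown
    domain falls back to "other", which is the path the server.log above shows."""
    policies = policy_modules(login_config_xml)
    report = {}
    for domain in referenced_domains(jboss_xml):
        effective = domain if domain in policies else "other"
        report[domain] = (effective, policies.get(effective, []))
    return report
```

Running resolve() over the real descriptors of a deployment is a quick way to confirm, before redeploying, that every EJB security domain lands on the LDAP policy rather than on "other".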