7 Replies Latest reply on Jul 5, 2004 1:33 AM by Mike Finn

    login-config.xml problem

    Anders Görtz Newbie

      Hi!

      I'm trying to password protect one of my .war files but have yet run out of luck. I think my problem lies within the login-config.xml file since the is a WARN in the log when reading this file, cut from the server.log file:

      2004-07-02 10:13:58,326 INFO [org.jboss.security.plugins.SecurityConfig] Started jboss.security:service=SecurityConfig
      2004-07-02 10:13:58,426 WARN [org.jboss.security.auth.login.XMLLoginConfigImpl] Failed to load config: file:/C:/Legatus/jboss-3.2.3/server/default/conf/login-config.xml
      org.jboss.security.auth.login.ParseException: Encountered "<?xml" at line 1, column 1.
      Was expecting one of:

      ...

      at org.jboss.security.auth.login.SunConfigParser.generateParseException()Lorg.jboss.security.auth.login.ParseException;(SunConfigParser.java:389)
      at org.jboss.security.auth.login.SunConfigParser.jj_consume_token(I)Lorg.jboss.security.auth.login.Token;(SunConfigParser.java:327)
      at org.jboss.security.auth.login.SunConfigParser.config()V(SunConfigParser.java:98)
      at org.jboss.security.auth.login.SunConfigParser.parse(Ljava.io.Reader;Lorg.jboss.security.auth.login.XMLLoginConfigImpl;Z)V(SunConfigParser.java:57)
      at org.jboss.security.auth.login.SunConfigParser.doParse(Ljava.io.Reader;Lorg.jboss.security.auth.login.XMLLoginConfigImpl;Z)V(SunConfigParser.java:79)
      at org.jboss.security.auth.login.XMLLoginConfigImpl.loadSunConfig(Ljava.net.URL;Ljava.util.ArrayList;)V(XMLLoginConfigImpl.java:273)
      at org.jboss.security.auth.login.XMLLoginConfigImpl.loadConfig(Ljava.net.URL;)[Ljava.lang.String;(XMLLoginConfigImpl.java:257)
      at org.jboss.security.auth.login.XMLLoginConfigImpl.loadConfig()V(XMLLoginConfigImpl.java:233)
      at org.jboss.security.auth.login.XMLLoginConfig.startService()V(XMLLoginConfig.java:152)
      at org.jboss.system.ServiceMBeanSupport.start()V(ServiceMBeanSupport.java:192)
      at jrockit.reflect.NativeMethodInvoker.invoke0(Ljava.lang.Object;ILjava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
      at jrockit.reflect.NativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
      at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
      at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source)
      at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String;)Ljava.lang.Object;(ReflectedMBeanDispatcher.java:284)
      at org.jboss.mx.server.MBeanServerImpl.invoke(Ljavax.management.ObjectName;Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String;)Ljava.lang.Object;(MBeanServerImpl.java:546)
      at org.jboss.system.ServiceController$ServiceProxy.invoke(Ljava.lang.Object;Ljava.lang.reflect.Method;[Ljava.lang.Object;)Ljava.lang.Object;(ServiceController.java:976)
      at $Proxy0.start()V(Unknown Source)
      at org.jboss.system.ServiceController.start(Ljavax.management.ObjectName;)V(ServiceController.java:394)
      at jrockit.reflect.NativeMethodInvoker.invoke0(Ljava.lang.Object;ILjava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
      at jrockit.reflect.NativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
      at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
      at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source)
      at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String;)Ljava.lang.Object;(ReflectedMBeanDispatcher.java:284)
      at org.jboss.mx.server.MBeanServerImpl.invoke(Ljavax.management.ObjectName;Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String;)Ljava.lang.Object;(MBeanServerImpl.java:546)
      at org.jboss.mx.util.MBeanProxyExt.invoke(Ljava.lang.Object;Ljava.lang.reflect.Method;[Ljava.lang.Object;)Ljava.lang.Object;(MBeanProxyExt.java:177)
      at $Proxy4.start(Ljavax.management.ObjectName;)V(Unknown Source)
      at org.jboss.deployment.SARDeployer.start(Lorg.jboss.deployment.DeploymentInfo;)V(SARDeployer.java:226)
      at org.jboss.deployment.MainDeployer.start(Lorg.jboss.deployment.DeploymentInfo;)V(MainDeployer.java:832)
      at org.jboss.deployment.MainDeployer.deploy(Lorg.jboss.deployment.DeploymentInfo;)V(MainDeployer.java:642)
      at org.jboss.deployment.MainDeployer.deploy(Ljava.net.URL;)V(MainDeployer.java:605)
      at org.jboss.deployment.MainDeployer.deploy(Ljava.lang.String;)V(MainDeployer.java:589)

      My login-config.xml looks like this:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

      <!-- Used by clients within the application server VM such as
      mbeans and servlets that access EJBs.
      -->
      <application-policy name = "client-login">

      <login-module code = "org.jboss.security.ClientLoginModule"
      flag = "required">
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
      </login-module>

      </application-policy>

      <!-- TFPortlets security domain -->
      <application-policy name = "snip">

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required"/>

      </application-policy>

      <!-- Security domain for JBossMQ -->
      <application-policy name = "jbossmq">

      <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
      </login-module>

      </application-policy>

      <!-- Security domains for testing new jca framework -->
      <application-policy name = "HsqlDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sa</module-option>
      <module-option name = "userName">sa</module-option>
      <module-option name = "password"></module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "FirebirdDBRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sysdba</module-option>
      <module-option name = "userName">sysdba</module-option>
      <module-option name = "password">masterkey</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "JmsXARealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">guest</module-option>
      <module-option name = "userName">guest</module-option>
      <module-option name = "password">guest</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
      </login-module>

      </application-policy>

      <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
      -->
      <application-policy name = "jmx-console">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>

      <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
      -->
      <application-policy name = "web-console">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>

      <!-- The default login configuration used by any security domain that
      does not have a application-policy entry with a matching name
      -->
      <application-policy name = "other">
      <!-- A simple server login module, which can be used when the number
      of users is relatively small. It uses two properties files:
      users.properties, which holds users (key) and their password (value).
      roles.properties, which holds users (key) and a comma-separated list of
      their roles (value).
      The unauthenticatedIdentity property defines the name of the principal
      that will be used when a null username and password are presented as is
      the case for an unuathenticated web client or MDB. If you want to
      allow such users to be authenticated add the property, e.g.,
      unauthenticatedIdentity="nobody"
      -->

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>



      where the application-policy name = snip is the .war file that I want to password protect.

      /Anders

        • 1. Re: login-config.xml problem
          Oliver Henlich Newbie

          Hmm maybe you cut-n-pasted the login-config.xml file wrong,
          but it seems to be missing the root element defined in the DTD (security_config.dtd)

          The outline of the application-policy is:
          <policy>
           <application-policy name="security-domain-name">
           <authentication>
           <login-module code="login.module1.class.name" flag="control_flag">
           <module-option name = "option1-name">option1-value</module-option>
           <module-option name = "option2-name">option2-value</module-option>
           ...
           </login-module>
          
           <login-module code="login.module2.class.name" flag="control_flag">
           ...
           </login-module>
           ...
           </authentication>
           </application-policy>
          </policy>
          
          



          • 2. Re: login-config.xml problem
            Anders Görtz Newbie

            I'm sorry but I don't really see what you mean, what root-element?

            • 3. Re: login-config.xml problem
              Oliver Henlich Newbie

              hmm why did i post the example and make the policy element bold? The root element is policy.

              What does that mean? Everything inside this file must be contained inside a policy element (just like the example i posted shows).

              By everything we obviously do not mean the XML declaration at the top

              <?xml version="1.0" encoding="UTF-8"?>
              <!DOCTYPE policy PUBLIC
              "-//JBoss//DTD JBOSS Security Config 3.0//EN"
              "http://www.jboss.org/j2ee/dtd/security_config.dtd">
              



              • 4. Re: login-config.xml problem
                Anders Görtz Newbie

                Sorry, but I am all new to this.

                Yes, I forgot to copy the last line with the statement so that's not the error. I'm all out of ideas, I've tried different encoding of the file, taking away alla unnecessay spaces.

                • 5. Re: login-config.xml problem
                  Oliver Henlich Newbie

                  Hi.

                  Just tried your file...it is pretty broken.
                  So what i did, i took my vanilla login-config.xml from a clean JBoss installation and added your new security domain to the end like so:

                  <!-- TFPortlets security domain -->
                  <application-policy name = "snip">
                   <authentication>
                   <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required"/>
                   </authentication>
                  </application-policy>
                  
                  


                  Notice that the login-module element is enclosed in an authentication element.

                  Also, you should really also mention what version of jboss you are using.
                  I'm using 3.2.4.

                  Another example of why your file is broken is:
                  <application-policy name = "client-login">
                   <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
                   <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                   <module-option name="unauthenticatedIdentity">anonymous</module-option>
                   </login-module>
                  </application-policy>
                  

                  there is no XML closing tag after the first login-module

                  • 6. Re: login-config.xml problem
                    Anders Görtz Newbie

                    Thank you!

                    Now I don't get any errors in the log anymore. How did you parse the xml document, by hand or with a program.

                    My really big problem still remains; when logging on to the service I can logon without entering any login info even though I've changed the web.xml and jbossweb.xml and created the users.- and roles.properties.

                    The version I'm running is 3.2.3

                    • 7. Re: login-config.xml problem
                      Mike Finn Apprentice

                      Post your web.xml and jboss-web.xml. Use the 'code' style when pasting them, so the XML doesn't get munged.

                      mike