9 Replies Latest reply on Feb 24, 2005 9:24 AM by edikus

    JBoss 4: bug in SecurityAssociationValve?

    edikus

      I have been having a problem getting JBoss 4 to see my custom login modules. I traced through the source code, and what is happening is that there is an error in SecurityAssociationValve on line 146:
      AuthenticationManager securityMgr = (AuthenticationManager) securityCtx.lookup("securityMgr");

      2004-10-12 13:01:16,740 DEBUG [org.jboss.web.tomcat.security.SecurityAssociationValve] Failed to determine servlet
      java.lang.NullPointerException
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:115)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:535)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
      at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
      at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
      at java.lang.Thread.run(Thread.java:595)

      This reference does not look correct to me. Can anyone tell me how I could pursue this further? Where are the JBoss internal JNDI references configured?
      Thanks

        • 1. Re: JBoss 4: bug in SecurityAssociationValve?
          starksm64

          This stack trace does not match the 4.0.0 code, so what is the version in use here? The JNDI context is set up in the org.jboss.web.AbstractWebDeployer.linkSecurityDomain method. I think you're seeing an issue that was fixed before the 4.0.0 release.

          • 2. Re: JBoss 4: bug in SecurityAssociationValve?
            edikus

            I am using 4.0.0RC2. Whoops! Maybe that's the problem. Thanks, I will give it a try.

            • 3. Re: JBoss 4: bug in SecurityAssociationValve?
              edikus

              It didn't work with the general release of 4.0.0 either. And I had the same problem with 3.2.6. It does work, however, with 3.2.7. I have not tried 4.0.1 yet but I wonder if this is somehow related to the jdk1.5.0 problems in both releases (yes, I am using 1.5.0)

              • 4. Re: JBoss 4: bug in SecurityAssociationValve?
                edikus

                oops again. It doesn't work with 3.2.7 either. My mistake.

                • 5. Re: JBoss 4: bug in SecurityAssociationValve?
                  starksm64

                  Create a bug report on sourceforge with an example as the originally referenced stack trace is invalid.

                  http://sourceforge.net/tracker/?group_id=22866&atid=376685

                  • 6. Re: JBoss 4: bug in SecurityAssociationValve?
                    edikus

                    The error I get is somewhat different. It refers to a missing users.properties file -- because the UsersRolesLogin module is getting invoked, which it shouldn't be. My login-config.xml file is the standard one with two new application policies, one for EJBs that calls the IdentityLoginModule and one for the web which calls a CustomDatabaseLoginModule that we have developed. Should I create the bug report or is there something else I am missing?

                    • 7. Re: JBoss 4: bug in SecurityAssociationValve?
                      starksm64

                      If you have a testcase that illustrates the problem.

                        • 8. SecurityAssociationValve hsession causes NullPointerException
                        jkester

                        I have been puzzled by this problem too and looked at what caused the null pointer exception.
                        A bit about my environment:
                        I did a fresh checkout on -r JBoss_4_0_0_RC2 jboss-4.0
                        Then from the build, I ran build.sh.

                        In my JBoss configuration I edited deploy/jmx-console.war/WEB-INF/classes jmx-console-roles.properties jmx-console-users.properties. Two new users test1=test1 and test2=test2. In the roles file, I gave test1 the proper JBossAdmin role, but test2 not, only having a 'test' role.
                        As well I uncommented the security settings in web.xml and jboss-web.xml to make security available for jmx-console.

                        Now, in my jboss, logging in with test1/test1 goes fine. Logging in with a non-existing user or false password also goes fine (the popup box returns). Logging in with a proper user with a false role however fails. I get the same NullPointer exception as described above for the SecurityAssociationValve.

                        Debugging, it turns out that hsession is null (108), the request does not have a session yet. When hsession.getId() is called, the NullPointer Exception is thrown (115).

                        I tried changing the httpRequest.getSession(false) call to httpRequest.getSession(true). The exception is not thrown any more, but I still do get some screen HTTP 403 Access denied. What would the required functionality actually be for a case where a user does not have the proper role? It would be nice to have the popup again with the proper message?

                        Curious what a proper solution would be.

                        Regards, Jan Kester
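
The null-session failure described in the post above, as an added example that is not part of the thread and is neither the JBoss source nor its eventual fix. `Request` and `Session` are stand-ins assumed here for `HttpServletRequest` and `HttpSession`, keeping only the `getSession(boolean)` contract.

```java
import java.util.UUID;

public class SessionLookupDemo {
    // Stand-ins (assumed for this example) for javax.servlet.http.HttpSession
    // and HttpServletRequest, reduced to the two calls discussed in the thread.
    interface Session { String getId(); }

    static class Request {
        private Session session;          // null until a session is created
        int sessionsCreated = 0;

        // Same contract as HttpServletRequest.getSession(boolean):
        // create == false returns null when no session exists yet.
        Session getSession(boolean create) {
            if (session == null && create) {
                final String id = UUID.randomUUID().toString();
                session = () -> id;
                sessionsCreated++;
            }
            return session;
        }
    }

    // Pattern described in the post: dereference without a null check.
    static String unguardedId(Request req) {
        return req.getSession(false).getId();   // NPE when there is no session
    }

    // Guarded lookup: no session is created and none is assumed.
    static String guardedId(Request req) {
        Session s = req.getSession(false);
        return (s != null) ? s.getId() : null;
    }

    public static void main(String[] args) {
        Request fresh = new Request();   // constructed: first request, no session yet
        try {
            unguardedId(fresh);
        } catch (NullPointerException e) {
            System.out.println("unguarded: NullPointerException");
        }
        System.out.println("guarded: id=" + guardedId(fresh)
                + ", sessions created=" + fresh.sessionsCreated);
        // getSession(true) avoids the NPE but allocates a session for a
        // request that has not been authorized.
        fresh.getSession(true);
        System.out.println("getSession(true): sessions created=" + fresh.sessionsCreated);
    }
}
```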

                        • 9. Re: JBoss 4: bug in SecurityAssociationValve?
                          edikus

                          I finally got around to creating a test case, only to find that the problem has been fixed, both in the final release of 3.2.7 and in 4.0.1sp1. I haven't found the bug that specifically addressed it, so it must have been related to some other issue (such as JBAS-1165).