I have been having a problem getting JBoss 4 to see my custom login modules. I traced through the source code, and what is happening is that there is an error in SecurityAssociationValve on line 146:
AuthenticationManager securityMgr = (AuthenticationManager) securityCtx.lookup("securityMgr");
2004-10-12 13:01:16,740 DEBUG [org.jboss.web.tomcat.security.SecurityAssociationValve] Failed to determine servlet
This reference does not look correct to me. Can anyone tell me how I could pursue this farther? Where are the JBoss internal JNDI references configured?
This stack trace does not match the 4.0.0 code so what is the version in use here? The jndi context is setup in the org.jboss.web.AbstractWebDeployer.linkSecurityDomain method. I think your seeing an issue that was fixed before the 4.0.0 release.
I am using 4.0.0RC2. Whoops! Maybe that's the problem. Thanks, I will give it a try.
It didn't work with the general release of 4.0.0 either. And I had the same problem with 3.2.6. It does work, however, with 3.2.7. I have not tried 4.0.1 yet but I wonder if this is somehow related to the jdk1.5.0 problems in both releases (yes, I am using 1.5.0)
oops again. It doesn't work with 3.2.7 either. My mistake.
The error I get is somewhat different. It refers to a missing users.properties file -- because the UsersRolesLogin module is getting invoked, which it shouldn't be. My login-config.xml file is the standard one with two new application policies, one for EJBs that calls the IdentityLoginModule and one for the web which calls a CustomDatabaseLoginModule that we have developed. Should I create the bug report or is there something else I am missing?
If you have a testcase that illustrates the problem.
I have been puzzled by this problem too and looked what caused the null pointer exception.
A bit about my environment:
I did a fresh checkout on -r JBoss_4_0_0_RC2 jboss-4.0
Then from the build, I run build.sh.
In my JBoss configuration I edited deploy/jmx-console.war/WEB-INF/classes jmx-console-roles.properties jmx-console-users.properties. Two new users test1=test1 and test2=test2. In the roles file, I gave test1 the proper JBossAdmin role, but test2 not, only having a 'test' role.
As well I uncommented the security settings in web.xml and jboss-web.xml to make security available for jmx-console.
Now, in my jboss, logging in with test1/test1 goes fine. Logging in with a non-existing user or false password also goes fine (the popup box returns). Logging in with a proper user with a false role however fails. I get the same NullPointer exception as described above for the SecurityAssociationValve.
Debugging, it turns out that hsession is null (108), the request does not have a session yet. When hsession.getId() is called, the NullPointer Exception is thrown (115).
I tried changing the httpRequest.getSession(false) call to httpRequest.getSession(true). The exception is not thrown any more, but I still do get some screen HTTP 403 Access denied. What would required functionality actually be for a case where a user does not have proper role? It would be nice to have the popup again with the proper message?
Curious what a proper solution would be.
Regards, Jan Kester
I fiinally got around to creating a test case, only to find that the problem has been fixed, both in the final release of 3.2.7 and in 4.0.1sp1. I haven't found the bug that specifically addressed it, so it must have been related to some other issue (such as JBAS-1165).