9 Replies Latest reply on Jul 10, 2008 3:43 PM by Yasha Bhatt

    LoginModule with oracle datasource

    ubersloth Newbie

      Hi, everyone.
      I am new to JBoss, and am using version 4.2.1GA.
      I attempt to configure an oracle data source to use a LoginModule, but I keep getting the following error when I try to get a connection to it:

      Invalid authentication attempt, principal=null

      java.lang.SecurityException: Invalid authentication attempt, principal=null
          org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:589)
          org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:395)
          org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:842)
          org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:88)

      Has anyone ever encountered this error, or to put it another way, has anyone been able to configure an oracle data source to use a Login Module?

      My login-config.xml:

      <application-policy name="MyDomain">
        <authentication>
          <login-module code = "org-jboss.resource.security.SecureIdentityLoginModule" flag = "required">
            <module-option name="username">hr</module-option>
            <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:name=java:jdbc/hr_connDS,service=LocalTxCM</module-option>
          </login-module>
        </authentication>
      </application-policy>
      

      My oracle-ds.xml:
      <datasources>
        <local-tx-datasource>
          <jndi-name>jdbc/hr_connDS</jndi-name>
          <connection-url>jdbc:oracle:thin:@192.168.41.69:1521:ORCL</connection-url>
          <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
          <security-domain>MyDomain</security-domain>
          <min-pool-size>20</min-pool-size>
          <max-pool-size>100</max-pool-size>
          <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
          <metadata>
            <type-mapping>Oracle9i</type-mapping>
          </metadata>
        </local-tx-datasource>
      </datasources>


      Any comments would be greatly, greatly appreciated.

      Elad.

        • 1. Re: LoginModule with oracle datasource
          Vicky Kak Master

          Try this

          <application-policy name="EncryptDBPassword">
            <authentication>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
                <module-option name="usersProperties">props1/users.properties</module-option>
                <module-option name="rolesProperties">props1/roles.properties</module-option>
              </login-module>
              <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
                <module-option name="username">scott</module-option>
                <module-option name="password">-170dd0fbd8c13748</module-option>
                <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDSJAAS</module-option>
              </login-module>
            </authentication>
          </application-policy>

          You have to use multiple login modules for authentication.
          You would have a web tier which uses the DataSource; the subject would be populated using that secured web tier.
          If you don't have a secured web tier, then the login module would not populate the security credentials, and thus you would get the exception you are seeing.




          • 2. Re: LoginModule with oracle datasource
            ubersloth Newbie

            Hi, vickyk.

            Thank you for your very quick reply. It was right on the money.
            I've pored over jboss manuals for hours and googled intensively, but still this relatively simple solution hasn't presented itself.

            To make the solution work I used your suggested configuration. The only change I had to make was to add this line:

            <module-option name="unauthenticatedIdentity">nobody</module-option>


            Again, thanks!
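
An added example, not code from any poster or from JBoss: a small Python check that reads a login-config.xml and a *-ds.xml and reports two things visible in this thread, a login-module `code` value that is not a valid Java class name and a UsersRolesLoginModule without the `unauthenticatedIdentity` option that reply 2 says was needed. The embedded XML is constructed sample input modelled on the posted files; the function names and the placeholder password are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the thread's files (placeholder password).
LOGIN_CONFIG = """<policy>
 <application-policy name="MyDomain"><authentication>
  <login-module code="org-jboss.resource.security.SecureIdentityLoginModule" flag="required">
   <module-option name="username">hr</module-option>
   <module-option name="password">PLACEHOLDER</module-option>
  </login-module>
 </authentication></application-policy>
 <application-policy name="EncryptDBPassword"><authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
   <module-option name="usersProperties">props1/users.properties</module-option>
  </login-module>
  <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required"/>
 </authentication></application-policy>
</policy>"""
DATASOURCE = """<datasources><local-tx-datasource>
 <jndi-name>jdbc/hr_connDS</jndi-name>
 <security-domain>MyDomain</security-domain>
</local-tx-datasource></datasources>"""

JAVA_FQCN = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+")

def lint_policy(login_xml, domain):
    """Return findings for one application-policy of login-config.xml."""
    policies = ET.fromstring(login_xml).iter("application-policy")
    policy = next((p for p in policies if p.get("name") == domain), None)
    if policy is None:
        return [f"security domain '{domain}' has no application-policy"]
    findings = []
    for mod in policy.iter("login-module"):
        code = mod.get("code", "")
        opts = {o.get("name") for o in mod.iter("module-option")}
        if not JAVA_FQCN.fullmatch(code):  # e.g. a '-' typed where a '.' belongs
            findings.append(f"'{code}' is not a valid Java class name")
        elif code.endswith(".UsersRolesLoginModule") and "unauthenticatedIdentity" not in opts:
            findings.append("UsersRolesLoginModule has no unauthenticatedIdentity")
    return findings

def lint_datasource(ds_xml, login_xml):
    """Check each datasource's <security-domain> against login-config.xml."""
    report = {}
    for ds in ET.fromstring(ds_xml):
        domain = ds.findtext("security-domain")
        if domain:
            report[ds.findtext("jndi-name")] = lint_policy(login_xml, domain)
    return report
```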

            • 3. Re: LoginModule with oracle datasource
              Vicky Kak Master

              Can you contribute by making a wiki for this?



              • 4. Re: LoginModule with oracle datasource
                ubersloth Newbie


                Certainly. I am writing internal documentation about this and will wikify it once I'm done.

                • 5. Re: LoginModule with oracle datasource
                  Vicky Kak Master

                  Excellent :)

                  • 6. Re: LoginModule with oracle datasource
                    ubersloth Newbie

                    You can now find it here: http://www.jboss.com/wiki/Edit.jsp?page=ConfigDataSources
                    Under 'Configuring a DataSource to use login modules'.

                    • 7. Re: LoginModule with oracle datasource
                      Yasha Bhatt Newbie

                      Hi:

                      I have the exact same issue.
                      What do you put in the user.properties and roles.properties file, and where do you place them? I am very new to JBoss also, and just trying to get the Oracle datasource password encryption to work, but it keeps failing with principal=null error. I do not know what "principal" is.
                      Can you please help me? I would really appreciate that!

                      Thanks.

                      • 8. Re: LoginModule with oracle datasource
                        Peter Johnson Master

                        bitti1976 - you should have started a new post instead of appending to a post that is almost a year old.

                        Did you look in the JBossAS directory structure for the user.properties and role.properties files?

                        You already asked about the password encryption question in another post, let's continue that discussion there.

                        The term "principal" refers to the login, and other security-related information, about the person/entity who is logged in.

                        • 9. Re: LoginModule with oracle datasource
                          Yasha Bhatt Newbie

                          Hello PeterJ:
                          I did actually start a new post, which happened to notice also. I responded to this post since I found this to be the closest to what I am trying to accomplish (and the error matches exactly with what I see in my test), and was getting really desperate for help. I wanted to give the solution in this post a try and see if that fixed my issues, but had a question about the user.properties and role.properties file.

                          I have looked at the JbossAS directory structure, and so far have only modified the properties file under $JBOSS_HOME/server/default/conf/props to secure the jmx-console.

                          Thank you for your response to my other post. I appreciate your help.