3 Replies Latest reply on Jan 31, 2005 11:36 AM by johnv

    ConfiguredIdentityLoginModule help

    johnv

      I have the beans in my app protected by a security domain which uses a UsersRolesLoginModule. This is all good up until the point where my JMS connection factory tries to create a home interface on one of those beans. At this point I get the principal=[] message.

      Up to this point the sec domain successfully presented my forms-based login challenge, verified the creds provided, and created the JAAS Principal and populated that with the proper roles. It looks like that Principal is fine for the beans but now that the JMS is trying to invoke something on the beans it has no principal.

      I think I need to setup a ConfiguredIdentityLoginModule for my JMS conn factory but I can find next to nothing in terms of documentation on this login module. Believe me I have looked.

      I have set it up as follows in my login-config.xml:

      <application-policy name="myPolicy">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
          <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
            <module-option name="principal">testUser</module-option>
            <module-option name="userName">testUser</module-option>
            <module-option name="password">testpassword</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=jms//MY_QUEUE_FACTORY</module-option>
          </login-module>
        </authentication>
      </application-policy>

      Even if this didn't throw an exception I don't see how the ConfiguredIdentityLoginModule would map the principal name to the proper roles. It's not using roles.properties like the UsersRolesLoginModule. I assume there is a way to do this mapping but again, I cannot find doc on ConfiguredIdentityLoginModule.

      If I run this as is then when it gets to that point in the application where JMS is trying to create the home interface of a bean it throws:

      java.lang.SecurityException: Invalid authentication attempt, principal=[
      roles=[TestRole1],principal=anonymous]]. Error code[CNTRL-00002].




        • 1. Re: ConfiguredIdentityLoginModule help
          johnv

          Just noticed I had both login modules as required. Changed them both to sufficient and now I get:

          javax.resource.spi.CommException: javax.jms.JMSSecurityException: User: testUser
          is NOT authenticated
          at org.jboss.resource.adapter.jms.JmsManagedConnection.setup(JmsManagedConnection.java:749)

          • 2. Re: ConfiguredIdentityLoginModule help
            starksm64

            The jca login modules are described here:

            http://www.jboss.org/wiki/Wiki.jsp?page=ConfigJCALoginModule

            The ConfiguredIdentityLoginModule alone is not appropriate for JMS since it has no notion of roles. It would have to be combined with another login module which associated the roles expected by the destination security policy. I don't see the JBoss version or JMS destination or connection factory configuration being used here. These need to be pulled together to understand the complete picture.
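As an added example (not from this thread and not JBoss's own shipped configuration), here are the two halves that have to agree when a JCA-managed JMS connection talks to JBossMQ, showing one way to satisfy the "combined with another login module" point above. It assumes JBoss 4.0.x, a tx-connection-factory whose security domain is `myPolicy`, and that a "User: ... is NOT authenticated" failure raised from the JMS adapter's connection setup comes from JBossMQ's own SecurityManager performing a second JAAS login, against the `jbossmq` domain, with the user name and password the adapter hands it. Under that assumption the JCA-side policy only has to supply an identity and credential, and the roles a destination's security policy checks come from the `jbossmq` domain, which here is pointed at the same users.properties and roles.properties files a UsersRolesLoginModule in the web tier already reads. User names, role names, file names and destination names are illustrative; the properties contents are constructed for the example.

```xml
<!-- Added example, not the thread's or JBoss's own file. JBoss 4.0.x layout
     assumed; myPolicy, testUser, TestRole1 and jms/MY_REQUEST_QUEUE are
     illustrative names. Two files are shown, separated by comments. -->

<!-- ===== 1. conf/login-config.xml ===== -->
<policy>

  <!-- Domain named by <security-domain-and-application> in jms-ds.xml.
       The JCA framework logs in here with no user-supplied callbacks, so a
       configured identity is what answers: it puts a PasswordCredential for
       testUser into the Subject and the JMS adapter opens the broker
       connection with that name and password. No roles are assigned here
       because the broker does not read roles from this Subject. -->
  <application-policy name="myPolicy">
    <authentication>
      <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule"
                    flag="required">
        <module-option name="principal">testUser</module-option>
        <module-option name="userName">testUser</module-option>
        <module-option name="password">testpassword</module-option>
        <!-- TxCM name derived from the factory's jndi-name: one slash, no prefix -->
        <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=jms/MY_QUEUE_FACTORY</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Domain used by jboss.mq:service=SecurityManager (assumed to be the stock
       java:/jaas/jbossmq). The broker authenticates testUser/testpassword here
       and takes the roles from this login, so the same properties files the
       application's UsersRolesLoginModule reads are reused. A stock install
       points this domain at the JMS_USERS/JMS_ROLES tables instead. -->
  <application-policy name="jbossmq">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <!-- keep the broker's anonymous identity working for other clients -->
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="usersProperties">users.properties</module-option>
        <module-option name="rolesProperties">roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>

<!-- users.properties (constructed):  testUser=testpassword   guest=guest
     roles.properties (constructed):  testUser=TestRole1      guest=guest -->

<!-- ===== 2. deploy/jms/jbossmq-destinations-service.xml =====
     Grant the role the broker resolved for testUser on the destination.
     Without a SecurityConf the destination falls back to the
     SecurityManager's DefaultSecurityConfig, which in a stock install
     only knows the guest role. -->
<server>
  <mbean code="org.jboss.mq.server.jmx.Queue"
         name="jboss.mq.destination:service=Queue,name=jms/MY_REQUEST_QUEUE">
    <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
    <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
    <attribute name="SecurityConf">
      <security>
        <!-- the consuming bean's identity may read and write, nobody else may -->
        <role name="TestRole1" read="true"  write="true"  create="false"/>
        <role name="guest"     read="false" write="false" create="false"/>
      </security>
    </attribute>
  </mbean>
</server>
```

The check to run before touching the destination side is the one the stack trace points at: if the broker rejects the configured identity, no role mapping in `myPolicy` will help, because the name and password in that policy are only used to open the broker connection. Confirm that the same user name and password authenticate in whatever domain `jboss.mq:service=SecurityManager` is configured with, then confirm that the roles that domain returns are the ones the destination's `SecurityConf` names.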

            • 3. Re: ConfiguredIdentityLoginModule help
              johnv

              Thanks for the link. It looks like CallerIdentityLoginModule would do what I need though combining that with my existing UsersRolesLoginModule is netting the same results.

              version: 4.0.1RC1


              destinations (note, I left out a couple '>' chars for this posting as they were causing the text not to show up in Preview. They are proper in the JBoss config file and validate successfully):

              <mbean code="org.jboss.mq.server.jmx.Queue"
                     name="jboss.mq.destination:service=Queue,name=jms/MY_REQUEST_QUEUE">
                <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
              </mbean>

              <mbean code="org.jboss.mq.server.jmx.Queue"
                     name="jboss.mq.destination:service=Queue,name=jms/MY_RESPONSE_QUEUE">
                <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
              </mbean>


              conn factory:

              <tx-connection-factory>
                <jndi-name>jms/MY_QUEUE_FACTORY</jndi-name>
                <xa-transaction/>
                <rar-name>jms-ra.rar</rar-name>
                <connection-definition>org.jboss.resource.adapter.jms.JmsConnectionFactory</connection-definition>
                <config-property name="SessionDefaultType" type="java.lang.String">javax.jms.Queue</config-property>
                <config-property name="JmsProviderAdapterJNDI" type="java.lang.String">java:/DefaultJMSProvider</config-property>
                <config-property name="Strict" type="java.lang.Boolean">false</config-property>
                <max-pool-size>20</max-pool-size>
                <security-domain-and-application>myPolicy</security-domain-and-application>
              </tx-connection-factory>


              Here is my latest from login.xml:

              <application-policy name="myPolicy">
                <authentication>
                  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient"/>
                  <login-module code="org.jboss.resource.security.CallerIdentityLoginModule" flag="sufficient">
                    <module-option name="userName">sa</module-option>
                    <module-option name="password"></module-option>
                    <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=jms/MY_QUEUE_FACTORY</module-option>
                  </login-module>
                </authentication>
              </application-policy>