5 Replies Latest reply on Sep 24, 2002 10:12 AM by David Jencks

    getConnection(user,pwd) should fail!!!!

    Lewis Henderson Novice

      I am building a 'ServerLoginModule' which uses the database 'security' to authenticate the user. I get a DataSource and call getConnection('user','pwd') with an invalid user/password combination and get a valid connection. If I remove the user/password config stuff from JBoss.jcml, on startup I get :-
      java.lang.NullPointerException
      at org.jboss.pool.jdbc.xa.XAPoolDataSource.getConnection(XAPoolDataSource.java:178)
      at org.jboss.jdbc.XADataSourceLoader.startService(XADataSourceLoader.java:407)
      at org.jboss.util.ServiceMBeanSupport.start(ServiceMBeanSupport.java:107)
      at java.lang.reflect.Method.invoke(Native Method)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
      at org.jboss.configuration.ConfigurationService$ServiceProxy.invoke(ConfigurationService.java:836)
      at $Proxy0.start(Unknown Source)
      at org.jboss.util.ServiceControl.start(ServiceControl.java:81)
      at java.lang.reflect.Method.invoke(Native Method)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
      at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
      at org.jboss.Main.(Main.java:221)
      at org.jboss.Main$1.run(Main.java:127)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.jboss.Main.main(Main.java:123)

      but my LoginModule works....

      Any ideas on how to :-
      1) Stop the exception OR
      2) get a DataSource that will fail to give a Connection if I supply incorrect username/password values

      Kind regards

      Lewis

        • 1. Re: getConnection(user,pwd) should fail!!!!
          David Jencks Master

          Don't use the getConnection(user,pw) with the xadatasource loader stuff in 2.4. If there is a free connection in the pool, it returns it, no matter who the user is for that connection. Otherwise it sets the user/pw so subsequent connections obtained using getConnection() use the last requested user/pw... I don't know why anyone would implement something like this...

          If you need more than one user for your database use jboss 3.0.2 or 3.2. You may be able to either use the CallerIdentityLoginModule so the app user/pw becomes the database user or write a MappingIdentityLoginModule to perform an arbitrary app user to db user mapping. With these your app would use getConnection() and jboss supplies the user/pw using the login module.

          I also don't quite understand what you are trying to do with your login module.
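
The pooling behaviour described in the reply above, as an added example that is not part of the original thread and is not JBoss code: a constructed model of a pool that hands any idle connection to any caller, next to one that reuses a connection only for the credentials that opened it. All class names, accounts and passwords are hypothetical, and only the "free connection is returned regardless of user" half of the behaviour is modelled.

```java
import java.util.*;

// Constructed model, not JBoss source; every class and account here is hypothetical.
public class PoolIdentityDemo {
    // Stand-in for a database session; remembers the credentials it was opened with.
    record Conn(String dbUser, String pw) {}
    // Stand-in for the database's own login check (constructed accounts).
    static final Map<String, String> DB_ACCOUNTS = Map.of("alice", "s3cret", "bob", "hunter2");

    static Conn open(String user, String pw) {
        if (!pw.equals(DB_ACCOUNTS.get(user))) throw new SecurityException("login failed for " + user);
        return new Conn(user, pw);
    }

    // Behaviour described in the reply: an idle connection is returned to any caller.
    static class SharedPool {
        final Deque<Conn> idle = new ArrayDeque<>();
        Conn getConnection(String user, String pw) {
            Conn c = idle.poll();
            return c != null ? c : open(user, pw); // credentials checked only on a pool miss
        }
        void release(Conn c) { idle.push(c); }
    }

    // Idle connections are reused only for the exact credentials that opened them.
    static class PerCredentialPool {
        final Map<List<String>, Deque<Conn>> idle = new HashMap<>();
        Conn getConnection(String user, String pw) {
            Deque<Conn> q = idle.get(List.of(user, pw));
            Conn c = (q == null) ? null : q.poll();
            return c != null ? c : open(user, pw); // no match: the database decides
        }
        void release(Conn c) {
            idle.computeIfAbsent(List.of(c.dbUser(), c.pw()), k -> new ArrayDeque<>()).push(c);
        }
    }

    public static void main(String[] args) {
        SharedPool shared = new SharedPool();
        shared.release(shared.getConnection("alice", "s3cret"));
        Conn leaked = shared.getConnection("nobody", "bad-password");
        System.out.println("shared pool: bad login got a session as " + leaked.dbUser());

        PerCredentialPool keyed = new PerCredentialPool();
        keyed.release(keyed.getConnection("alice", "s3cret"));
        try { keyed.getConnection("nobody", "bad-password"); }
        catch (SecurityException e) { System.out.println("keyed pool: " + e.getMessage()); }
    }
}
```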

          • 2. Re: getConnection(user,pwd) should fail!!!!
            Lewis Henderson Novice

            I have a customer that uses the database's own 'security' to authenticate the user. If 'getConnection(user,pwd)' fails they are not authenticated. The 'roles' are stored in a table in the same database.

            I extended 'UsernamePasswordLoginModule'
            I call 'getConnection(user,pwd)' in the 'validatePassword()' and the 'getRoleSets()' overrides.

            Under 2.4 is it 'legal' to use the DriverManager directly in a LoginModule?... or is there a better way?

            Under 3.0.0 I use 'ByApplication' as the criteria for the connection pool attribute. This all seems to work!!

            Lewis

            • 3. Re: getConnection(user,pwd) should fail!!!!
              David Jencks Master

              > I have a customer that uses the database's own
              > 'security' to authenticate the user. If
              > 'getConnection(user,pwd)' fails they are not
              > authenticated. The 'roles' are stored in a table in
              > the same database.

              This won't work in 2.4.x. You are apt to get back a connection logged in as a random user.
              >
              > I extended 'UsernamePasswordLoginModule'
              > I call 'getConnection(user,pwd)' in the
              > 'validatePassword()' and the 'getRoleSets()'
              > overrides.
              >
              > Under 2.4 is it 'legal' to use the DriverManager
              > directly in a LoginModule?... or is there a better
              > way?

              You can do that, it is a very inefficient way of validating security since you have to establish a db connection for each authentication attempt. There's no obvious (to me) way in 2.4.x to keep using this user's connection for the work they want to do after authentication.
              >
              > Under 3.0.0 I use 'ByApplication' as the criteria for
              > the connection pool attribute. This all seems to
              > work!!

              Do you have CallerIdentityLoginModule set up?

              This is going to tend to have the same inefficiency problems as in 2.4, although at least jboss will keep giving you the same connection for the same user without any more work on your part.

              Is there any way to query the db system tables to authenticate and always log in as the same user?

              thanks
              david jencks
              >
              > Lewis

              • 4. Re: getConnection(user,pwd) should fail!!!!
                Lewis Henderson Novice

                ...What format is the 'binary' password in MSSQL Server in sysusers table? Under 2.4.x I may be able to do this hack...I don't like it...I think I'll force them to 3.0.x!!!!

                What is the CallerIdentityLoginModule? I have not got familiar with 3.0.x yet...

                I currently have a 'working' 3.0.0 setup.

                Thanks

                Lewis

                • 5. Re: getConnection(user,pwd) should fail!!!!
                  David Jencks Master

                  CallerIdentityLoginModule uses the user/pw that was used to log into the application to log into the db.

                  I'd work with 3.0.2 rather than 3.0.0.