I'm posting again, because it blurred my code samples beyond worth when I 
wrapped them in code tags... (Sorry about that):

Hello JBoss enthusiasts,

  I am new to JBoss, and am attempting to convince it to respect my custom 
login module through its implementation of JAAS.

  I have read MANY web sites/forum entries on how to do this, but am sadly 
missing something(s) about how to complete the endeavor.

  I am developing in Eclipse, and my project consists of an Enterprise .ear 
file project, encompassing a Dynamic Web Module .war file project.

  I have edited the following files (<war-file-project>/WEB-INF/jboss-web.xml, 
<war-file-project>/WEB-INF/web.xml, and 
<jboss.install>/server/default/deploy/conf/login-config.xml). Please see below 
for details of each.


  I have coded up a custom login module, extending AbstractServerLoginModule, 
which essentially just hard-codes a user name, (for now, I will doll it up when 
I can get it called), and adds a role called "Authenticated".

I added the following content to jboss-web.xml, and sprinkled it into 
<war-file-project>/WEB-INF, <war-file-project>/META-INF, and 
<ear-file-project>/META-INF, trying to get it to have an impact.  I think/guess 
it belongs in the <war-file-project>/WEB-INF along with web.xml, but I could 
not find this hint anywhere.


<?xml version="1.0" encoding="UTF-8"?>
<!--  The <security-domain> uses java:/jaas/GEHCSecurityRealm because it is the
      JBoss-specific JNDI name used in gehc-login-confix.xml when JBoss deploys
      the loginModule as a managed service.
      The pattern here is that JBoss prefixes its JAAS JNDI names with
      java:/jaas -->
<jboss-web>
   <security-domain>java:/jaas/GEHCSecurityRealm</security-domain>
</jboss-web>


I added the following constructs to web.xml:


  <security-constraint>
    <web-resource-collection>
      <web-resource-name>GEHCSecurityRealm</web-resource-name>
      <description>Protects CPWebService URL calls</description>
      <!-- <url-pattern>/CPWebService</url-pattern> -->
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <!--  Uncommenting auth-constraint causes login to fail, uncomment when
          able to call custom login module.
    <auth-constraint>
      <role-name>Authenticated</role-name>
    </auth-constraint>
    -->
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>GEHCSecurityRealm</realm-name>
    <!-- Could this be how I convince it to call my GEHCLoginModule?
         Apparently not. -->
  </login-config>

  <security-role>
    <description>The role required to access /CPWebService calls</description>
    <role-name>Authenticated</role-name>
  </security-role>


I added the following construct to login-conf.xml:

    <!-- GEHC Custom authentication login module configuration -->
    <application-policy name="GEHCSecurityRealm">
        <authentication>
            <login-module code="com.gehcit.cp.security.GEHCLoginModule" flag="required"/>
        </authentication>
    </application-policy>


I enabled security trace/debug logging by adding the following lines to 
<jboss-install>/server/default/conf/log4j.xml:  (The appender-ref elements are 
my attempt to get the output to come to the console, although it still only 
ends up in server.log; :-(  Good enough).


     
     <appender-ref ref="CONSOLE"/>


     
     <appender-ref ref="CONSOLE"/>


     
     <appender-ref ref="CONSOLE"/>


So...  What I had HOPED to accomplish with the aforementioned configuration, is 
that when I sent a request to this web service, with a url like /CPWebService 
(although it should happen for any url according to my <security-constraint>'s 
<url-pattern>), JBoss would delegate the login to my custom login module, as 
indicated in the login-conf.xml, because the jboss-web.xml listed the realm it 
covers as the security realm for this "web application".  I'm not 100% 
confident in any of this, as it is all kinda hearsay, gathered from the JBoss 
documentation, and random input from forums and a several day google-fest.  I 
am open to any & all suggestions towards a solution.  i.e. Please :-)

The application server starts up without any security complaints.  However, 
when I run my test call to a method under 
http://localhost:8080/CentricityPractice/CPWebService, it produces the 
following output:


2006-11-09 15:57:03,960 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /CentricityPractice/CPWebService
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling hasUserDataPermission()
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase]   User data constraint has no restrictions
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling accessControl()
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles null
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Passing all access
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Successfully passed all security constraints
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callernull
2006-11-09 15:57:03,975 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.RunAsListener] CPWebService, runAs: null
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.RunAsListener] CPWebService, runAs: null
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass


It would appear that it is logging in just fine, ... I just have no idea what 
module it's using, is there any way to tell?

When I uncomment the auth-constraint in the security-constraint in web.xml, the 
log produces the following content:


2006-11-09 15:53:25,191 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1163105605191 sessioncount 0
2006-11-09 15:53:25,191 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /CentricityPractice/CPWebService
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling hasUserDataPermission()
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase]   User data constraint has no restrictions
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling authenticate()
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Failed authenticate() test
2006-11-09 15:53:28,191 TRACE [org.jboss.security.SecurityAssociation] clear, server=true


This failure makes sense to me, because whatever user it is automatically 
assuming hasn't been gifted with the "Authenticated" role.  Incidentally, if it 
was calling my login module, the following method would grant the user with 
this role:


    // Needs java.security.acl.Group plus org.jboss.security.SimpleGroup and
    // org.jboss.security.SimplePrincipal imported in the enclosing class.
    public Group[] getRoleSets() {
        // Our security at this level (authentication) isn't role based, so we
        // have a simple fudge role to satisfy the requirement of JBoss having
        // role based authentication.
        log.debug("!!!!!!!!!!!!!!!!!!!!!!!! getRoleSets !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");

        // JBoss reads the caller's roles from the group named "Roles".
        Group rolesGroup = new SimpleGroup("Roles");
        rolesGroup.addMember(new SimplePrincipal("Authenticated"));

        return new Group[] {rolesGroup};
    }



Does anyone know what I'm missing, care to commiserate, anything?

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3984659#3984659

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3984659
_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
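
A consistency check over the three descriptors discussed in this post, as an added example that is not part of the original message or of JBoss. It flags a security-constraint with no auth-constraint (the configuration under which the log above shows "Checking roles null" and "Passing all access"), roles used but never declared, http-method lists, and a security-domain with no matching application-policy. The names lint and parse and the inline sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET
PREFIX = "java:/jaas/"  # JBoss binds each application-policy under this JNDI context

def parse(text):
    """Parse a descriptor and drop namespaces so 2.3 and 2.4 files look alike."""
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root

def lint(web_xml, jboss_web_xml, login_config_xml):
    """Return a list of gaps between web.xml, jboss-web.xml and login-config.xml."""
    findings, web = [], parse(web_xml)
    declared = {(r.findtext("role-name") or "").strip() for r in web.iter("security-role")}
    for sc in web.iter("security-constraint"):
        name = (sc.findtext("web-resource-collection/web-resource-name") or "?").strip()
        auth = sc.find("auth-constraint")
        if auth is None:  # servlet spec: access is granted without authentication
            findings.append(f"{name}: no auth-constraint, login is never triggered")
        else:
            roles = {(r.text or "").strip() for r in auth.iter("role-name")}
            for role in sorted(roles - declared - {"*"}):
                findings.append(f"{name}: role '{role}' has no security-role entry")
        if sc.find("web-resource-collection/http-method") is not None:
            findings.append(f"{name}: methods not listed in http-method fall outside this constraint")
    domain = (parse(jboss_web_xml).findtext("security-domain") or "").strip()
    policy = domain[len(PREFIX):] if domain.startswith(PREFIX) else domain
    modules = {p.get("name"): [m.get("code") for m in p.iter("login-module")]
               for p in parse(login_config_xml).iter("application-policy")}
    if not modules.get(policy):
        findings.append(f"{domain}: no login-module under application-policy '{policy}'")
    return findings

# Constructed samples mirroring the post's descriptors (auth-constraint commented out).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>GEHCSecurityRealm</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-role><role-name>Authenticated</role-name></security-role>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/GEHCSecurityRealm</security-domain></jboss-web>"
LOGIN_CONFIG_XML = """<policy><application-policy name="GEHCSecurityRealm"><authentication>
  <login-module code="com.gehcit.cp.security.GEHCLoginModule" flag="required"/>
</authentication></application-policy></policy>"""
print("\n".join(lint(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML)))
```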
