Do you know the article about security by Scott Stark? http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html
We wrote our own ServerLoginModule based on AbstractServerLoginModule/UserPasswordLoginModule of JBoss. Therefore I'm not used to the tables and SQL statements the DatabaseServerLoginModule requires :-(

Annegret

-----Original Message-----
From: Andrea Cervellati [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 24 January 2002 13:00
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] security problem with Jboss+Tomcat

Hi, it's always me with the security topic!

I think my problem is not in the authentication, but in role mapping, 'cause I got the printing:

[Default] User 'leonardi' authenticated

(but the user gets the HTTP-403!)

I use the DatabaseServerLoginModule and this is the entry in my $jboss_home/conf/catalina/auth.conf:

modulojdbc {
    org.jboss.security.auth.spi.DatabaseServerLoginModule required
        dsJndiName="java:/SQLServerPool"
        principalsQuery="SELECT Password FROM PRINCIPALS WHERE principalid=?"
        rolesQuery="SELECT Role, RoleGroup FROM ROLES WHERE principalid=?";
};

I have the following 2 tables in my database:

PRINCIPALS(principalid, password)
    pk: principalid

ROLES(principalid, role, rolegroup)
    pk: principalid, role
    fk: principalid references PRINCIPALS

I have inserted some rows:

PRINCIPALS:
    ('vincini','vincini')
    ('guest','guest')

ROLES:
    ('vincini','docente','Roles')
    ('guest','studente','Roles')

I also have a method in my MatDidEJB that invokes isCallerInRole("DOCENTE") and getCallerPrincipal().getName(), so I've included these lines in the ejb-jar.xml:

<session>
  <ejb-name>MatDidEJB</ejb-name>
  <home>ejb.MatDid.MatDidHome</home>
  <remote>ejb.MatDid.MatDidEJB</remote>
  <ejb-class>ejb.MatDid.MatDidBean</ejb-class>
  <session-type>Stateful</session-type>
  <transaction-type>Container</transaction-type>
  <security-role-ref>
    <role-name>STUDENTE</role-name>
    <role-link>studente</role-link>
  </security-role-ref>
  <security-role-ref>
    <role-name>DOCENTE</role-name>
    <role-link>docente</role-link>
  </security-role-ref>
</session>

Should I add a row in the ROLES table like this:
('vincini','DOCENTE','CallerPrincipal') ?

If I add it, the user "vincini" gets an error 'cause getCallerPrincipal().getName() returns the String "DOCENTE" instead of "vincini"!!!

When should the rolegroup "CallerPrincipal" be used?

PLEASE HELP!

Thanks

>From: Andrea Cervellati <[EMAIL PROTECTED]>
>Subject: Re: [JBoss-user] security problem with Jboss+Tomcat
>To: [EMAIL PROTECTED]
>Date: Thu, 24 Jan 2002 08:24:04 +0100 (MET)
>
>Hi David,
>
>thank you very much for your help.
>
>I've configured all the files you said. Are you using Jboss 2.4.3 Tomcat 4? I had problems in security authentication with this version.
>It's for that reason that I tried the previous release of tomcat.
>My problem was that the server seemed to recognize the user 'cause it printed the following:
>
>[EmbeddedCatalinaServiceSX] jsp: init
>[Default] User 'leonardi' authenticated.
>
>but then the user got an HTTP-403 error.
>If the same user tried to access the same resource again, the login went well.
>
>I couldn't figure out the problem, so I posted the question here and someone told me that tomcat 4 is buggy with security.
>Anyway when I installed Jboss 2.4.3 Tomcat 3.2.3 my application did not work well and gave me problems that I had not before! For example I couldn't use the jakarta xsl taglibs (with Jboss 2.4.3 Tomcat 4 it worked!), and it couldn't recognize security restrictions anymore!
>
>Looks strange, doesn't it?!
>
>If only I could fix the security problem with Jboss 2.4.3 Tomcat 4, it would be the end of all my troubles!!!
>
>Any idea?
>
>Thanks again
>
>>From: "David Hamilton" <[EMAIL PROTECTED]>
>>To: "Andrea Cervellati" <[EMAIL PROTECTED]>
>>Subject: Re: [JBoss-user] security problem with Jboss+Tomcat
>>Date: Wed, 23 Jan 2002 19:14:48 -0000
>>
>>Hi Andrea,
>>
>>I'm going to give a list of things to check. Not all of them may be required for you (depending on what you're trying to do) and some of them are part of the standard installation.
>>
>>web.xml (in .war/.ear file) - need to specify secured area and login type.
>>
>>jboss-web.xml (in .war/.ear file) - need to specify security domain name to sync up with that used in jboss.xml
>>
>>jboss.jcml (jboss conf/tomcat dir) - need the JaasSecurityManagerService mbean (standard installation).
>>
>>auth.conf (jboss conf/tomcat dir) - need an entry to match the security domain name in jboss-web.xml and jboss.xml
>>
>>ejb-jar.xml (in .jar/.ear file) - need security roles for the beans. To allow unsecured access to a bean, put </unchecked> in the <method-permission> element where you would normally have <role-name>.
>>
>>jboss.xml (in .jar/.ear file) - optionally need <enforce-ejb-restrictions> entry with 'true'. Definitely need <security-domain> entry with the security domain name (see jboss-web.xml and auth.conf).
>>
>>Hope this helps
>> david
>>
>>----- Original Message -----
>>From: "Andrea Cervellati" <[EMAIL PROTECTED]>
>>To: <[EMAIL PROTECTED]>
>>Sent: Wednesday, January 23, 2002 4:12 PM
>>Subject: RE: [JBoss-user] security problem with Jboss+Tomcat
>>
>>
>>Hi,
>>
>>I've installed the Jboss2.4.3_tomcat3.2.3
>>
>>I can't understand why, but the same application that I had before running on JBoss2.4.3_tomcat4 now doesn't work!
>>
>>Any security constraint is ignored now! OMG!
>>I'm wasting a lot of time trying to understand the reason.
>>In addition I have another problem now that I did not have before: the jakarta xsl taglib doesn't work! I need that taglib!
>>
>>How is it possible?!
>>
>>This is a bad nightmare!
>>
>>Someone suggested I try tomcat4.0.2 b2 but I don't know if it is a good idea. They say that milestone versions are buggy!
>>And I don't know if I'm able to configure it with jboss (I was using the jboss+tomcat package before)
>>
>>
>>please help!
>>
>>
>>>From: "Sternagel Annegret (PN-SYS/PE)" <[EMAIL PROTECTED]>
>>>To: "'Andrea Cervellati'" <[EMAIL PROTECTED]>
>>>Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>>>Subject: RE: [JBoss-user] security problem with Jboss+Tomcat
>>>Date: Tue, 22 Jan 2002 15:46:04 +0100
>>>
>>>Hello Andrea,
>>>
>>>I don't know how to solve your strange problem.
>>>What I can say:
>>>
>>>the server output
>>>    [Default] User 'leonardi' authenticated.
>>>shows that the user is recognized and the password is correct; it says nothing about access rights.
>>>The access rights are checked during the first access to a secured bean.
>>>
>>>Which exception exactly occurs when the login fails?
>>>Can you post the StackTrace?
>>>
>>>Annegret
>>>
>>>P.S.: Please post also to the list, not only to me ;-)
>>>
>>>-----Original Message-----
>>>From: Andrea Cervellati [mailto:[EMAIL PROTECTED]]
>>>Sent: Tuesday, 22 January 2002 14:48
>>>To: [EMAIL PROTECTED]
>>>Subject: RE: [JBoss-user] security problem with Jboss+Tomcat
>>>
>>>
>>>Thank you very much for the advice.
>>>
>>>I separated the ejbs into two different jar files and I fixed the problem.
>>>
>>>Anyway I have another problem.
>>>
>>>When I start up the server, the first user that tries to access the protected resources gets the login failure even if the credentials are right. The strange thing is that the server seems to recognize the user 'cause it prints the following:
>>>
>>>[EmbeddedCatalinaServiceSX] jsp: init
>>>[Default] User 'leonardi' authenticated.
>>>
>>>Another strange thing is that if the same user tries to access the same resource again, the login goes well.
>>>
>>>This happens not only with the user 'leonardi' but with any other user that is the first after a start up operation.
>>>
>>>I'm using a database login module and I have the configuration bound under the JNDI name 'java:/jaas/modulojdbc'.
>>>When the server is deploying the app I can read the message:
>>>
>>>[Container factory] Deploying MatDidEJB
>>>[Default] lookup securityDomain manager name: java:/jaas/modulojdbc
>>>[JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@4cd580
>>>[JaasSecurityManagerService] setCachePolicy, c=null
>>>[JaasSecurityManagerService] Added modulojdbc, org.jboss.security.plugins.JaasSecurityManager@4cd580 to map
>>>
>>>so it seems everything is ok!
>>>
>>>So what should I do?
>>>
>>>Thanks again
>>>
>>>
>>>
>>>>From: "Sternagel Annegret (PN-SYS/PE)" <[EMAIL PROTECTED]>
>>>>To: [EMAIL PROTECTED]
>>>>Subject: RE: [JBoss-user] security problem with Jboss+Tomcat
>>>>Date: Tue, 22 Jan 2002 09:39:08 +0100
>>>>
>>>>The security-domain in jboss.xml is valid for all beans it belongs to. If you want to restrict the security to particular beans, separate them in different jars with different jboss.xml.
>>>>
>>>>Annegret
>>>>
>>>>-----Original Message-----
>>>>From: Andrea Cervellati [mailto:[EMAIL PROTECTED]]
>>>>Sent: Monday, 21 January 2002 17:56
>>>>To: [EMAIL PROTECTED]
>>>>Subject: [JBoss-user] security problem with Jboss+Tomcat
>>>>
>>>>
>>>>Hi,
>>>>
>>>> I'm using JBoss and Tomcat for my web application.
>>>>
>>>> I have two stateful session ejbs: InsegnamentiEJB and MatDidEJB.
>>>>
>>>> The MatDidEJB is restricted to a security domain, but the other is not.
>>>> So I did not specify any method permission in the ejb-jar.xml for the first bean, but only for the second one:
>>>>
>>>> <assembly-descriptor>
>>>>   <security-role>
>>>>     <role-name>docente</role-name>
>>>>   </security-role>
>>>>
>>>>   <method-permission>
>>>>     <role-name>docente</role-name>
>>>>     <method>
>>>>       <ejb-name>MatDidEJB</ejb-name>
>>>>       <method-name>*</method-name>
>>>>     </method>
>>>>   </method-permission>
>>>> </assembly-descriptor>
>>>>
>>>> I want to use the database login module for the authentication of users so I had to change the standard configurations adding the following jboss.xml:
>>>>
>>>> <jboss>
>>>>   <security-domain>java:/jaas/modulojdbc</security-domain>
>>>> </jboss>
>>>>
>>>> where modulojdbc is the JNDI name of the authorization configuration in the auth.conf file.
>>>>
>>>> Then I have two JSPs: Insegnamenti.jsp and MatDid.jsp.
>>>>
>>>> When the user connects to the first he/she doesn't need to be authenticated and can access the related ejb.
>>>> On the bottom of the page there is a link to the other jsp and if the user clicks it he/she must authenticate himself/herself with a login form.
>>>>
>>>> My web.xml contains the following:
>>>>
>>>> <security-constraint>
>>>>
>>>>   <web-resource-collection>
>>>>     <web-resource-name>area riservata</web-resource-name>
>>>>     <url-pattern>/MatDid.jsp</url-pattern>
>>>>     <http-method>DELETE</http-method>
>>>>     <http-method>GET</http-method>
>>>>     <http-method>POST</http-method>
>>>>     <http-method>PUT</http-method>
>>>>   </web-resource-collection>
>>>>
>>>>   <auth-constraint>
>>>>     <role-name>docente</role-name>
>>>>   </auth-constraint>
>>>>
>>>> </security-constraint>
>>>>
>>>>
>>>> The problem is that when the user connects to the Insegnamenti.jsp and tries to connect to the InsegnamentiEJB the following exception occurs:
>>>>
>>>> javax.servlet.ServletException: checkSecurityAssociation; nested exception is:
>>>>     java.lang.SecurityException: Authentication exception, principal=null; nested exception is:
>>>>     java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
>>>>     java.lang.SecurityException: Authentication exception, principal=null
>>>>
>>>> It seems that as long as I set the jboss configuration with the jboss.xml, any user that tries to access the beans must be authenticated! WHY?!
>>>>
>>>> How can I restrict the authentication only to ONE particular ejb?
>>>>
>>>> PLEASE HELP!!!!!
>>>>
>>>> Thanks in advance
>>>>
>>>> bye

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
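Added illustration for Andrea's role-mapping question (not code from the thread or from JBoss): a small Python model of how the DatabaseServerLoginModule turns the rolesQuery rows into the caller's roles and caller principal, and how the EJB's <security-role-ref> and the web.xml <auth-constraint> then consume those roles. The tables are constructed from the rows posted above; the function names are my own.

```python
"""Model of the role mapping discussed in the thread (added example, not
JBoss code): how DatabaseServerLoginModule reads the rolesQuery rows and how
isCallerInRole() and <auth-constraint> then use those roles."""

# Constructed copies of the PRINCIPALS and ROLES tables posted by Andrea.
PRINCIPALS = {"vincini": "vincini", "guest": "guest"}
ROLES = [  # (principalid, role, rolegroup), one row per rolesQuery result
    ("vincini", "docente", "Roles"),
    ("guest", "studente", "Roles"),
]

# <security-role-ref> entries of MatDidEJB: coded role-name -> role-link.
MATDID_ROLE_REFS = {"STUDENTE": "studente", "DOCENTE": "docente"}


def login(principalid, password, roles_table=ROLES):
    """Mimic principalsQuery followed by rolesQuery.

    Returns (caller_name, roles) or None when the password does not match.
    Rows in the 'Roles' group become the caller's roles; a row in the special
    'CallerPrincipal' group replaces the name seen by getCallerPrincipal(),
    which is why Andrea saw "DOCENTE" after adding such a row.
    """
    if PRINCIPALS.get(principalid) != password:
        return None
    groups = {}
    for pid, role, group in roles_table:
        if pid == principalid:
            groups.setdefault(group, set()).add(role)
    roles = groups.get("Roles", set())
    caller = principalid
    if groups.get("CallerPrincipal"):
        caller = sorted(groups["CallerPrincipal"])[0]  # module expects one row
    return caller, roles


def is_caller_in_role(roles, ref_name, role_refs=MATDID_ROLE_REFS):
    """EJB isCallerInRole(): the name used in code is first translated through
    <role-link>; a name without a ref is compared as-is, case-sensitively."""
    return role_refs.get(ref_name, ref_name) in roles


def web_access_allowed(roles, auth_constraint_roles):
    """Servlet <auth-constraint>: a user who authenticated but holds none of
    the listed roles is refused with HTTP 403, the symptom in the thread."""
    return bool(roles & set(auth_constraint_roles))
```

Running login() for 'guest' and then web_access_allowed() against the /MatDid.jsp constraint reproduces the "authenticated, yet 403" outcome: authentication succeeds, but the Roles group holds no role listed in the auth-constraint.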