Ahah! You've struck one of the limitations of using this form of container-based authentication.

Basically, the JBoss users and roles files mechanism is really quite rudimentary and wasn't intended for anything serious I don't reckon. There is no mechanism at the jboss level that allows jspwiki to dynamically create new users or change passwords for authentication purposes. That only works if jspwiki is doing the authentication... but then that's not container-based authentication.

(By the way, why exactly do you want to use container-based authentication? The usual reasons are single sign-on between web apps, and access to a single authentication mechanism that other apps are using, and possibly a slightly stronger security model overall.)

In a way, there are two parallel universes still going on: jboss has its own idea of users and roles (and whatever authentication mechanism is used). And then jspwiki has its own separate repository of users and roles, which is actually still used for certain things even if not authentication. It is the latter which potentially allows for dynamic user creation and password changes.

I think the only way to do what you are looking at is to set up a database table containing the users and roles, use the JBoss jdbc authenticator instead of the basic one so that JBoss looks in the db to authenticate, and then on top of that use the jspwiki jdbc plugin for users and roles. They can both work against the same database.

I have something like this set up, but I don't allow dynamic user setup or password changes so I'm not sure if that actually works, but the theory says it should.

Hope this helps!
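
The JBoss half of the shared-database setup described above, as an added example that is not part of the original message: an application-policy for server/default/conf/login-config.xml that uses JBoss's DatabaseServerLoginModule instead of UsersRolesLoginModule. The policy name, datasource name, table and column names and the hash settings are assumptions; the JSPWiki JDBC user database would be pointed at the same tables.

```xml
<!-- Added example. Assumed names: wiki-domain, java:/WikiUsersDS,
     tables users(login_name, password) and roles(login_name, role). -->
<application-policy name="wiki-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- JNDI name of a datasource deployed in JBoss (assumed name) -->
      <module-option name="dsJndiName">java:/WikiUsersDS</module-option>

      <!-- Must return one column: the stored password for this login -->
      <module-option name="principalsQuery">SELECT password FROM users WHERE login_name = ?</module-option>

      <!-- Must return two columns: the role name and the role group.
           The group is the literal 'Roles' for ordinary role checks. -->
      <module-option name="rolesQuery">SELECT role, 'Roles' FROM roles WHERE login_name = ?</module-option>

      <!-- JBoss hashes the submitted password with these settings before
           comparing it to the stored value, so they must match exactly how
           the application that writes the users table hashes and encodes
           passwords (values below are assumed). Leaving both options out
           makes JBoss compare against a plaintext column. -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">hex</module-option>
    </login-module>
  </authentication>
</application-policy>
```

The security-domain in the war's WEB-INF/jboss-web.xml would then be java:/jaas/wiki-domain, spelled with exactly the same case as the policy name; a name JBoss cannot match falls through to the default "other" policy, which is the UsersRolesLoginModule seen in the log below.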

KS Rogers wrote:
Hi Milton,

Thank you for a very very detailed answer. After turning on the detailed
logging, as you suggested, I found that JBOSS is very case sensitive with
the application name in security policy. After I fixed that, I was able to
log in.

However - one question is for the users that I have manually created the
names/passwords in users.properties and roles.properties, I am able to log in
but how do I allow new users to be created on their own? The 'create user'
page is kind of disabled saying that only login is permitted. Am I missing
something here?

Regards.

On Jan 28, 2008 12:29 AM, Milton Taylor <[EMAIL PROTECTED]> wrote:

I have the current version of jspwiki running against JBoss 4.2.2, and
had earlier versions of both working together as well, so it does work!

Have you also uncommented the relevant section in web.xml?

What have you got in jboss-web.xml in your war's WEB-INF? Do you have a
specific security domain there? (That matches the domain in the jboss
security configuration?)

Lastly, where have you put the jspwiki.policy file? Things have changed
in 2.6.

Also, did you realise you have to delete log4j.jar and commons-logging
from your jspwiki WEB-INF folder? [Not related to security but can cause
problems]

You can turn on detailed security logging in the log4j.xml
file... should tell you why jspwiki can't get happening. Don't do it
from jspwiki.properties


KS Rogers wrote:
Hi,

I am unable to log in to jspwiki with jboss container authentication.
Below are the log messages that I get. I have enabled the container
authentication in jspwiki.properties:
jspwiki.authorizer = com.ecyrd.jspwiki.auth.authorize.WebContainerAuthorizer
The authentication in jboss seems to be working fine, but is failing in
jspwiki. Someone please help...

I have these lines in jboss->users.properties
rk=Admin, Authenticated, extern, intern, User
rr=Admin
tt=Admin
tt.roles=Admin

I have these lines in jboss->roles.properties
rk=Admin, Authenticated, extern, intern, User
rr=Admin
tt=Admin
tt.roles=Admin


...
2008-01-27 18:17:37,562 [http-0.0.0.0-8080-2] TRACE org.jboss.security.auth.login.XMLLoginConfigImpl  - End getAppConfigurationEntry(JSPWiki-container), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
2008-01-27 18:17:37,562 [http-0.0.0.0-8080-2] TRACE org.jboss.security.auth.spi.UsersRolesLoginModule  - initialize, [EMAIL PROTECTED]
2008-01-27 18:17:37,562 [http-0.0.0.0-8080-2] TRACE org.jboss.security.auth.spi.UsersRolesLoginModule  - Security domain: other
2008-01-27 18:17:37,562 [http-0.0.0.0-8080-2] TRACE org.jboss.security.auth.spi.UsersRolesLoginModule  - findResource: null
2008-01-27 18:17:37,562 [http-0.0.0.0-8080-2] TRACE org.jboss.security.auth.spi.UsersRolesLoginModule  - Properties file=file:/C:/install/Server/jboss-4.0.5.GA/server/default/conf/users.properties, defaults=null
2008-01-27 18:17:37,562 [http-0.0.0.0-8080-2] DEBUG org.jboss.security.auth.spi.UsersRolesLoginModule  - Loaded properties, users=[rr, tt, rk]
2008-01-27 18:17:37,562 [http-0.0.0.0-8080-2] TRACE org.jboss.security.auth.spi.UsersRolesLoginModule  - findResource: null
2008-01-27 18:17:37,562 [http-0.0.0.0-8080-2] TRACE org.jboss.security.auth.spi.UsersRolesLoginModule  - Properties file=file:/C:/install/Server/jboss-4.0.5.GA/server/default/conf/roles.properties, defaults=null
2008-01-27 18:17:37,562 [http-0.0.0.0-8080-2] DEBUG org.jboss.security.auth.spi.UsersRolesLoginModule  - Loaded properties, users=[tt.roles, rr, tt, rk]
2008-01-27 18:17:37,562 [http-0.0.0.0-8080-2] TRACE org.jboss.security.auth.spi.UsersRolesLoginModule  - login
2008-01-27 18:17:37,562 [http-0.0.0.0-8080-2] TRACE org.jboss.security.auth.spi.UsersRolesLoginModule  - abort
2008-01-27 18:17:37,562 [http-0.0.0.0-8080-2] ERROR com.ecyrd.jspwiki.auth.AuthenticationManager  - Couldn't log in. Message=CallbackHandler does not support: [EMAIL PROTECTED]
