[JBoss-user] [Security JAAS/JBoss] - Re: JAAS Security in JBOSS 4.0 ISSUES??

2005-10-07 Thread angelzworld
First, thanks for replying. I hope you are able to solve my problem.

I am using form-based authentication.
Essentially the username and password are grabbed via an HTML form. Here's the code 
for my .vm template.

**login.vm**

  | <form action="/megs/logincheck.action?view=overview" method="post">
  | <table>
  | <tr class="trCaption">
  | <td color="white">UserName :</td>
  | <input type="text" name="user" size="12"/>
  | </tr>
  | <tr class="trCaption">
  | <td color="white">Password :</td>
  | <input type="password" name="password" size="12"/>
  | </tr>
  | <tr>
  | <td>
  | <input type="submit" value="Login"/>
  | </td>
  | </tr>
  | </table>
  | </form>
  | 



On submit, this calls the Servlet LoginCheckAction which loads the loginmodules 
via LoginContext and performs authentication as shown  below:
***LoginCheckAction.java***

  | import javax.security.auth.callback.*;
  | import javax.security.auth.login.*;
  | 
  | public class LogincheckAction extends ActionSupport 
  | {..
  | ..
  | ..
  | static class AppCallbackHandler implements CallbackHandler
  | {
  |   private String uname;
  |   private char[] pass;
  | 
  |   public AppCallbackHandler(String uname, char[] pass)
  |   {
  |     System.out.println("The username is: " + uname);
  |     // Prints the char[] reference, not its contents; credentials should not be logged
  |     System.out.println("The password is: " + pass);
  |     this.uname = uname;
  |     this.pass = pass;
  |   }
  | 
  |   // Hands the stored name and password to whichever login module asks for them
  |   public void handle(Callback[] callbacks) throws
  |     java.io.IOException, UnsupportedCallbackException
  |   {
  |     for (int i = 0; i < callbacks.length; i++)
  |     {
  |       if (callbacks[i] instanceof NameCallback)
  |       {
  |         NameCallback nc = (NameCallback) callbacks[i];
  |         nc.setName(uname);
  |       }
  |       else if (callbacks[i] instanceof PasswordCallback)
  |       {
  |         PasswordCallback pc = (PasswordCallback) callbacks[i];
  |         pc.setPassword(pass);
  |       }
  |       else
  |       {
  |         throw new UnsupportedCallbackException(callbacks[i], 
  |           "Unrecognized Callback");
  |       }
  |     }
  |   }
  | }
  | 
  | public String execute() throws Exception 
  | {
  |   char[] passwordarray = getPassword().toCharArray();
  |   try
  |   {
  |     AppCallbackHandler handler = new 
  |       AppCallbackHandler(getUser(), passwordarray);
  |     lc = new LoginContext("megs", handler);
  |     System.out.println("Created LoginContext");
  |     lc.login();
  |   }
  |   catch (FailedLoginException le)
  |   {
  |     System.out.println("Login failed for Username :" + getUser()); 
  |     System.out.println("Please check your username and password"); 
  |     return "accessdenied";  
  |   }
  |   System.out.println("LoginCheckAction executed"); //This is printed 
  | 
  |   HttpServletResponse response = ServletActionContext.getResponse();
  |   response.sendRedirect("/megs/overview.action?view=overview");
  | 
  |   return SUCCESS;
  | }
  | 
  | 
  | .
  | ..
  | 


This executes properly as the last line is printed, so I am sure the login 
succeeds, after that there is a redirect to the next servlet 
OverviewAction.java which is where the problem occurs..
*OverviewAction.java**


  | 
  | ...
  | public String execute() throws Exception 
  | {
  | ActionContext.getContext().getApplication().put("view", view);
  | ActionContext.getContext().getApplication().put("submenu", "");
  | System.out.println("The view in overviewaction is:" + view);   
  |
  | //EXCEPTION IS THROWN AT THIS LINE   
  |   setRegions(BeanUtil.getRegion().getRegionDevices()); 
  | ..
  | .
  | }
  | ...
  | ...
  | 
*
The exception is thrown when the OverviewAction Servlet tries to call the 
create method of the Region Bean.. :(

And here is my web.xml, I am not very sure if I have it configured correctly, 
Maybe the problem lies in that.

It does include the login-config information. I tried using both BASIC and 
FORM, doesn't make any difference though


  | 
  | 
  | 

[JBoss-user] [Security JAAS/JBoss] - Re: JAAS Security in JBOSS 4.0 ISSUES??

2005-10-06 Thread angelzworld
2 days and still no reply to my topic.. :(
I am using the jboss 4.0.2 version..

Well, I have done a lot of research on the exception insufficient 
permissions...principal=[null], and from what I found on the forums and the 
WIKI, my login.xml needs to be like that:

login-config.xml***
<application-policy name = "megs">
  <authentication>
    <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
        flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "dsJndiName">java:/PostgresDS</module-option>
      <module-option name = "principalsQuery">SELECT passwd FROM users WHERE username=?</module-option>
      <module-option name = "rolesQuery">SELECT userrole, 'Roles' FROM userroles WHERE username=?</module-option>
    </login-module>

    <login-module code = "org.jboss.security.ClientLoginModule"
        flag = "required">
    </login-module>
  </authentication>
</application-policy>
***

However, no use; it still fails, giving me the Insufficient 
permissions...principal=[null] exception... 

I also tried using the  
<module-option name="password-stacking">useFirstPass</module-option> in the 
login-config.xml file for Databaseserverloginmodule and/or Clientloginmodule, 
no effect though... when used for the client login module only, it gives a

***No matching username found. exception***

I am sure the authentication info is not getting propagated, because the login 
is performed successfully and all my println statements are printed. There is a 
redirect code fragment in my code on successful login
*
 HttpServletResponse response = ServletActionContext.getResponse();   
response.sendRedirect("/megs/overview.action?view=overview");
**

The call executes and the required class calls a function on ejb by the name 
region. This is where I get the exception. Is it because I am doing a redirect 
the authentication information is lost?? Or is it because I am missing 
something, somewhere in the configuration files, as a result of which I am 
unable to proceed???

Please do let me know



View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3899702#3899702

Reply to the post : 
http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3899702


---
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
___
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user


[JBoss-user] [Security JAAS/JBoss] - Re: JAAS Security in JBOSS 4.0 ISSUES??

2005-10-04 Thread angelzworld
Yeah, I did notice that :) and rectified that, changed the query as well as the 
application policy name. Now here is the problem I am facing.

In jboss.xml, the security-domain is specified as:
 <security-domain> java:/jaas/megs </security-domain>
I guess this makes jboss look for login modules when you attempt to login to a 
site. I get the following exception :

java.rmi.AccessException: SecurityException; nested exception is: 
java.lang.SecurityException: Insufficient method permissions, 
principal=null, ejbName=Region, method=create, interface=HOME, 
requiredRoles=[ManageUsers], principalRoles=[]

My auto-generated ejb-jar.xml file looks like this

<ejb-jar>
..
.

 <session>
 <description><![CDATA[This is the Region session bean.]]></description>
 <display-name>Region Session Bean</display-name>

 <ejb-name>Region</ejb-name>
 <home>{my home interface}</home>
 <remote>{my remote interface}</remote>
 <ejb-class>{my ejb-class}</ejb-class>
 <session-type>Stateless</session-type>
 <transaction-type>Container</transaction-type>

 <security-role-ref>
    <role-name>ManageUsers</role-name>
    <role-link>ManageUsers</role-link>
 </security-role-ref>
 </session>
...
..
.

 <!-- Assembly Descriptor -->
 <assembly-descriptor>
    <security-role>
       <role-name>ManageUsers</role-name>
    </security-role>
    <security-role>
       <role-name>ScadaUser</role-name>
    </security-role>
    <method-permission>
       <role-name>ManageUsers</role-name>
       <method>
          <ejb-name>Region</ejb-name>
          <method-name>create</method-name>
       </method>
    </method-permission>
 </assembly-descriptor>

.
...

</ejb-jar>
*
I am not sure what exactly is wrong. I tried changing the value of the 
method-name tag to * instead of create; even that doesn't work though.
It throws the same exception.

Can you please tell me what I am doing wrong :( . Also, I noticed it doesn't 
matter if I have auth.conf configured at all. Is this because of an upgrade in 
the version, because tutorials on several previous versions tell us to 
configure both client side and server side auth.conf files. Please guide me 
with respect to that as well.

Waiting for your replies. Thank you, your help is really appreciated :)


View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3899022#3899022



[JBoss-user] [Security JAAS/JBoss] - Re: JAAS Security in JBOSS 4.0 ISSUES??

2005-10-04 Thread angelzworld
Well I am still stuck with the exception reported earlier. I was hoping I could 
get some replies for that :(.

My application needs authorized access to create and add users for the 
application. Say, only users with the role 'ManageUsers' can create and add 
users and users with role 'NormalUsers' can only browse through the site.

The application makes use of ejbs, servlets and the front-end is in velocity.
Here's my security configuration in ejb-jar.xml and web.xml. I am not very sure 
how it is worked out. How do roles in web.xml map to those in ejb-jar.xml???

*web.xml**
<web-app>
    <display-name>Enterprise Management Console</display-name>

    <filter>
        <filter-name>sitemesh</filter-name>
        <filter-class>
            com.opensymphony.module.sitemesh.filter.PageFilter
        </filter-class>
    </filter>

    <filter-mapping>
        <filter-name>sitemesh</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>webwork</servlet-name>
        <servlet-class>com.opensymphony.webwork.dispatcher.ServletDispatcher</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet>
        <servlet-name>velocity</servlet-name>
        <servlet-class>com.opensymphony.webwork.views.velocity.WebWorkVelocityServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet>
        <servlet-name>sitemesh-velocity</servlet-name>
        <servlet-class>com.opensymphony.module.sitemesh.velocity.VelocityDecoratorServlet</servlet-class>
    </servlet>

    <servlet>
        <servlet-name>SecureServlet</servlet-name>
        <servlet-class>
            com.megs.management.servlets.AdminAction
        </servlet-class>
        <run-as>
            <description>Only admin can acces this</description>
            <role-name>admin</role-name>
        </run-as>
    </servlet>

    <servlet-mapping>
        <servlet-name>SecureServlet</servlet-name>
        <url-pattern>/restricted/*</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>webwork</servlet-name>
        <url-pattern>*.action</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>velocity</servlet-name>
        <url-pattern>*.vm</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>sitemesh-velocity</servlet-name>
        <url-pattern>*.vm</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SecureServlet</web-resource-name>
            <description>Authorized access</description>
            <url-pattern>/restricted/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ManageUsers</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>ManageUsers</role-name>
    </security-role>

</web-app>

**

ejb-jar.xml
<ejb-jar>

   <description><![CDATA[No Description.]]></description>
   <display-name>Generated by XDoclet</display-name>

   <enterprise-beans>

      <!-- Session Beans -->
      <session>
         <description><![CDATA[This is the Region session bean.]]></description>
         <display-name>Region Session Bean</display-name>

         <ejb-name>Region</ejb-name>
         <home>{my home interface}</home>
         <remote>{my remote interface}</remote>
         <ejb-class>{my ejb-class}</ejb-class>
         <session-type>Stateless</session-type>
         <transaction-type>Container</transaction-type>

         <security-role-ref>
            <role-name>ManageUsers</role-name>
            <role-link>ManageUsers</role-link>
         </security-role-ref>
      </session>

...
..
.

   <!-- Assembly Descriptor -->
   <assembly-descriptor>

      <security-role>
         <role-name>ManageUsers</role-name>
      </security-role>
      <security-role>
         <role-name>NormalUsers</role-name>
      </security-role>

      <method-permission>
         <role-name>ManageUsers</role-name>
         <ejb-name>Region</ejb-name>
         <method-name>create</method-name>
      </method-permission>

      <method-permission>
         <role-name>NormalUsers</role-name>
         <method>
            <ejb-name>Region</ejb-name>
            <method-name>create</method-name>
         </method>
      </method-permission>

   </assembly-descriptor>

...

</ejb-jar>






PLEASE HELP ME OUT HERE :((


*



View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3899178#3899178

[JBoss-user] [Security JAAS/JBoss] - Re: JAAS Security in JBOSS 4.0 ISSUES??

2005-10-03 Thread angelzworld
Well, thanks for all those tips, I am trying out that right now. I am still a 
bit confused regarding the configuration of JAAS for JBOSS, I am developing an 
ejb application, so accordingly I guess I need to configure the following files:

-- ejb-jar.xml
-- jboss.xml
-- login-config.xml

How about auth.conf files for the server side and the client side? Don't I need 
to configure these? If so, how do I go about configuring these??







View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3898713#3898713



[JBoss-user] [Security JAAS/JBoss] - Re: JAAS Security in JBOSS 4.0 ISSUES??

2005-10-03 Thread angelzworld
oks this is what I have till now,

For Starters, I just need to verify, if a user
with the username admin and password superuser can successfully
login into the application.


This is my Database Schema in postgresql

users table which stores the user information

* id (INTEGER PRIMARY KEY)
* username (VARCHAR(64))
* password (VARCHAR(64))


userroles table which stores roles and corresponding user information

* id (INTEGER PRIMARY KEY)
* username (VARCHAR(64))
* userrole (VARCHAR(32))

My login-config.xml and postgres-ds.xml are as follows:

*postgres-ds.xml*

  <local-tx-datasource>
    <jndi-name>PostgresDS</jndi-name>
    <connection-url>jdbc:postgresql://localhost/megs</connection-url>
    <driver-class>org.postgresql.Driver</driver-class>
    <user-name>postgres</user-name>
    <password>postgres</password>
  </local-tx-datasource>


***postgres-ds.xml***

**login-config.xml
<application-policy name = "DefAuth">
  <authentication>
    <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
        flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "dsJndiName">java:/PostgresDS</module-option>
      <module-option name = "principalsQuery">SELECT passwd FROM users WHERE PrincipleID=?</module-option>
      <module-option name = "rolesQuery">SELECT userrole, 'Roles' FROM userroles WHERE PrincipleID=?</module-option>
    </login-module>
  </authentication>
</application-policy>
**login-config.xml


I hope I am going correct so far..

I am using the Eclipse IDE along with xdoclet, which generates the
deployment descriptor files(ejb-jar.xml and jboss.xml) automatically. 

Security domain is configured for jboss.xml as

**jboss.xml*


<security-domain> java:/jaas/megs </security-domain>


**jboss.xml*

I want to know if, apart from all this, there are any other files that need 
configuration??

Also can You provide me with a snippet of code that would demonstrate
how the authentication is handled via JAAS(LoginContext and 
CallBackHandlers..??)

I can then proceed on extending the security architecture if
I can get this going..

Please let me know about this as soon as possible.

Thanks a bunch for all the help.


View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3898731#3898731
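
Added example, not part of the original post or of JBoss: the post above pairs an application-policy named DefAuth with a security-domain of java:/jaas/megs, and its queries name columns (passwd, PrincipleID) that the posted schema does not list; the author reports changing both in the next message. The sketch below checks those two things offline. The function names, the `<policy>` wrapper and the simplified query pattern are assumptions of this example, and the inputs are constructed from the post with the stripped tags restored.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the post above (not taken from a real deployment).
LOGIN_CONFIG = """
<policy>
  <application-policy name="DefAuth">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/PostgresDS</module-option>
        <module-option name="principalsQuery">SELECT passwd FROM users WHERE PrincipleID=?</module-option>
        <module-option name="rolesQuery">SELECT userrole, 'Roles' FROM userroles WHERE PrincipleID=?</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
"""
JBOSS_XML = "<jboss><security-domain> java:/jaas/megs </security-domain></jboss>"
SCHEMA = {"users": {"id", "username", "password"},
          "userroles": {"id", "username", "userrole"}}

# Only handles the simple "SELECT cols FROM table WHERE col=?" shape used in the post.
QUERY_RE = re.compile(r"SELECT\s+(.+?)\s+FROM\s+(\w+)\s+WHERE\s+(\w+)\s*=\s*\?", re.I | re.S)
JAAS_PREFIX = "java:/jaas/"


def check_security_domain(login_config, jboss_xml):
    """Flag security-domain entries that name no application-policy."""
    policies = {p.get("name") for p in ET.fromstring(login_config).iter("application-policy")}
    findings = []
    for dom in ET.fromstring(jboss_xml).iter("security-domain"):
        name = (dom.text or "").strip()
        short = name[len(JAAS_PREFIX):] if name.startswith(JAAS_PREFIX) else name
        if short not in policies:
            findings.append(f"security-domain '{short}' matches no application-policy {sorted(policies)}")
    return findings


def check_queries(login_config, schema):
    """Flag principalsQuery/rolesQuery columns that the schema does not define."""
    findings = []
    for opt in ET.fromstring(login_config).iter("module-option"):
        if opt.get("name") not in ("principalsQuery", "rolesQuery"):
            continue
        match = QUERY_RE.search(opt.text or "")
        if not match:
            findings.append(f"{opt.get('name')}: cannot parse query")
            continue
        cols, table, where = match.groups()
        known = {c.lower() for c in schema.get(table.lower(), set())}
        for col in [c.strip() for c in cols.split(",")] + [where]:
            if col.startswith("'"):  # string literal such as 'Roles', not a column
                continue
            if col.lower() not in known:
                findings.append(f"{opt.get('name')}: column '{col}' not in table '{table}'")
    return findings


if __name__ == "__main__":
    for line in check_security_domain(LOGIN_CONFIG, JBOSS_XML) + check_queries(LOGIN_CONFIG, SCHEMA):
        print(line)
```
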



[JBoss-user] [Security JAAS/JBoss] - Re: JAAS Security in JBOSS 4.0 ISSUES??

2005-09-30 Thread angelzworld
Thanks a lot for that tip, I am going through the documentation and well by now 
I am familiar with the basics, but need to know how it works together as a 
whole, so was looking out for the example.

Can you please provide me with the link for the DVD Store Trail Blazer? I was 
not able to locate it. Is that like a zip file or something that I can download 
and implement on my machine. Really appreciate your reply. Please let me know.

Thanks a bunch

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3898285#3898285



[JBoss-user] [Security JAAS/JBoss] - JAAS Security in JBOSS 4.0 ISSUES??

2005-09-29 Thread angelzworld
I am trying to implement JAAS security in JBOSS and need a proper working 
example for this. I tried executing the jaas_howto 3.2x, however it does not 
get deployed, I guess it's probably because of the change in version. 

I came up across this article on the net which explains pretty well about JAAS 
with JBOSS and tried to deploy that as well, however even that fails cos the 
software being used is of a very old version and when I try to deploy it using 
the new version or even a later version, it doesn't work. I was unable to find 
jboss.2.4.5 for this article:
http://www.ociweb.com/jnb/jnbJul2002.html#ocieducationalservices 

Please can anyone direct me to a simple straightforward working example of JAAS 
with JBOSS 4.0 (the latest version of JBOSS) or even any books references that 
give an indepth knowledge of JAAS with JBOSS.

I want to implement the Databaseloginmodule using the postgresql database.

Please do post back soon, thanks a bunch

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3898073#3898073
