[JBoss-user] [Security & JAAS/JBoss] - Re: Connect to security service?
Good news is that I've tested in 4.0.3SP1 and it's working there. I did my tests just using the UsersRolesLoginModule, and initially against the 'other' security definition, which worked. Then I noted how tomcat5.5.sar (META-INF/jboss-service.xml) links to jaas/other by default. So I duplicated and renamed it in login-config.xml to try it as a 'different' login config, and it still worked.

login-config.xml:
| | | | | | |

jboss-web.xml:
| java:/jaas/sec-test |

Paranoid as I am, I decided that maybe it was just failing and going to 'other'. I then changed the default security domain to jbossmq, to ensure that I wasn't magically falling back to 'other':

java:/jaas/jbossmq

I know that UsersRolesLoginModule works. I still need to test with my custom login module; that will come tomorrow. If it works I'm going to pitch for a move to the new server, but I don't know if they'll go for it, and if they do, if it will be in my lifetime. Given the still heavy use of 3.2.3 it would be nice to be able to resolve the original problem though.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3939021#3939021

___
JBoss-user mailing list JBoss-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security & JAAS/JBoss] - Re: Connect to security service?
P.S. When it's working (java2ClassLoadingCompliance=true), the securityCtx that is returned is called NamingContext, and I think it's a NamingManager.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3939012#3939012
[JBoss-user] [Security & JAAS/JBoss] - Re: Connect to security service?
I've finally sat down and traced the code on this a little more. I've found the key difference as to why the security context is failing when java2ClassLoadingCompliance=false. However, I'm not able to tell yet why it's failing. I'm about to check this all out on JBoss AS 4.0.3SP1. However, our current environment is AS 3.2.3 and I don't have the power to change that.

Here's what I've got so far (in AS 3.2.3):

When a web app is first accessed, JBoss attempts to look up its security context from a new InitialContext(). This is done by org.jboss.web.tomcat.security.JBossSecurityMgrRealm during the first call to the .invoke(Request, Response, ValveContext) method:

    public void invoke(Request request, Response response, ValveContext context)
        throws IOException, ServletException
    {
        try
        {
            try
            {
                Context securityCtx = getSecurityContext();
                if( subjectAttributeName != null && securityCtx != null )

Then it calls out to .getSecurityContext():81, which returns null as the securityCtx:

    private Context getSecurityContext()
    {
        Context securityCtx = null;
        // Get the JBoss security manager from the ENC context
        try
        {
            InitialContext iniCtx = new InitialContext(); // This works fine, but may not contain the security manager
            securityCtx = (Context) iniCtx.lookup("java:comp/env/security");
        }
        catch(NamingException e)
        {
            // Apparently there is no security context?
            // ([EMAIL PROTECTED]) No there is one, but it fails to look it up (java2ClassLoading=false)
        }
        return securityCtx; // Returns null when java2ClassLoading=false
    }

When it's left to the default, java2ClassLoadingCompliance="true", then it does find the security context. I'm going to test this out in JBoss 4.0.3, and I'm digging deeper into the name lookups, but that's where I'm having trouble tracing the operation of the program.

Given the posts I've mentioned previously about people needing to set java2ClassLoadingCompliance="true" (since in 4.0.1 it's false by default) in order to enable jaas, I don't expect it to suddenly work, but I'll post what I find out. More to follow as I get further in my investigation...

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3939009#3939009
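An added example, not part of the original post and not JBoss code: a variant of the getSecurityContext() lookup quoted above that keeps the NamingException and reports the thread context class loader chain instead of returning null, so a failed lookup can be told apart from an application that has no security context. The class and exception names are hypothetical, and it is assumed to be called from a servlet or JSP inside the affected web application.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Hypothetical diagnostic helper (name is an assumption, not a JBoss class). */
public final class SecurityCtxProbe {
    /** Raised instead of returning null, so a failed lookup cannot pass for "no security". */
    public static final class SecurityContextUnavailable extends Exception {
        SecurityContextUnavailable(String m, Throwable cause) { super(m, cause); }
    }

    /** Renders a class loader followed by each of its parents. */
    static String chain(ClassLoader loader) {
        StringBuilder sb = new StringBuilder();
        for (ClassLoader c = loader; c != null; c = c.getParent()) {
            sb.append("\n    ").append(c.getClass().getName())
              .append('@').append(Integer.toHexString(System.identityHashCode(c)));
        }
        return sb.append("\n    <bootstrap>").toString();
    }

    /** Same lookup as getSecurityContext(), but the failure cause is kept. */
    public static Context lookupSecurityContext() throws SecurityContextUnavailable {
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        try {
            Object bound = new InitialContext().lookup("java:comp/env/security");
            if (bound instanceof Context) {
                return (Context) bound;
            }
            // Bound, but not assignable to the Context type visible to this class.
            String type = (bound == null) ? "null"
                    : bound.getClass().getName() + " from " + bound.getClass().getClassLoader();
            throw new SecurityContextUnavailable("java:comp/env/security is " + type
                    + "; javax.naming.Context from " + Context.class.getClassLoader(), null);
        } catch (NamingException e) {
            throw new SecurityContextUnavailable("lookup failed: " + e
                    + "; remaining name: " + e.getRemainingName()
                    + "; context class loader chain:" + chain(tccl), e);
        }
    }

    public static void main(String[] args) {
        try {
            System.out.println("security context: " + lookupSecurityContext());
        } catch (SecurityContextUnavailable e) {
            System.err.println(e.getMessage()); // outside a container: NoInitialContextException
        }
    }
}
```

Running it once with java2ClassLoadingCompliance="true" and once with "false" and comparing the two reports shows whether the lookup throws, or returns an object of an unexpected type.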
[JBoss-user] [Security & JAAS/JBoss] - Re: Connect to security service?
louisaj,

I have looked into the configuration of Tomcat 4.1.x used in JBoss 3.2.3. It seems as though things are quite different for this version than Tomcat5.5 in JBoss 4.0.x. I am sorry if I led you down the wrong track by my lack of knowledge (i.e. ignorance) on this version. It appears as though the servlet container is configured through the jbossweb-tomcat41.sar/META-INF/jboss-service.xml file. However, in this version the realm instance is not important. Like you said.

At this point my lack of knowledge on your particular configuration forces me to sit down and shut up. Sorry I could not help more.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3931975#3931975
[JBoss-user] [Security & JAAS/JBoss] - Re: Connect to security service?
I'll read up on that. However, the assumptions I have made on how the security layer works are irrelevant. The point is that I have posted two examples. In one, the security authentication works with my custom login module. In the other one, security authentication does not work. The only change I've made between the two is to set java2ClassLoadingCompliance to "false". I have not touched the tomcat realm configuration.

Also, it doesn't matter if I use my own custom login module, or one of the ones supplied by the core jboss installation (like the users roles login module). If I configure my application to use any of them it works, until I set java2ClassLoadingCompliance to "false".

The configuration I have posted does work in JBoss 3.2.3. I am reasonably confident that I have not configured extra security realms in tomcat configuration files. I started with a vanilla JBoss 3.2.3 installation with tomcat 4 embedded, and made the changes detailed in the first post. It works. When I change java2ClassLoadingCompliance to "false" (in either the application's jboss-web.xml or in jbossweb-tomcat41.sar/META-INF/jboss-service.xml), then and only then does security stop working.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3931928#3931928
[JBoss-user] [Security & JAAS/JBoss] - Re: Connect to security service?
louisaj_work,

Your assumptions are incorrect with regard to the Tomcat security layer. Tomcat has a server.xml file that configures the server. With Tomcat 5.5 embedded (and so I assume Tomcat 4.1), this server.xml file is in the tomcat sar. I am interested in seeing what Realm you are using. In your example distribution, I see no designation of how your Tomcat server is configured.

The application policy does not 'act in the same fashion as declaring a realm'. The realm needs to be the org.jboss.web.tomcat.security.JBossSecurityMgrRealm, which delegates authentication/authorization to the security manager of your JBoss server for the application-policy you designate as your security-domain. Thus, what realm are you using?

Maybe you should read http://wiki.jboss.org/wiki/Wiki.jsp?page=Tomcat

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3931862#3931862
[JBoss-user] [Security & JAAS/JBoss] - Re: Connect to security service?
How JBoss actually gets the security system up is detailed under the JBoss SX wiki: http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3931735#3931735
[JBoss-user] [Security & JAAS/JBoss] - Re: Connect to security service?
A plain vanilla tomcat installation requires you to declare the realms and such. However, this is not necessary for an embedded tomcat installation in jboss. Instead you simply declare an in the server/<instance>/conf/login-config.xml file. You can see the application-policy I am using here:

| | | |

This policy acts in the same fashion as declaring a realm in tomcat. JBoss registers its security with tomcat through a valve (I think) in server/<instance>/deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml

This will make the application-policy take effect in tomcat in the usual way as a realm would.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3931734#3931734
[JBoss-user] [Security & JAAS/JBoss] - Re: Connect to security service?
louisaj,

I was looking at the deployment you posted at laj.ca:8080. I am unfamiliar with using the embedded Tomcat 4.1. Where do you configure the Realm used for your engine/host/context?

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3931642#3931642
[JBoss-user] [Security & JAAS/JBoss] - Re: Connect to security service?
Ok, I've read through that. I think I now have at least a tenuous grip on ClassLoaders and Repositories. I've also read through http://wiki.jboss.org/wiki/Wiki.jsp?page=ClassLoadingConfiguration.

Since java2ParentDelegation is disabled by default, I tried enabling it, as well as removing that line entirely. This had no apparent effect on the behaviour of the program and jaas security.

I also tried setting java2ClassLoadingCompliance to true and providing a unique name for the class repository. This allowed the security mechanism to work, but the components that required the updated libraries started using the old libraries.

Next step: delving into the jboss source code to see what exactly happens when a jaas:/security/service name is looked up, to see why this silently fails with java2ClassLoadingCompliance=false.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3931620#3931620
[JBoss-user] [Security & JAAS/JBoss] - Re: Connect to security service?
louisaj,

Thanks for posting more detail. I really think you need to read http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossClassLoadingUseCases. This explains in great detail how your configurations change the classloading scheme. From what I can see, you probably should not have set java2ParentDelegation to false. I think this means that unless a class is present in your war, or the system classpath, your war's classloader will not find it.

Hope this can help,
cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3929328#3929328