RE: [OT] EXTREMELY URGENT: JBoss JAAS/Container Security issue

2003-04-03 Thread Mikael Eriksson
At 14:08 2003-04-03 +0200, you wrote:
>OK, that worked. Also, that seemed to remove the errors I had with the
>EJB's as well.
>I really appreciate your help!

Great!

>I am sorry if this seemed trivial to you and others, but the documentation
>did _not_ seem to be telling me what you mentioned about 'Roles'. I
>assumed 'Roles' meant I could call the 'Roles' what I understand as
>'Roles'. Not the literal 'Roles'.
>Anyway, thanks very much.


The trivial questions are best because I can answer them :-)

Seriously, I can see how the description can be misread; the jboss docs are
a bit terse sometimes.

Regards



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


RE: [OT] EXTREMELY URGENT: JBoss JAAS/Container Security issue

2003-04-03 Thread Mick . Knutson
OK, that worked. Also, that seemed to remove the errors I had with the EJB's as well.
I really appreciate your help!

I am sorry if this seemed trivial to you and others, but the documentation did _not_ 
seem to be telling me what you mentioned about 'Roles'. I assumed 'Roles' meant I could 
call the 'Roles' what I understand as 'Roles'. Not the literal 'Roles'.
Anyway, thanks very much.






Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only
for the individual named.  If you are not the named addressee you
should not disseminate, distribute or copy this e-mail.  Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses.  The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission.  If
verification is required please request a hard-copy version.  This
message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or
related financial instruments.





RE: [OT] EXTREMELY URGENT: JBoss JAAS/Container Security issue

2003-04-03 Thread Mikael Eriksson

>I will try the  in about 30 minutes. Thanks.
Ok,

Hope that it will work as it should


>On the run-as, I do understand that this bean will run other beans "as" 
>this identity. My Session Facade actually have permission "unchecked" so 
>anyone should be able to get to my session facade currently. It is not 
>what I want, but it is a start at least. Then I can get the user Roles 
>issue resolved.
I guess I misunderstood your first mail then.


>I am very grateful for your help!
>This JAAS has been so difficult!


Yes, everything would be much easier without security :-)

Regards
/Mikael



RE: [OT] EXTREMELY URGENT: JBoss JAAS/Container Security issue

2003-04-03 Thread Mick . Knutson
I will try the  in about 30 minutes. Thanks.

On the run-as, I do understand that this bean will run other beans "as" this identity. 
My Session Facade actually have permission "unchecked" so anyone should be able to get 
to my session facade currently. It is not what I want, but it is a start at least. 
Then I can get the user Roles issue resolved.

I am very grateful for your help!
This JAAS has been so difficult!

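Mikael's point about run-as elsewhere in this thread (run-as sets the identity a bean uses for the calls it makes, and says nothing about who may call the bean) can be modelled in a few lines. This is an added example, not code from the thread or from JBoss: the bean names SessionFacade and InternalBean and the role InternalUser are taken from Mick's description, and the container logic is a simplified model of the EJB rules, not the real interceptor chain.

```python
"""Toy model of EJB method permissions and run-as.

Added example, not JBoss code. SessionFacade, InternalBean and the role
InternalUser are assumed from the thread; the container checks are a
simplified model of the EJB rules: the inbound check uses the caller's
roles, run-as only changes the identity used for calls the bean makes.
"""


class SecurityViolation(Exception):
    pass


class Bean:
    def __init__(self, name, allowed_roles=(), unchecked=False, run_as=None):
        self.name = name
        self.allowed_roles = set(allowed_roles)  # <method-permission><role-name>
        self.unchecked = unchecked               # <method-permission><unchecked/>
        self.run_as = run_as                     # <security-identity><run-as>

    def check_access(self, caller_roles):
        """Inbound check: decided by the CALLER's roles. The bean's own run-as
        is not consulted here, so run-as on a bean never opens it to outsiders."""
        if self.unchecked:
            return
        if not self.allowed_roles & set(caller_roles):
            raise SecurityViolation(
                f"{self.name}: caller must belong to one of {sorted(self.allowed_roles)}")

    def outbound_roles(self, caller_roles):
        """Identity this bean presents when it calls other beans."""
        return {self.run_as} if self.run_as else set(caller_roles)


def invoke(chain, caller_roles):
    """Call the beans in `chain` one after another (each calling the next),
    applying the container's check at every hop. Returns the roles the last
    bean would use for any further call."""
    roles = set(caller_roles)
    for bean in chain:
        bean.check_access(roles)
        roles = bean.outbound_roles(roles)
    return roles


def facade_scenario(facade_run_as, caller_roles=("user", "admin")):
    """Web tier -> SessionFacade (unchecked) -> InternalBean (InternalUser only).
    Returns "ok" or the violation message."""
    facade = Bean("SessionFacade", unchecked=True, run_as=facade_run_as)
    internal = Bean("InternalBean", allowed_roles={"InternalUser"})
    try:
        invoke([facade, internal], caller_roles)
        return "ok"
    except SecurityViolation as exc:
        return str(exc)


def direct_call_scenario(caller_roles=("user", "admin")):
    """Outsider calls InternalBean directly; giving InternalBean its own run-as
    does not help, because run-as is not consulted on the way in."""
    internal = Bean("InternalBean", allowed_roles={"InternalUser"}, run_as="InternalUser")
    try:
        invoke([internal], caller_roles)
        return "ok"
    except SecurityViolation as exc:
        return str(exc)


if __name__ == "__main__":
    print("facade without run-as:", facade_scenario(None))
    print("facade run-as InternalUser:", facade_scenario("InternalUser"))
    print("direct call, run-as on target:", direct_call_scenario())
```

The third case in the model is the one to keep in mind when combining `unchecked` with run-as: once the facade runs as InternalUser, every caller who can reach the facade, including one whose login produced no roles at all, reaches everything behind it as InternalUser. The facade's own method permissions are then the only gate, so the "unchecked ... is a start" setting has to be tightened before the application ships.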

Re: [OT] EXTREMELY URGENT: JBoss JAAS/Container Security issue

2003-04-03 Thread Mikael Eriksson
Hello!

Try changing this line in login-config.xml

SELECT user_roles, 
user_group FROM USER_ROLES WHERE USERNAME=?

To

 SELECT user_roles, 'Roles' FROM 
USER_ROLES WHERE USERNAME=?

or change the value of user_group in all rows to "Roles".

My understanding of the second parameter that the rolesquery should return
is that you can somehow categorize users in different ways, but that the default
user/role handling should return "Roles".

It also sounds like you might have misunderstood how the "run-as" identity 
is used. That identity does not affect the callers of a bean or who can call it; it 
says that when the bean tries to access other beans it will do so with the run-as 
identity. This is so you can define beans that only can be called by "internal" 
identities, so that no one can call them directly from the outside.

Regards
/Mikael
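To make the rolesQuery point concrete, here is an added example (not code from the thread or from JBoss) that runs both versions of the query against an in-memory SQLite copy of Mick's role table and groups the rows the way the login module does. The table name USER_ROLES follows the query text in the mail (Mick's own table is called TABLE_USER_ROLES) and the rows are constructed from his description; the grouping rule (column 1 is the role, column 2 the group it goes in, and only the group literally named Roles becomes the caller's roles) is a simplified model of the JBoss 3.x DatabaseServerLoginModule behaviour, not its source.

```python
"""Added example: what DatabaseServerLoginModule's rolesQuery rows turn into.

Not JBoss code. Sample rows are constructed from the thread; the table name
USER_ROLES follows the query text in the mail (Mick's own table was called
TABLE_USER_ROLES). Grouping rule modelled: column 1 = role name, column 2 =
role-group name (default "Roles"); only the "Roles" group is what
isUserInRole() and EJB method permissions are checked against.
"""
import sqlite3
from collections import defaultdict

# The query as Mick had it: the second column is user_group, so each role
# lands in a group named after itself ("user", "admin") and never in "Roles".
ORIGINAL_ROLES_QUERY = "SELECT user_roles, user_group FROM USER_ROLES WHERE USERNAME=?"
# Mikael's fix: return the SQL string literal 'Roles' as the group for every row.
FIXED_ROLES_QUERY = "SELECT user_roles, 'Roles' FROM USER_ROLES WHERE USERNAME=?"


def build_db():
    """In-memory table with the constructed rows from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE USER_ROLES (username TEXT, user_roles TEXT, user_group TEXT);
        INSERT INTO USER_ROLES VALUES ('mick', 'user',  'user');
        INSERT INTO USER_ROLES VALUES ('mick', 'admin', 'admin');
    """)
    return conn


def role_sets(conn, roles_query, username):
    """Group query rows as the login module does: {group_name: {role, ...}}.
    A one-column result, or a NULL second column, is treated as group "Roles".
    The username is bound as a prepared-statement parameter, as the module does."""
    groups = defaultdict(set)
    for row in conn.execute(roles_query, (username,)):
        role = row[0]
        group = row[1] if len(row) > 1 and row[1] is not None else "Roles"
        groups[group].add(role)
    return dict(groups)


def is_user_in_role(groups, role):
    """Container-side check: only the "Roles" group counts."""
    return role in groups.get("Roles", set())


def diagnose(conn, roles_query, username, expected_roles):
    """Return the roles that were queried but ended up outside "Roles",
    i.e. the ones the container will silently ignore."""
    groups = role_sets(conn, roles_query, username)
    granted = groups.get("Roles", set())
    return sorted(r for r in expected_roles if r not in granted)


if __name__ == "__main__":
    conn = build_db()
    for label, q in (("original", ORIGINAL_ROLES_QUERY), ("fixed", FIXED_ROLES_QUERY)):
        g = role_sets(conn, q, "mick")
        print(label, g, "admin?", is_user_in_role(g, "admin"),
              "lost:", diagnose(conn, q, "mick", ["user", "admin"]))
```

Two practical notes. The `'Roles'` in the fixed query is a SQL string literal in single quotes, not a column name; double quotes would be read as an identifier by most databases and the query would fail. And the second column is not useless: the module also recognises a group named `CallerPrincipal`, whose single member replaces the login name as the caller principal, so a `user_group` column is worth keeping if you need that; it just has to say `Roles` for the rows that are meant to be roles.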


---

[OT] EXTREMELY URGENT: JBoss JAAS/Container Security issue

2003-04-02 Thread Mick . Knutson
I apologize for this Off-Topic message, but I desperately need help!

I have been fighting with the JBoss DatabaseServerLoginModule for almost 2 months now 
without success.
I have tried an infinite number of combinations to try to get to a _SIMPLE_ solution 
as outlined by the JBoss manual, the JAAS article in JavaWorld, and hundreds of 
documents and examples from all over the internet.

Well, I just don't have any more time to waste as my deadline is now 48 hours away!
I desperately need help:

1. Find someone to offer some help to resolve this by Friday.
2. Direct me somewhere to find the help I need
3. Tell who would be willing to have me hire them for the help I need.

Here is my current situation:
I am using JBoss 3.0.6 with Catalina on NT 4.0, MySql, XDoclet 1.2, Struts 1.1rc1, JDK 
1.4.
I create a beans.jar, common.jar, app.war and package everything into app.ear. The 
only things that are not in my EAR are the mysql-service.xml, auth.conf, 
login-config.xml, and server.policy which reside in the 
$JBOSS_HOME\server\default\conf and the $JBOSS_HOME\server\default\deploy directories.
I also attached all the above files in a zip file here in this message.

I have the DatabaseServerLoginModule configured and it seems to be operating, but not 
correctly.
When I try to access a page under /private/* I get forwarded to /logon.jsp correctly.

My MySql Database has 2 tables:
TABLE_USER: columns: username, password
TABLE_USER_ROLES: columns: username, user_roles, user_group

TABLE_USER: data: "mick", "mickPassword"
TABLE_USER_ROLES: data1: "mick", "user", "user"
TABLE_USER_ROLES: data2: "mick", "admin", "admin"

I then type in j_username: "mick", j_password: "mickPassword" and click ENTER.
I seem to be logged in successfully as the console shows that I have 3 Principals: 
"mick", "user", "admin" and when I attempt to navigate to pages in the private area 
that do not require EJB access, I continue to see that my Principal is kept 
successfully through each page. So I do _not_ currently have the Principal=null issue.
I do however have a UserPreferenceFilter in which I check if the user is in role "user", 
"admin", or "guest" and all 3 come up as "NO".

Also, when I attempt to access a page that goes to my EJB layer, I get a Security 
violation error that states user must belong to [] role. But I have added a 
"run-as = InternalUser" for all my EJB's so far. But that does not seem to work. When 
I remove the "run-as=InternalUser", I get a Security Violation that states the user 
must belong to the role I specified.

So it seems that my main 2 issues are getting the Roles to stick to the user when they 
login, and the EJB's to be able to use the user Roles, or the "run-as=InternalUser"



-
Thank You 
Mick Knutson 
Sr. Designer - Project Trust 
aUBS AG, Financial - Zürich 
Office: +41 (0)1/234.42.75 
Internal: 48194 
Mobile: 079.726.14.26 
-




Attachment: YourSOS-Security1.ZIP
