Hi all,

I am trying to implement a secured web application in JBoss. I first tried configuring it with LDAP,
but failed. Now I am trying simple authentication based on UsersRolesLoginModule.

a) I have created the users.properties and roles.properties files and kept them in the conf directory.
My roles.properties looks like this:

    NimayaTesterGa=nShareSysAdminRole,nShareConfigAdminRole

My users.properties file looks like this:

    NimayaTesterGa=itq

My login-config.xml looks as below:

    <application-policy name = "testSecurity">
        <!-- A simple server login module, which can be used when the number
        of users is relatively small. It uses two properties files:
        users.properties, which holds users (key) and their password (value).
        roles.properties, which holds users (key) and a comma-separated list of
        their roles (value).
        The unauthenticatedIdentity property defines the name of the principal
        that will be used when a null username and password are presented as is
        the case for an unauthenticated web client or MDB. If you want to
        allow such users to be authenticated add the property, e.g.,
        unauthenticatedIdentity="nobody"
        -->
        <authentication>
            <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                          flag = "required" />
            <module-option name="usersProperties">users.properties</module-option>
            <module-option name="rolesProperties">roles.properties</module-option>
            <module-option name="hashAlgorithm">MD5</module-option>
            <module-option name="hashEncoding">base64</module-option>
            <module-option name="unauthenticatedIdentity">nobody</module-option>
            <module-option name="password-stacking">useFirstPass</module-option>
        </authentication>
    </application-policy>
    </policy>

   

I have changed the jboss.xml and jboss-web.xml to include the security-domain.

The application is getting deployed successfully, but when I try to access the application it is giving the following exception:

            java.lang.SecurityException: Authentication exception, principal=null
             at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173)
             at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:94)
             at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:129)
             at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:300)
             at org.jboss.ejb.Container.invoke(Container.java:730)
             at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:517)
             at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:98)
             at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:102)
             at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:77)
             at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:80)
             at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:198)
             at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:76)
             at $Proxy72.create(Unknown Source)
             at com.nimaya.nshare.nengine.nengineclient.configmanager.configservlet.ConfigServlet.getnEngineConfigServerObject(ConfigServlet.java:170)
             at com.nimaya.nshare.nengine.nengineclient.configmanager.configservlet.ConfigServlet.doGet(ConfigServlet.java:258)
             at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
             at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
             at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
             at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
             at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
             at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
             at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
             at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
             at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:527)
             at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
             at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
             at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
             at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
             at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
             at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
             at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
             at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
             at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
             at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
             at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:469)
             at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
             at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
             at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
             at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
             at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
             at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
             at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1040)
             at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1151)
             at java.lang.Thread.run(Thread.java:484)

 

I am getting the same exception when using Jetty also.

b) There is another problem I am facing while deploying my application in JBoss with Jetty. I am using an applet in my application.

Jetty is throwing problems with regard to the applet. After authenticating, it is throwing up another screen to enter the network password. If I don't give anything, even if I give the correct username and password, it is saying principal=null.

Is it necessary to have a signed applet with regard to Jetty? I have tried modifying the permissions for the applet but am unable to get Jetty to read that.

Strangely, Tomcat is not giving a problem with regard to the applet.

Please help me with my problems.

Awaiting your replies,

Thank You

Dhiraj Ramakrishnan
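
Added example, not part of the original post: a small Python check for the two files quoted above. It flags `module-option` elements that sit beside `login-module` instead of inside it (the posted tag is closed with `/>` before the options), and `users.properties` passwords that are not base64 MD5 digests although `hashAlgorithm`/`hashEncoding` ask for them. The function names and the embedded sample input are constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post: the login-module tag is self-closed,
# so the module-option elements end up as its siblings, not its children.
LOGIN_CONFIG = """<policy><application-policy name="testSecurity"><authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
  <module-option name="usersProperties">users.properties</module-option>
  <module-option name="hashAlgorithm">MD5</module-option>
  <module-option name="hashEncoding">base64</module-option>
</authentication></application-policy></policy>"""
USERS_PROPERTIES = "NimayaTesterGa=itq\n"

B64_MD5 = re.compile(r"^[A-Za-z0-9+/]{22}==$")  # 16-byte digest, base64-encoded


def stored_value(password):
    """Entry users.properties must hold for hashAlgorithm=MD5, hashEncoding=base64."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def lint(config_xml, users_text):
    """Return findings for one login-config.xml / users.properties pair."""
    findings = []
    for auth in ET.fromstring(config_xml).iter("authentication"):
        stray = [o.get("name") for o in auth.findall("module-option")]
        if stray:
            findings.append("module-option outside login-module: " + ", ".join(stray))
        # Read options wherever they sit, to see which hashing the author intended.
        opts = {o.get("name"): (o.text or "").strip() for o in auth.iter("module-option")}
        if opts.get("hashAlgorithm") != "MD5" or opts.get("hashEncoding") != "base64":
            continue
        for line in users_text.splitlines():
            user, sep, value = line.strip().partition("=")
            if sep and not user.startswith("#") and not B64_MD5.match(value):
                findings.append("password for %s is not a base64 MD5 digest" % user)
    return findings


if __name__ == "__main__":
    for finding in lint(LOGIN_CONFIG, USERS_PROPERTIES):
        print(finding)
    print("expected entry: NimayaTesterGa=" + stored_value("itq"))
```

Once the options are nested inside `login-module`, the MD5/base64 settings apply to the module, and the plain-text `itq` entry has to be replaced by the value `stored_value` returns for the login to succeed.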