[jboss-user] [Security & JAAS/JBoss] - Jboss 5 Strange Login Issues with WebAuthenticate

yoblin do-not-reply at jboss.com
Tue Dec 2 17:06:11 EST 2008


I'm porting a login system from JBoss 4 to JBoss 5 and am having a strange issue. When the login credentials are wrong, everything works fine (no exceptions, login fails), but when the login credentials are correct, the user is authenticated fine but then an exception is thrown after the user is authenticated:


  | java.lang.IllegalStateException: Application Policy is null for the security domain:java:jaas/portal-rsa
  | 	at org.jboss.security.plugins.mapping.JBossMappingManager.getMappingContext(JBossMappingManager.java:74)
  | 	at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:391)
  | 	at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:363)
  | 	at org.jboss.security.plugins.JBossAuthorizationManager.getUserRoles(JBossAuthorizationManager.java:215)
  | 	at org.jboss.security.plugins.auth.JaasSecurityManagerBase.getUserRoles(JaasSecurityManagerBase.java:457)
  | 	at org.jboss.security.plugins.JaasSecurityManager.getUserRoles(JaasSecurityManager.java:200)
  | 	at org.jboss.web.tomcat.security.JBossWebRealm.getCachingPrincipal(JBossWebRealm.java:662)
  | 	at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:409)
  | 	at org.jboss.web.tomcat.security.login.WebAuthentication.login(WebAuthentication.java:93)
  | 	at com.prod.portal.mvc.servlet.AuthenticateServlet.doPost(AuthenticateServlet.java:86)
  | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
  | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
  | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  | 	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:630)
  | 	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
  | 	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
  | 	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
  | 	at com.prod.portal.mvc.servlet.PortalLoginServlet.doGet(PortalLoginServlet.java:18)
  | 	at com.prod.portal.mvc.servlet.PortalLoginServlet.doPost(PortalLoginServlet.java:23)
  | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
  | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
  | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  | 

I don't see how the application policy is possibly null, because the whole thing works great when the credentials are wrong, and I can see my login extension getting called.

Below I have the relevant code and config files.



---------------


jboss-web.xml:


  | <jboss-web>
  |   <context-root>prod</context-root>
  |   <security-domain>java:jaas/portal</security-domain>
  | </jboss-web>
  | 

web.xml:


  | 
  | <!-- snip -->
  |     
  | <servlet>
  | 	<servlet-name>AuthenticateServlet</servlet-name>
  | 	<servlet-class>
  | 		com.prod.portal.mvc.servlet.AuthenticateServlet
  | 	</servlet-class>
  | </servlet>
  | 	
  | <servlet-mapping>
  | 	<servlet-name>login-servlet</servlet-name>
  |         <url-pattern>/auth/servlet/login</url-pattern>
  | </servlet-mapping>
  |     
  | <servlet-mapping>
  | 	<servlet-name>AuthenticateServlet</servlet-name>
  | 	<url-pattern>/auth/servlet/AuthenticateServlet</url-pattern>
  | </servlet-mapping>
  | 
  | <session-config>
  |       <session-timeout>30</session-timeout> 
  | </session-config>
  | 	
  | <security-constraint>
  | 	<web-resource-collection>
  | 		<web-resource-name>MVC Application</web-resource-name>
  | 		<url-pattern>/secure/*</url-pattern>
  | 		<url-pattern>/flex/*</url-pattern>
  | 		<http-method>POST</http-method>
  | 		<http-method>GET</http-method>
  | 	</web-resource-collection>
  | 	<auth-constraint>
  | 		<description>
  | 			Only allow Authenticated_users role
  | 		</description>
  | 		<role-name>authenticatedUser</role-name>
  | 	</auth-constraint>
  | </security-constraint>
  | 
  | <security-role>
  | 	<role-name>authenticatedUser</role-name>
  | </security-role>
  | 
  | <login-config>
  | 	<auth-method>FORM</auth-method>
  | 	<form-login-config>
  | 		<form-login-page>/public/login.jsp</form-login-page>
  | 		<form-error-page>/public/login.jsp</form-error-page>
  | 	</form-login-config>
  | </login-config>
  | 
  | <welcome-file-list>
  | 	<welcome-file>auth/servlet/login</welcome-file>
  | </welcome-file-list>
  | 
  | </web-app>
  | 
  | 

LDAP Extension Module:


  | 
  |     @Override
  |     protected void rolesSearch(final InitialLdapContext ctx, final SearchControls constraints, final String user, final String userDN,
  |             final int recursionMax, final int nesting) throws NamingException {
  | 
  |     	_log.debug("in rolesSearch in LDAP extension.");
  |     	
  |         Group[] groups;
  |         try {
  |             groups = getRoleSets();
  |             final SimpleGroup sg = (SimpleGroup) groups[0];
  |             sg.addMember(new SimplePrincipal("authenticatedUser"));
  |         } catch (final LoginException e) {
  |             _log.error("Error");
  |         }
  |     }
  | }
  | 

login-config.xml:


  | <policy>
  |     <application-policy name="portal">
  |         <authentication>
  |             <login-module code="com.prod.portal.security.loginmodule.ProdLdapExtLoginModule" flag="required">
  | 		<!-- MODULE OPTIONS SNIPPED -->
  |             </login-module>
  |         </authentication>
  |     </application-policy>
  | </policy>
  | 

Authenticate Servlet:


  |     @Override
  |     public void doPost(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException {
  |         
  |         String view = null;
  |         
  |         final String uid = request.getParameter("username");
  |         final String password = request.getParameter("password");
  |         
  |         if (uid == null && password == null && token == null) {
  | 	    view = "/public/login.jsp";
  |         } else {
  |             
  |             WebAuthentication pwl = new WebAuthentication();
  |             
  |             pwl.login(uid, password);
  |                    
  |             if(request.getUserPrincipal() == null || !(request.isUserInRole("authenticatedUser"))) {
  |                 view = "/public/login.jsp";
  |             } else {
  |                 view = "/secure/main.html";
  |                 
  |                 if (! (onUserLogon(request.getSession(), request))) {
  |                     // Error logging in
  |                     view = "/public/login.jsp";
  |                 }
  |             }
  |         }
  | 
  |         final RequestDispatcher rd = request.getSession().getServletContext().getRequestDispatcher(view);
  |         rd.forward(request, response);       
  |     }
  | 


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4193885#4193885

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4193885
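
The exception in the post names the security domain java:jaas/portal-rsa, while the posted jboss-web.xml and login-config.xml both use portal. The check below is an added example, not part of the original post: it lists every requested security domain that has no matching application-policy. The function names are illustrative and the inputs are constructed from the post's snippets.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs, reduced from the snippets in the post.
JBOSS_WEB_XML = """<jboss-web>
  <context-root>prod</context-root>
  <security-domain>java:jaas/portal</security-domain>
</jboss-web>"""
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="portal">
    <authentication/>  <!-- login-module snipped -->
  </application-policy>
</policy>"""
EXCEPTION_LINE = ("java.lang.IllegalStateException: Application Policy is null "
                  "for the security domain:java:jaas/portal-rsa")

JNDI_PREFIX = re.compile(r"^java:/?jaas/")

def short_name(domain):
    """Strip the java:jaas/ (or java:/jaas/) JNDI prefix from a domain name."""
    return JNDI_PREFIX.sub("", domain.strip())

def declared_policies(login_config_xml):
    """Names of every <application-policy> in a login-config.xml document."""
    root = ET.fromstring(login_config_xml)
    return {p.get("name") for p in root.iter("application-policy")}

def web_domain(jboss_web_xml):
    """Security domain a web application requests in jboss-web.xml."""
    return short_name(ET.fromstring(jboss_web_xml).findtext("security-domain", ""))

def domain_in_exception(line):
    """Security domain named in an 'Application Policy is null' message."""
    m = re.search(r"security domain:\s*(\S+)", line)
    return short_name(m.group(1)) if m else None

def undeclared(domains, login_config_xml):
    """Requested domains that have no matching application-policy."""
    policies = declared_policies(login_config_xml)
    return sorted(d for d in set(domains) if d and d not in policies)

if __name__ == "__main__":
    wanted = [web_domain(JBOSS_WEB_XML), domain_in_exception(EXCEPTION_LINE)]
    print("no application-policy for:", undeclared(wanted, LOGIN_CONFIG_XML))
```

Run against the real deployment descriptors and the server's full login-config.xml, an empty result means every domain the applications and the log refer to has a policy defined.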


