<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
        <table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                <tbody>
                        <tr>
                                <td>
                                        <table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                                                <tbody>
                                                        <tr>
                                                                <td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
                                                                        <h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
                                                                        <a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
                                                                </td>
                                                        </tr>
                                                        <tr>
                                                                <td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
java.lang.SecurityException: Unauthenticated caller:null when encrypting datasource passwords in AS 5.0.1GA
</h3>
<span style="margin-bottom: 10px;">
created by <a href="https://community.jboss.org/people/mattdarwin">Matt Darwin</a> in <i>Datasource Configuration</i> - <a href="https://community.jboss.org/message/723433#723433">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>I'm trying to encrypt my database password using a JBOSS security domain.  I've followed the instructions in the documentation and it all seems pretty simple.  I'm using jboss 5.0.1GA.  It was working fine before I tried to set up password encryption.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The datasource is defined in oracle-ds.xml as follows:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><code><span class="tag"><datasources></span><span class="pln"><br/>  </span><span class="tag"><local-tx-datasource></span><span class="pln"><br/>    </span><span class="tag"><jndi-name></span><span class="pln">OracleDS</span><span class="tag"></jndi-name></span><span class="pln"><br/>    </span><span class="tag"><connection-url></span><span class="pln">jdbc:oracle:thin:@dbhost:1521:db</span><span class="tag"></connection-url></span><span class="pln"><br/>    </span><span class="tag"><driver-class></span><span class="pln">oracle.jdbc.driver.OracleDriver</span><span class="tag"></driver-class></span><span class="pln"><br/>    </span><span class="com"><!-- app works fine when you use unencrypted password like this<br/>    <user-name>username</user-name><br/>    <password>unencrypted_pass</password><br/>    --></span><span class="pln"><br/>    </span><span class="com"><!-- Use the security domain defined in conf/login-config.xml for username and encrypted password--></span><span class="pln"><br/>    </span><span class="tag"><security-domain></span><span class="pln">Encrypt-my-Password</span><span class="tag"></security-domain></span><span class="pln"><br/>....etc</span></code><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p></p><p>The login-config.xml file contains this entry:</p><pre class="default prettyprint"><code><span class="pln">   </span><span class="tag"><application-policy</span><span class="pln"> </span><span class="atn">name</span><span class="pun">=</span><span 
class="atv">"Encrypt-my-Password"</span><span class="tag">></span><span class="pln"><br/>                </span><span class="tag"><authentication></span><span class="pln"><br/>                    </span><span class="tag"><login-module</span><span class="pln"><br/>                            </span><span class="atn">code</span><span class="pun">=</span><span class="atv">"</span></code><span style="font-family: courier new,courier;">org.jboss.resource.security.SecureIdentityLoginModule</span><code><span class="atv">"</span><span class="pln"><br/>                            </span><span class="atn">flag</span><span class="pun">=</span><span class="atv">"required"</span><span class="tag">></span><span class="pln"><br/>                            </span><span class="tag"><module-option</span><span class="pln"> </span><span class="atn">name</span><span class="pun">=</span><span class="atv">"username"</span><span class="tag">></span><span class="pln">databaseUsername</span><span class="tag"></module-option></span><span class="pln"><br/>                            </span><span class="tag"><module-option</span><span class="pln"> </span><span class="atn">name</span><span class="pun">=</span><span class="atv">"password"</span><span class="tag">></span><span class="pln">232487h4873hf4</span><span class="tag"></module-option></span><span class="pln"><br/>                            </span><span class="tag"><module-option</span><span class="pln"> </span><span class="atn">name</span><span class="pun">=</span><span class="atv">"managedConnectionFactoryName"</span><span class="tag">></span><span class="pln">jboss.jca:service=LocalTxCM,name=OracleDS</span><span class="tag"></module-option></span><span class="pln"><br/>                    </span><span class="tag"></login-module></span><span class="pln"><br/>            </span><span class="tag"></authentication></span><span class="pln"><br/>    </span><span class="tag"></application-policy></span><span 
class="pln"><br/></span></code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>As soon as I started using this config the application throws an exception as follows when you try to access the datasource:</p><pre class="jive-pre">java.lang.SecurityException: Unauthenticated caller:null<br/>    org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:92)<br/>    org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:687)<br/>    org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:495)<br/>    org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:941)<br/>    org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:89)<br/>    org.hibernate.connection.DatasourceConnectionProvider.getConnection(DatasourceConnectionProvider.java:92)<br/>    org.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:111)<br/>    org.hibernate.cfg.Configuration.buildSettings(Configuration.java:2101)<br/>    org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1325)<br/>    org.hibernate.cfg.AnnotationConfiguration.buildSessionFactory(AnnotationConfiguration.java:867)<br/>    org.hibernate.ejb.Ejb3Configuration.buildEntityManagerFactory(Ejb3Configuration.java:669)<br/>    org.hibernate.ejb.HibernatePersistence.createEntityManagerFactory(HibernatePersistence.java:126)<br/>    javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:52)<br/>    javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:34)<br/>    com.mycompany.er.batch.data.DbHelper.createEntityManager(DbHelper.java:30)<br/>    com.mycompany.er.batch.data.DbHelper.createAndBegin(DbHelper.java:49)<br/>    
com.mycompany.er.basman.HibernateTransactionFilter.doFilter(HibernateTransactionFilter.java:53)<br/>    org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)<br/></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><table><tbody><tr><td class="votecell" style=";">  </td><td class="postcell" style=";"><p class="post-text" style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I'm trying to encrypt my database password using a JBOSS security domain.</p><p>The datasource is defined in oracle-ds.xml as follows:</p><pre class="default prettyprint"><code><span class="tag"><datasources></span><span class="pln"><br/>  </span><span class="tag"><local-tx-datasource></span><span class="pln"><br/>    </span><span class="tag"><jndi-name></span><span class="pln">OracleDS</span><span class="tag"></jndi-name></span><span class="pln"><br/>    </span><span class="tag"><connection-url></span><span class="pln">jdbc:oracle:thin:@dbhost:1521:db</span><span class="tag"></connection-url></span><span class="pln"><br/>    </span><span class="tag"><driver-class></span><span class="pln">oracle.jdbc.driver.OracleDriver</span><span class="tag"></driver-class></span><span class="pln"><br/>    </span><span class="com"><!-- app works fine when you use unencrypted password like this<br/>    <user-name>username</user-name><br/>    <password>unencrypted_pass</password><br/>    --></span><span class="pln"><br/>    </span><span class="com"><!-- Use the security domain defined in conf/login-config.xml for username and encrypted password--></span><span class="pln"><br/>    </span><span class="tag"><security-domain></span><span class="pln">Encrypt-my-Password</span><span class="tag"></security-domain></span><span class="pln"><br/>....etc<br/></span></code></pre><p>The login-config.xml file contains this entry:</p><pre class="default prettyprint"><code><span class="pln">   </span><span class="tag"><application-policy</span><span class="pln"> </span><span 
class="atn">name</span><span class="pun">=</span><span class="atv">"Encrypt-my-Password"</span><span class="tag">></span><span class="pln"><br/>                </span><span class="tag"><authentication></span><span class="pln"><br/>                    </span><span class="tag"><login-module</span><span class="pln"><br/>                            </span><span class="atn">code</span><span class="pun">=</span><span class="atv">"com.mycompany.global.er.util.ErSecureIdentityLoginModule"</span><span class="pln"><br/>                            </span><span class="atn">flag</span><span class="pun">=</span><span class="atv">"required"</span><span class="tag">></span><span class="pln"><br/>                            </span><span class="tag"><module-option</span><span class="pln"> </span><span class="atn">name</span><span class="pun">=</span><span class="atv">"username"</span><span class="tag">></span><span class="pln">databaseUsername</span><span class="tag"></module-option></span><span class="pln"><br/>                            </span><span class="tag"><module-option</span><span class="pln"> </span><span class="atn">name</span><span class="pun">=</span><span class="atv">"password"</span><span class="tag">></span><span class="pln">232487h4873hf4</span><span class="tag"></module-option></span><span class="pln"><br/>                            </span><span class="tag"><module-option</span><span class="pln"> </span><span class="atn">name</span><span class="pun">=</span><span class="atv">"managedConnectionFactoryName"</span><span class="tag">></span><span class="pln">jboss.jca:service=LocalTxCM,name=OracleDS</span><span class="tag"></module-option></span><span class="pln"><br/>                    </span><span class="tag"></login-module></span><span class="pln"><br/>            </span><span class="tag"></authentication></span><span class="pln"><br/>    </span><span class="tag"></application-policy></span><span class="pln"><br/></span></code></pre><p>NB the 
ErSecureIdentityLoginModule is a class already used to encrypt / decrypt DB passwords in another application, where it works fine.</p><p>As soon as I started using this config the application throws an exception as follows when you try to access the datasource:</p><pre class="jive-pre">java.lang.SecurityException: Unauthenticated caller:null<br/>    org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:92)<br/>    org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:687)<br/>    org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:495)<br/>    org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:941)<br/>    org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:89)<br/>    org.hibernate.connection.DatasourceConnectionProvider.getConnection(DatasourceConnectionProvider.java:92)<br/>    org.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:111)<br/>    org.hibernate.cfg.Configuration.buildSettings(Configuration.java:2101)<br/>    org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1325)<br/>    org.hibernate.cfg.AnnotationConfiguration.buildSessionFactory(AnnotationConfiguration.java:867)<br/>    org.hibernate.ejb.Ejb3Configuration.buildEntityManagerFactory(Ejb3Configuration.java:669)<br/>    org.hibernate.ejb.HibernatePersistence.createEntityManagerFactory(HibernatePersistence.java:126)<br/>    javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:52)<br/>    javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:34)<br/>    com.mycompany.er.batch.data.DbHelper.createEntityManager(DbHelper.java:30)<br/>    com.mycompany.er.batch.data.DbHelper.createAndBegin(DbHelper.java:49)<br/>    
com.mycompany.er.basman.HibernateTransactionFilter.doFilter(HibernateTransactionFilter.java:53)<br/>    org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)<br/></pre><p>I downloaded the source code for jboss 5.0.1GA and debugged with TRACE enabled.  There is an interesting stack trace produced:</p><pre class="jive-pre">2012-03-12 18-13-40:Login failure<br/>javax.security.auth.login.LoginException: java.lang.NullPointerException<br/>        at org.jboss.resource.security.SubjectActions$AddPrincipalsAction.run(SubjectActions.java:101)<br/>        at java.security.AccessController.doPrivileged(Native Method)<br/>        at org.jboss.resource.security.SubjectActions.addPrincipals(SubjectActions.java:139)<br/>        at org.jboss.resource.security.ConfiguredIdentityLoginModule.login(ConfiguredIdentityLoginModule.java:98)<br/>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br/>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)<br/>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)<br/>        at java.lang.reflect.Method.invoke(Method.java:597)<br/>        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)<br/>        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)<br/>        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)<br/>        at java.security.AccessController.doPrivileged(Native Method)<br/>        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)<br/>        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)<br/>        at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)<br/>        at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)<br/>        at 
org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)<br/>        at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)<br/>        at org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:90)<br/><br/></pre><p>The NullPointerException refers to this line of code in org.jboss.resource.security.SubjectActions:</p><pre class="jive-pre"><br/>      static class AddPrincipalsAction implements PrivilegedAction<br/>       {<br/>          Subject subject;<br/>          Principal p;<br/>          AddPrincipalsAction(Subject subject, Principal p)<br/>          {<br/>             this.subject = subject;<br/>             this.p = p;<br/>          }<br/>          public Object run()<br/>          {<br/>             subject.getPrincipals().add(p);<br/>             return null;<br/>          }<br/>       }<br/><br/></pre><p>However this doesn't help much, and I can't understand what I'm doing wrong. Help!</p></td></tr></tbody></table></div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>