[PicketBox Development] - Re: LoginModule defined with cached=true, but called between web and ejb container
3:10 a.m.
Patrick Garner [https://community.jboss.org/people/pgarner] created the discussion
"Re: LoginModule defined with cached=true, but called between web and ejb
container"
To view the discussion, visit: https://community.jboss.org/message/773387#773387
--------------------------------------------------------------
Immediately after updating an application user's password in the database, JBoss
throws javax.ejb.EJBAccessException: JBAS013323: Invalid User. It appears that JBoss
security attempts to reauthenticate the principal with every method invocation between web
and ejb container, which fails because the principal's password has become stale. I
was surprised to see the UsernamePasswordLoginModule trying to login again, with the
resulting "Password invalid/Password required" error. I'm using
7.2.0.Alpha-1-SNAPSHOT. Shouldn't this problem have been resolved (
https://issues.jboss.org/browse/AS7-3498 AS7-3498)?
00:25:35,521 ERROR [org.jboss.security] (http-/127.0.0.1:8443-2)
PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070:
Password invalid/Password required
at
org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
[picketbox-4.0.13.Final.jar:4.0.13.Final]
at sun.reflect.GeneratedMethodAccessor590.invoke(Unknown Source) [:1.7.0_07]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.7.0_07]
at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_07]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
[rt.jar:1.7.0_07]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
[rt.jar:1.7.0_07]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
[rt.jar:1.7.0_07]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
[rt.jar:1.7.0_07]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_07]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
[rt.jar:1.7.0_07]
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
[rt.jar:1.7.0_07]
at
org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408)
[picketbox-infinispan-4.0.13.Final.jar:4.0.13.Final]
at
org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
[picketbox-infinispan-4.0.13.Final.jar:4.0.13.Final]
at
org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
[picketbox-infinispan-4.0.13.Final.jar:4.0.13.Final]
at
org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
[picketbox-infinispan-4.0.13.Final.jar:4.0.13.Final]
at
org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:354)
[jboss-as-security-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
org.jboss.as.security.service.SimpleSecurityManager.push(SimpleSecurityManager.java:292)
[jboss-as-security-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)
[jboss-as-ejb3-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:45)
[jboss-as-ejb3-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_07]
at
org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:74)
[jboss-as-ejb3-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:42)
[jboss-as-ejb3-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59)
[jboss-as-ejb3-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
[jboss-as-ee-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)
[jboss-as-ee-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165)
[jboss-as-ee-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
[jboss-as-ee-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72)
[jboss-as-ee-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at com.patrac.service.LoginHistoryService$$$view94.create(Unknown Source)
[Patrac-ejb.jar:]
at
com.patrac.controller.SessionManager.createLoginHistoryRecord(SessionManager.java:163)
[classes:]
at
com.patrac.controller.SessionManager.endOfSessionHouseKeeping(SessionManager.java:130)
[classes:]
at com.patrac.controller.SessionManager.logout(SessionManager.java:87) [classes:]
at com.patrac.controller.SessionManager.changePassword(SessionManager.java:236)
[classes:]
at
com.patrac.controller.SessionManager$Proxy$_$$_WeldClientProxy.changePassword(SessionManager$Proxy$_$$_WeldClientProxy.java)
[classes:]
at
com.patrac.controller.backingbean.ChangePasswordBean.updateUserPasswordInSession(ChangePasswordBean.java:44)
[classes:]
at
com.patrac.controller.statemachine.effect.ChangePasswordEffect.performAction(ChangePasswordEffect.java:21)
[Patrac-ejb.jar:]
at
com.patrac.controller.statemachine.effect.ChangePasswordEffect.performAction(ChangePasswordEffect.java:10)
[Patrac-ejb.jar:]
at com.patrac.controller.statemachine.transition.Transition.fire(Transition.java:60)
[Patrac-ejb.jar:]
at
com.patrac.controller.statemachine.transition.GoToWorkflowTransition.fire(GoToWorkflowTransition.java:49)
[Patrac-ejb.jar:]
at
com.patrac.controller.statemachine.workflow.ChangePasswordWorkflow$1.evaluate(ChangePasswordWorkflow.java:62)
[Patrac-ejb.jar:]
at
com.patrac.controller.statemachine.workflow.ChangePasswordWorkflow$1.evaluate(ChangePasswordWorkflow.java:56)
[Patrac-ejb.jar:]
at com.patrac.controller.statemachine.event.Event.trigger(Event.java:85)
[Patrac-ejb.jar:]
at com.patrac.controller.backingbean.BackingBean.dispatch(BackingBean.java:68)
[classes:]
at
com.patrac.controller.backingbean.ChangePasswordBean$Proxy$_$$_WeldClientProxy.dispatch(ChangePasswordBean$Proxy$_$$_WeldClientProxy.java)
[classes:]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_07]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
[rt.jar:1.7.0_07]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.7.0_07]
at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_07]
at org.apache.el.parser.AstValue.invoke(AstValue.java:264)
[jbossweb-7.0.17.Final.jar:]
at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:278)
[jbossweb-7.0.17.Final.jar:]
at
org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:39)
[weld-core-1.1.9.Final.jar:2012-08-06 19:12]
at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50)
[weld-core-1.1.9.Final.jar:2012-08-06 19:12]
at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105)
[jsf-impl-2.1.13-jbossorg-1.jar:]
at
javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
[jboss-jsf-api_2.1_spec-2.0.6.Final.jar:2.0.6.Final]
at
com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:101)
[jsf-impl-2.1.13-jbossorg-1.jar:]
at javax.faces.component.UICommand.broadcast(UICommand.java:315)
[jboss-jsf-api_2.1_spec-2.0.6.Final.jar:2.0.6.Final]
at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:794)
[jboss-jsf-api_2.1_spec-2.0.6.Final.jar:2.0.6.Final]
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1259)
[jboss-jsf-api_2.1_spec-2.0.6.Final.jar:2.0.6.Final]
at
com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81)
[jsf-impl-2.1.13-jbossorg-1.jar:]
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
[jsf-impl-2.1.13-jbossorg-1.jar:]
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
[jsf-impl-2.1.13-jbossorg-1.jar:]
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:593)
[jboss-jsf-api_2.1_spec-2.0.6.Final.jar:2.0.6.Final]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
[jbossweb-7.0.17.Final.jar:]
at
org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62)
[weld-core-1.1.9.Final.jar:2012-08-06 19:12]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
[jbossweb-7.0.17.Final.jar:]
at com.patrac.filter.NoCacheFilter.doFilter(NoCacheFilter.java:46) [classes:]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:489)
[jbossweb-7.0.17.Final.jar:]
at
org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
[jboss-as-jpa-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
[jboss-as-jpa-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:165)
[jboss-as-web-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.17.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.17.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.17.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:372)
[jbossweb-7.0.17.Final.jar:]
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:897)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:634)
[jbossweb-7.0.17.Final.jar:]
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2039)
[jbossweb-7.0.17.Final.jar:]
at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_07]
00:25:35,566 ERROR [org.jboss.security] (http-/127.0.0.1:8443-2) PBOX000206: Login
failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password
invalid/Password required
at
org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:283)
[picketbox-4.0.13.Final.jar:4.0.13.Final]
at sun.reflect.GeneratedMethodAccessor590.invoke(Unknown Source) [:1.7.0_07]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.7.0_07]
at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_07]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
[rt.jar:1.7.0_07]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
[rt.jar:1.7.0_07]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
[rt.jar:1.7.0_07]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
[rt.jar:1.7.0_07]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_07]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
[rt.jar:1.7.0_07]
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
[rt.jar:1.7.0_07]
at
org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408)
[picketbox-infinispan-4.0.13.Final.jar:4.0.13.Final]
at
org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
[picketbox-infinispan-4.0.13.Final.jar:4.0.13.Final]
at
org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
[picketbox-infinispan-4.0.13.Final.jar:4.0.13.Final]
at
org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
[picketbox-infinispan-4.0.13.Final.jar:4.0.13.Final]
at
org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:354)
[jboss-as-security-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
org.jboss.as.security.service.SimpleSecurityManager.push(SimpleSecurityManager.java:292)
[jboss-as-security-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)
[jboss-as-ejb3-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:45)
[jboss-as-ejb3-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_07]
at
org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:74)
[jboss-as-ejb3-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:42)
[jboss-as-ejb3-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59)
[jboss-as-ejb3-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
[jboss-as-ee-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)
[jboss-as-ee-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165)
[jboss-as-ee-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
[jboss-as-ee-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.as.ejb3.component.stateful.StatefulComponentIdInterceptor.processInvocation(StatefulComponentIdInterceptor.java:52)
[jboss-as-ejb3-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
[jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at
org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72)
[jboss-as-ee-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
com.patrac.controller.statemachine.screen.ChangePasswordScreen$$$view77.findLeafStateAndExitUpward(Unknown
Source) [Patrac-ejb.jar:]
at
com.patrac.controller.statemachine.transition.Transition.exitSource(Transition.java:90)
[Patrac-ejb.jar:]
at com.patrac.controller.statemachine.transition.Transition.fire(Transition.java:62)
[Patrac-ejb.jar:]
at
com.patrac.controller.statemachine.transition.GoToWorkflowTransition.fire(GoToWorkflowTransition.java:49)
[Patrac-ejb.jar:]
at
com.patrac.controller.statemachine.workflow.ChangePasswordWorkflow$1.evaluate(ChangePasswordWorkflow.java:62)
[Patrac-ejb.jar:]
at
com.patrac.controller.statemachine.workflow.ChangePasswordWorkflow$1.evaluate(ChangePasswordWorkflow.java:56)
[Patrac-ejb.jar:]
at com.patrac.controller.statemachine.event.Event.trigger(Event.java:85)
[Patrac-ejb.jar:]
at com.patrac.controller.backingbean.BackingBean.dispatch(BackingBean.java:68)
[classes:]
at
com.patrac.controller.backingbean.ChangePasswordBean$Proxy$_$$_WeldClientProxy.dispatch(ChangePasswordBean$Proxy$_$$_WeldClientProxy.java)
[classes:]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_07]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
[rt.jar:1.7.0_07]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.7.0_07]
at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_07]
at org.apache.el.parser.AstValue.invoke(AstValue.java:264)
[jbossweb-7.0.17.Final.jar:]
at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:278)
[jbossweb-7.0.17.Final.jar:]
at
org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:39)
[weld-core-1.1.9.Final.jar:2012-08-06 19:12]
at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50)
[weld-core-1.1.9.Final.jar:2012-08-06 19:12]
at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105)
[jsf-impl-2.1.13-jbossorg-1.jar:]
at
javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
[jboss-jsf-api_2.1_spec-2.0.6.Final.jar:2.0.6.Final]
at
com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:101)
[jsf-impl-2.1.13-jbossorg-1.jar:]
at javax.faces.component.UICommand.broadcast(UICommand.java:315)
[jboss-jsf-api_2.1_spec-2.0.6.Final.jar:2.0.6.Final]
at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:794)
[jboss-jsf-api_2.1_spec-2.0.6.Final.jar:2.0.6.Final]
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1259)
[jboss-jsf-api_2.1_spec-2.0.6.Final.jar:2.0.6.Final]
at
com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81)
[jsf-impl-2.1.13-jbossorg-1.jar:]
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
[jsf-impl-2.1.13-jbossorg-1.jar:]
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
[jsf-impl-2.1.13-jbossorg-1.jar:]
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:593)
[jboss-jsf-api_2.1_spec-2.0.6.Final.jar:2.0.6.Final]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
[jbossweb-7.0.17.Final.jar:]
at
org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62)
[weld-core-1.1.9.Final.jar:2012-08-06 19:12]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
[jbossweb-7.0.17.Final.jar:]
at com.patrac.filter.NoCacheFilter.doFilter(NoCacheFilter.java:46) [classes:]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:489)
[jbossweb-7.0.17.Final.jar:]
at
org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
[jboss-as-jpa-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
[jboss-as-jpa-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:165)
[jboss-as-web-7.2.0.Alpha1-SNAPSHOT.jar:7.2.0.Alpha1-SNAPSHOT]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
[jbossweb-7.0.17.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[jbossweb-7.0.17.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[jbossweb-7.0.17.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:372)
[jbossweb-7.0.17.Final.jar:]
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:897)
[jbossweb-7.0.17.Final.jar:]
at
org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:634)
[jbossweb-7.0.17.Final.jar:]
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2039)
[jbossweb-7.0.17.Final.jar:]
at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_07]
| | <subsystem xmlns="urn:jboss:domain:security:1.2"> |
| | <security-domains> |
| | <security-domain name="PatracSecurityDomain"
cache-type="default"> |
| | <authentication> |
| | <login-module
code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag="required"> |
| | <module-option name="dsJndiName"
value="java:/postgresdb"/> |
| | <module-option name="principalsQuery"
value="SELECT userpassword FROM applicationuser WHERE email=?"/> |
| | <module-option name="rolesQuery"
value="SELECT r.name, 'Roles' FROM USER_ROLE ur JOIN APPLICATIONUSER u ON
ur.userid=u.id JOIN ROLE r ON ur.roleid=r.id where u.email=?"/> |
| | </login-module> |
| | </authentication> |
| | </security-domain> |
| | <security-domain name="jboss-web-policy"
cache-type="default"> |
| | <authorization> |
| | <policy-module code="Delegating"
flag="required"/> |
| | </authorization> |
| | </security-domain> |
| | <security-domain name="jboss-ejb-policy"
cache-type="default"> |
| | <authorization> |
| | <policy-module code="Delegating"
flag="required"/> |
| | </authorization> |
| | </security-domain> |
| | </security-domains> |
| | </subsystem> |
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/773387#773387]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
2:47 p.m.
Stefan Guilhen [https://community.jboss.org/people/sguilhen] created the discussion
"Re: LoginModule defined with cached=true, but called between web and ejb
container"
To view the discussion, visit: https://community.jboss.org/message/775204#775204
--------------------------------------------------------------
This shouldn't be happening. I'll setup a sample app here to see if I can
reproduce what you're seeing.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/775204#775204]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
3:53 p.m.
Patrick Garner [https://community.jboss.org/people/pgarner] created the discussion
"Re: LoginModule defined with cached=true, but called between web and ejb
container"
To view the discussion, visit: https://community.jboss.org/message/775210#775210
--------------------------------------------------------------
I think the problem is that SessionManager#logout (which programmatically logs out the
user e.g. HttpServletRequest#logout)) is invoked before invoking
LoginHistoryService#create. SessionManager is a CDI bean and LoginHistoryService is
SLSB. I think the "Invalid User" is a result of logout removing the principal
prior to invoking create on the SLSB.
I'm looking into it, but want to let you know now what I think the problem is before
you waste time on this.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/775210#775210]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
4:02 p.m.
Patrick Garner [https://community.jboss.org/people/pgarner] created the discussion
"Re: LoginModule defined with cached=true, but called between web and ejb
container"
To view the discussion, visit: https://community.jboss.org/message/775212#775212
--------------------------------------------------------------
Sure enough, invoking LoginHistoryService#create before HttpServletRequest#logout solved
the problem. Sorry! I should have caught that! My fault for looking at code through
blurry eyes at 4 AM.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/775212#775212]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
8:30 a.m.
Stefan Guilhen [https://community.jboss.org/people/sguilhen] created the discussion
"Re: LoginModule defined with cached=true, but called between web and ejb
container"
To view the discussion, visit: https://community.jboss.org/message/775358#775358
--------------------------------------------------------------
Heh, that's fine! :)
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/775358#775358]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
9:07 a.m.
Anil Saldhana [https://community.jboss.org/people/anil.saldhana] created the discussion
"Re: LoginModule defined with cached=true, but called between web and ejb
container"
To view the discussion, visit: https://community.jboss.org/message/775368#775368
--------------------------------------------------------------
Patrick Garner wrote:
Sure enough, invoking LoginHistoryService#create before HttpServletRequest#logout solved
the problem. Sorry! I should have caught that! My fault for looking at code through
blurry eyes at 4 AM.
Hey Patrick. :)
Glad things worked out. You had us worried.
Patrick, you should atone by helping the community by creating some kind of a quickstarter
app (web,ejb) etc and show that this problem does not exist. Maybe a wiki article?
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/775368#775368]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
9:36 a.m.
Patrick Garner [https://community.jboss.org/people/pgarner] created the discussion
"Re: LoginModule defined with cached=true, but called between web and ejb
container"
To view the discussion, visit: https://community.jboss.org/message/775377#775377
--------------------------------------------------------------
Where should the wiki article go? Community > Picketbox?
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/775377#775377]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
10:42 a.m.
Anil Saldhana [https://community.jboss.org/people/anil.saldhana] created the discussion
"Re: LoginModule defined with cached=true, but called between web and ejb
container"
To view the discussion, visit: https://community.jboss.org/message/775400#775400
--------------------------------------------------------------
Patrick Garner wrote:
Where should the wiki article go? Community > Picketbox?
You can put it
anywhere you want. Like AS7 or PicketBox user areas. We can link from other places.
I absolutely love the community participation. We (users, JBoss devs) b$tch and complain
when things don't work. Then we solve it. Then we create wiki articles or quickstarts.
And the world is a better place.
(Anil shuts up his philosophy now). :)
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/775400#775400]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
7:16 p.m.
Patrick Garner [https://community.jboss.org/people/pgarner] created the discussion
"Re: LoginModule defined with cached=true, but called between web and ejb
container"
To view the discussion, visit: https://community.jboss.org/message/776126#776126
--------------------------------------------------------------
Okay I've put together a quickstart app, but I'm still confused about something.
If a method of a managed bean invokes HttpServletRequest#logout and HttpSession#invalidate
and attempts to invoke a method on a secure EJB, this should be forbidden by JBoss
security. Is this true?
Because what I'm observing is that JBoss security only forbids such method invocation
if the user's password has been changed in the underlying data source during the
user's session. As long as the user's password has not been changed the secure
method can be invoked after the principal has been removed and after the session has been
destroyed.
Check out the attached application.
1. Make a browser request against localhost/Foobar. You will be redirected to
index.xhtml.
2. Login
3. If login is successful, you will be served loggedIn.xhtml, a facelet that allows you
to change the password or log out. If you change the password loggedIn.xhtml is
reloaded.
4. Re-enter the password that you logged in with and click +Submit New Password+.
5. Click +Logout Failure+, which programmatically logs you out and ends the session prior
to looking up LoginHistoryService and invoking LoginHistoryService#create.
6. Notice that no error occurred. LoginHistoryService EJB, which is protected by
@RolesAllowed("SYSTEM_ADMINISTRATOR"), was looked up and
LoginHistoryService#create was invoked +after+ programmatic logout.
7. Repeat steps 2 - 5 except on step 4 enter a different password. Notice that in step 6
an error occurs, EJBAccessException: JBAS013323: Invalid User. In the stack trace note
the following:
PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070:
Password invalid/Password required
In both scenarios, above, the password was changed in the underlying database during the
user's session. Only difference being that in one case the password was identical to
the login password and in the other case the password was changed to a different
password. In both cases HttpServletRequest#logout and HttpSession#invalidate were invoked
+prior+ to invoking LoginHistoryService#create.
8. Repeat steps 2 - 7 except on step 5 click +Logout Success+ instead of +Logout
Failure+. The only difference between +Logout Failure+ and +Logout Success+ is that
LoginHistory#create is invoked prior to HttpServletRequest#logout and
HttpSession#invalidate. What step 8 demonstrates is that JBoss Security behaves as
expected when LoginHistoryService#create is invoked prior to removing the principal and
destroying the session.
It seems that in the above scenarios JBoss Security should not attempt to authenticate the
user after HttpServletRequest#logout is invoked. Instead of attempting to authenticate it
should be attempting to authorize, and if the principal has been removed the error should
come back as follows:
javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void
com.foobar.service.LoginHistoryService.create(com.foobar.model.LoginHistory) of bean:
LoginHistoryService is not allowed
instead of the FailedLoginException.
I will finish my wiki article and post it with the quickstart after this confusion is
resolved.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/776126#776126]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
12:39 p.m.
Stefan Guilhen [https://community.jboss.org/people/sguilhen] created the discussion
"Re: LoginModule defined with cached=true, but called between web and ejb
container"
To view the discussion, visit: https://community.jboss.org/message/777792#777792
--------------------------------------------------------------
I believe the problem here is that you need to programmatically login with the new
credentials so that the underlying security context can be updated. When you login (step
2) a security context is established in the web layer. This context contains the
authenticated principal/password and is propagated to the EJB container when calling EJBs.
It is established once the call is served by a thread and is cleaned up after the thread
returns.
In your example, you are invalidating the session and calling the EJB as part of the same
method, so this is what happens:
1- context is established using the principal/password associated with the session, lets
say userA/passA.
2- session.invalidate() is called, causing the security cache to purge the entry that
corresponds to userA.
3- you call the LoginHistoryService EJB. The WEB layer will use the established security
context to propagate the identity/password to the EJB container. As there is no cache
entry for userA, a new authentication will take place and the DBLoginModule will be
called.
3a - if you changed the DB password to the same password (passA), then the
authentication will succeed as the exisiting context will propagate the userA/passA pair
and this will match the values found in the DB.
3b - if you changed the password to a different password, then the authentication will
fail because the existing context will propagate the userA/passA pair and the DB will have
a different value for the password.
This is why you see no error in the first case and a login failure in the second.
When you call loginSuccess, you successfully invoke the EJB because the security cache is
still active and the security context that was established in the web layer still reflect
the correct username and password pair that exists in the DB. So when the invocation
reaches the EJB container, the security cache is hit and the user is authenticated. Note
that there's no way to escape authentication in the EJB container as all EJB calls are
required to be authenticated by the EJB specification. Finally, you invalidate the session
and return, so the existing security context is removed and when the client (browser)
attempts to call a protected resource he should be redirected to the login page as the
session has been terminated.
I believe you can get around the error in the first scenario by calling
request.login(username, newPass) after invoking logout (and before invoking the EJB) so
that the web container updates the existing security context. This would cause the new
username/password pair to be propagated to the EJB container in subsequent calls and you
should get no errors from the EJB security layer.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/777792#777792]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
1:47 p.m.
Patrick Garner [https://community.jboss.org/people/pgarner] created the discussion
"Re: LoginModule defined with cached=true, but called between web and ejb
container"
To view the discussion, visit: https://community.jboss.org/message/784350#784350
--------------------------------------------------------------
Correct me if I'm wrong but it was a bug or at least bad programming practice on my
part to invoke HttpServletRequest#logout and HttpSession#invalidate prior to
LoginHistory#create. I didn't notice the bug until I implemented Change Password
workflow, which was when the FailedLoginException was thrown. The problem was resolved by
simply reversing the order e.g. invoking LoginHistory#create before logout. However, it
was troubling to learn that the EJB container was re-authenticating the user every time
during the logout process after I explicitly invoked HttpServletRequest#logout and
HttpSession.invalidate.
2- session.invalidate() is called, causing the security cache to
purge the entry that corresponds to userA.
3- you call the LoginHistoryService EJB. The WEB layer will use the established security
context to propagate the identity/password to the EJB container. As there is no cache
entry for userA ...
So, if I understand you correctly, the security context remains established and userA
(I'm assuming this means the principal) remains intact? Wow. Until now, I assumed
that immediately upon invocation of logout and/or invalidate the security context was
removed. Perhaps it's not removed until the thread returns because of some
requirement in the EJB spec, such as being able to pass principals across a chain of EJB
calls? Well... it was certainly confusing to receive a FailedLoginException when logging
out :) and it was troubling that the application didn't receive an error except
during logout under the unique circumstance when the user's password was changed
during the session -- all because the EJB container was re-authenticating behind the
scenes after logout was invoked.
When you call loginSuccess, you successfully invoke the EJB because
the security cache is still active and the security context that was established in the
web layer still reflect the correct username and password pair that exists in the DB. So
when the invocation reaches the EJB container, the security cache is hit and the user is
authenticated. Note that there's no way to escape authentication in the EJB container
as all EJB calls are required to be authenticated by the EJB specification. Finally, you
invalidate the session and return, so the existing security context is removed and when
the client (browser) attempts to call a protected resource he should be redirected to the
login page as the session has been terminated.
Just when I thought I was catching
on, I'm confused again ;) I don't understand when you say that the EJB spec
requires all EJB calls to be 'authenticated.' It is my understanding that
principals are authenticated -- not EJB calls -- and that EJB calls require access
authorization -- not authentication. If this is the case then referring back to my web
application, since the security context (I'm assuming this means the principal)
remains intact after invoking HttpServletRequest#logout and HttpSession#invalidate and
until the thread returns there should be no reason to re-authenticate the principal before
the thread returns. In other words, if the principal is authenticated at login and logout
is invoked but does not remove the security context, and during logout (e.g. before the
thread returns) a secure EJB method is invoked, the EJB container should perform +access
authorization+, checking that the user has the proper role, and not +authentication+, and,
hence, the FailedLoginException should never be thrown after invoking logout before the
thread returns.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/784350#784350]
Start a new discussion in PicketBox Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
4154
days inactive
4203
days old
jboss-dev-forums@lists.jboss.org
10 comments
3 participants
participants (3)
-
Anil Saldhana -
Patrick Garner
-
Stefan Guilhen