[Security & JAAS/JBoss] - Re: Attempt to get JBoss to call my custom login module
by jcollins914
I'm posting again, because it blurred my code samples beyond worth when I wrapped them in code tags... (Sorry about that):
Hello JBoss enthusiasts,
I am new to JBoss, and am attempting to convince it to respect my custom login module through its implementation of JAAS.
I have read MANY web sites/forum entries on how to do this, but am sadly missing something(s) about how to complete the endeavor.
I am developing in Eclipse, and my project consists of an Enterprise .ear file project, encompassing a Dynamic Web Module .war file project.
I have edited the following files (<war-file-project>/WEB-INF/jboss-web.xml, <war-file-project>/WEB-INF/web.xml,
and <jboss.install>/server/default/deploy/conf/login-config.xml). Please see below for details of each.
I have coded up a custom login module, extending AbstractServerLoginModule, which essentially just hard-codes a user name, (for now, I will doll it up when I can get it called), and adds a role called "Authenticated".
I added the following content to jboss-web.xml, and sprinkled it into <war-file-project>/WEB-INF, <war-file-project>/META-INF, and <ear-file-project>/META-INF,
trying to get it to have an impact. I think/guess it belongs in the <war-file-project>/WEB-INF along with web.xml, but I could not find this hint anywhere.
<?xml version="1.0" encoding="UTF-8"?>
<!-- The <security-domain> uses java:/jaas/GEHCSecurityRealm because it is the JBoss-specific JNDI name
used in gehc-login-confix.xml when JBoss deploys the loginModule as a managed service.
The pattern here is that JBoss prefixes its JAAS JNDI names with java:/jaas -->
<jboss-web>
  <security-domain>java:/jaas/GEHCSecurityRealm</security-domain>
</jboss-web>
I added the following constructs to web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>GEHCSecurityRealm</web-resource-name>
    <description>Protects CPWebService URL calls</description>
    <!-- <url-pattern>/CPWebService</url-pattern> -->
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <!-- Uncommenting auth-constraint causes login to fail, uncomment when able to call custom login module.
  <auth-constraint>
    <role-name>Authenticated</role-name>
  </auth-constraint>
  -->
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>GEHCSecurityRealm</realm-name> <!-- Could this be how I convince it to call my GEHCLoginModule? (apparently not) -->
</login-config>
<security-role>
  <description>The role required to access /CPWebService calls</description>
  <role-name>Authenticated</role-name>
</security-role>
I added the following construct to login-conf.xml:
<!-- GEHC Custom authentication login module configuration -->
<application-policy name="GEHCSecurityRealm">
<login-module code="com.gehcit.cp.security.GEHCLoginModule" flag="required"/>
</application-policy>
I enabled security trace/debug logging by adding the following lines to <jboss-install>/server/default/conf/log4j.xml: (The appender-ref elements are my attempt
to get the output to come to the console, although it still only ends up in server.log; :-( Good enough).
<appender-ref ref="CONSOLE"/>
<appender-ref ref="CONSOLE"/>
<appender-ref ref="CONSOLE"/>
So... What I had HOPED to accomplish with the aforementioned configuration, is that when I sent a request to this web service, with a url like /CPWebService,
(although it should happen for any url according to my <security-constraint>'s <url-pattern>), that JBoss would delegate the login to my custom login module, as
indicated in the login-conf.xml, because the jboss-web.xml listed the realm it covers as the security realm for this "web application". I'm not 100% confident in any of this, as it is all kinda hearsay, gathered from the JBoss documentation, and random input from forums and a several day google-fest. I am open to any & all suggestions towards a solution. i.e. Please :-)
The application server starts up without any security complaints. However, when I run my test call to a method under
http://localhost:8080/CentricityPractice/CPWebService, it produces the following output:
2006-11-09 15:57:03,960 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /CentricityPractice/CPWebService
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles null
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Passing all access
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callernull
2006-11-09 15:57:03,975 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.RunAsListener] CPWebService, runAs: null
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.RunAsListener] CPWebService, runAs: null
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass
It would appear that it is logging in just fine, ... I just have no idea what module it's using, is there any way to tell?
When I uncomment the auth-constraint in the security-constraint in web.xml, the log produces the following content:
2006-11-09 15:53:25,191 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1163105605191 sessioncount 0
2006-11-09 15:53:25,191 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /CentricityPractice/CPWebService
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
2006-11-09 15:53:28,191 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
This failure makes sense to me, because whatever user it is automatically assuming hasn't been gifted with the "Authenticated" role. Incidentally, if it was
calling my login module, the following method would grant the user with this role:
public Group[] getRoleSets() {
    // Our security at this level (authentication) isn't role based, so we have a simple fudge role to
    // satisfy the requirement of JBoss having role based authentication.
    log.debug("!!!!!!!!!!!!!!!!!!!!!!!! getRoleSets !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
    Group rolesGroup = new SimpleGroup("Roles");
    rolesGroup.addMember(new SimplePrincipal("Authenticated"));
    return new Group[] {rolesGroup};
}
Does anyone know what I'm missing, care to commiserate, anything?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3984659#3984659
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3984659
19 years, 6 months
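A cross-check of the three descriptors from the post above, as an added example that is not part of the original post or of JBoss itself: it reports a `<security-constraint>` with no `<auth-constraint>` (the case behind the "Checking roles null" / "Passing all access" log lines, where the container never asks for credentials), constraints limited to listed HTTP methods, and whether the `java:/jaas/` security domain resolves to an `application-policy`. The descriptor strings are constructed from the post's fragments, no XML namespaces are assumed, and `audit` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed from the post's fragments (auth-constraint still commented out).
# Assumption: descriptors carry no XML namespace, as in the post.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>GEHCSecurityRealm</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <!-- <auth-constraint><role-name>Authenticated</role-name></auth-constraint> -->
  </security-constraint>
  <security-role><role-name>Authenticated</role-name></security-role>
</web-app>"""
# Same descriptor with the auth-constraint enabled.
WEB_XML_WITH_AUTH = WEB_XML.replace("<!-- ", "").replace(" -->", "")
JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/GEHCSecurityRealm</security-domain>
</jboss-web>"""
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="GEHCSecurityRealm">
    <login-module code="com.gehcit.cp.security.GEHCLoginModule" flag="required"/>
  </application-policy>
</policy>"""

JAAS_PREFIX = "java:/jaas/"

def audit(web_xml, jboss_web_xml, login_config_xml):
    """Hypothetical helper: return (findings, login modules bound to the web app)."""
    findings = []
    web = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in web.findall("security-role/role-name")}
    for sc in web.findall("security-constraint"):
        coll = sc.find("web-resource-collection")
        name = coll.findtext("web-resource-name", "?").strip()
        auth = sc.find("auth-constraint")
        if auth is None:
            # Without an auth-constraint the container never asks for credentials.
            findings.append(f"{name}: no auth-constraint, requests pass unauthenticated")
        else:
            for role in auth.findall("role-name"):
                if role.text.strip() not in declared | {"*"}:
                    findings.append(f"{name}: role {role.text.strip()!r} has no security-role")
        methods = [m.text.strip() for m in coll.findall("http-method")]
        if methods:
            # Listing methods limits the constraint to those methods only.
            findings.append(f"{name}: only {'/'.join(methods)} covered, other methods unconstrained")
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain", "").strip()
    policy = domain[len(JAAS_PREFIX):] if domain.startswith(JAAS_PREFIX) else domain
    policies = {p.get("name"): [m.get("code") for m in p.iter("login-module")]
                for p in ET.fromstring(login_config_xml).iter("application-policy")}
    if policy not in policies:
        findings.append(f"security-domain {domain!r} has no application-policy {policy!r}")
    return findings, policies.get(policy, [])
```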
[Security & JAAS/JBoss] - Attempt to get JBoss to call my custom login module
by jcollins914
Hello JBoss enthusiasts,
I am new to JBoss, and am attempting to convince it to respect my custom login module through its implementation of JAAS.
I have read MANY web sites/forum entries on how to do this, but am sadly missing something(s) about how to complete the endeavor.
I am developing in Eclipse, and my project consists of an Enterprise .ear file project, encompassing a Dynamic Web Module .war file project.
I have edited the following files (<war-file-project>/WEB-INF/jboss-web.xml, <war-file-project>/WEB-INF/web.xml, and <jboss.install>/server/default/deploy/conf/login-config.xml). Please see below for details of each.
I have coded up a custom login module, extending AbstractServerLoginModule, which essentially just hard-codes a user name, (for now, I will doll it up when I can get it called), and adds a role called "Authenticated".
I added the following content to jboss-web.xml, and sprinkled it into <war-file-project>/WEB-INF, <war-file-project>/META-INF, and <ear-file-project>/META-INF,
trying to get it to have an impact. I think/guess it belongs in the <war-file-project>/WEB-INF along with web.xml, but I could not find this hint anywhere.
<?xml version="1.0" encoding="UTF-8"?>
<!-- The <security-domain> uses java:/jaas/GEHCSecurityRealm because it is the JBoss-specific JNDI name
used in gehc-login-confix.xml when JBoss deploys the loginModule as a managed service.
The pattern here is that JBoss prefixes its JAAS JNDI names with java:/jaas -->
<jboss-web>
  <security-domain>java:/jaas/GEHCSecurityRealm</security-domain>
</jboss-web>
I added the following constructs to web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>GEHCSecurityRealm</web-resource-name>
    <description>Protects CPWebService URL calls</description>
    <!-- <url-pattern>/CPWebService</url-pattern> -->
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <!-- Uncommenting auth-constraint causes login to fail, uncomment when able to call custom login module.
  <auth-constraint>
    <role-name>Authenticated</role-name>
  </auth-constraint>
  -->
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>GEHCSecurityRealm</realm-name> <!-- Could this be how I convince it to call my GEHCLoginModule? (apparently not) -->
</login-config>
<security-role>
  <description>The role required to access /CPWebService calls</description>
  <role-name>Authenticated</role-name>
</security-role>
I added the following construct to login-conf.xml:
<!-- GEHC Custom authentication login module configuration -->
<application-policy name="GEHCSecurityRealm">
<login-module code="com.gehcit.cp.security.GEHCLoginModule" flag="required"/>
</application-policy>
I enabled security trace/debug logging by adding the following lines to <jboss-install>/server/default/conf/log4j.xml: (The appender-ref elements are my attempt to get the output to come to the console, although it still only ends up in server.log; :-( Good enough).
<appender-ref ref="CONSOLE"/>
<appender-ref ref="CONSOLE"/>
<appender-ref ref="CONSOLE"/>
So... What I had HOPED to accomplish with the aforementioned configuration, is that when I sent a request to this web service, with a url like /CPWebService, (although it should happen for any url according to my <security-constraint>'s <url-pattern>), that JBoss would delegate the login to my custom login module, as indicated in the login-conf.xml, because the jboss-web.xml listed the realm it covers as the security realm for this "web application". I'm not 100% confident in any of this, as it is all kinda hearsay, gathered from the JBoss documentation, and random input from forums and a several day google-fest. I am open to any & all suggestions towards a solution. i.e. Please :-)
The application server starts up without any security complaints. However, when I run my test call to a method under http://localhost:8080/CentricityPractice/CPWebService, it produces the following output:
2006-11-09 15:57:03,960 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /CentricityPractice/CPWebService
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles null
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Passing all access
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callernull
2006-11-09 15:57:03,975 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.RunAsListener] CPWebService, runAs: null
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.RunAsListener] CPWebService, runAs: null
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass
It would appear that it is logging in just fine, ... I just have no idea what module it's using, is there any way to tell?
When I uncomment the auth-constraint in the security-constraint in web.xml, the log produces the following content:
2006-11-09 15:53:25,191 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1163105605191 sessioncount 0
2006-11-09 15:53:25,191 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /CentricityPractice/CPWebService
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
2006-11-09 15:53:28,191 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
This failure makes sense to me, because whatever user it is automatically assuming is relevant hasn't been gifted with the "Authenticated" role. Incidentally, if it was calling my login module, the following method would grant the user with this role:
public Group[] getRoleSets() {
    // Our security at this level (authentication) isn't role based, so we have a simple fudge role to
    // satisfy the requirement of JBoss having role based authentication.
    log.debug("!!!!!!!!!!!!!!!!!!!!!!!!getRoleSets !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
    Group rolesGroup = new SimpleGroup("Roles");
    rolesGroup.addMember(new SimplePrincipal("Authenticated"));
    return new Group[] {rolesGroup};
}
Does anyone know what I'm missing, care to commiserate, anything?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3984657#3984657
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3984657
19 years, 6 months
[Remoting] - Re: InvokerLocator already exists for listener
by tom.elrod@jboss.com
Jira issue - http://jira.jboss.com/jira/browse/JBREM-622
Following describes behavior due to code changes for this issue:
Behavior - If doing pull callbacks, can have same callback handler registered with two remoting Client instances (i.e. A and B) and the server will see this as two distinct callback listeners being registered. So if server generates a callback, both Client instances will retrieve a callback.
If doing push callbacks, meaning have a callback server registered to receive callbacks, the callbacks will be tied to that callback server and its callback handler. Therefore, if have callback handler and server registered, only one callback will be delivered per one generated on target server, regardless of with how many remoting Clients they have been registered as listeners with. An example would be have remoting Client A and B, and have callback handler X and callback server Y. If registered callback handler X and callback server Y with both A and B and the server generates a callback message, it will only be delivered once to callback handler X.
If have the same callback handler registered with multiple callback servers, a callback message will be delivered for each callback server. For example, if have callback handler X and callback server Y and Z and then register callback handler X twice (once with Y and once with Z), then will be delivered the same callback message twice (once by Y and once by Z).
When a callback handler is removed and are using push callbacks, the callback handler will be removed as a listener from all callback servers it has been registered under.
Tom Elrod [09/Nov/06 03:48 PM] Behavior - If doing pull callbacks, can have same callback handler registered with two remoting Client instances (i.e. A and B) and the server will see this as two distinct callback listeners being registered. So if server generates a callback, both Client instances will retrieve a callback. If doing push callbacks, meaning have a callback server registered to receive callbacks, the callbacks will be tied to that callback server and its callback handler. Therefore, if have callback handler and server registered, only one callback will be delivered per one generated on target server, regardless of with how many remoting Clients they have been registered as listeners with. An example would be have remoting Client A and B, and have callback handler X and callback server Y. If registered callback handler X and callback server Y with both A and B and the server generates a callback message, it will only be delivered once to callback handler X. If have the same callback handler registered with multiple callback servers, a callback message will be delivered for each callback server. For example, if have callback handler X and callback server Y and Z and then register callback handler X twice (once with Y and once with Z), then will be delivered the same callback message twice (once by Y and once by Z). When a callback handler is removed and are using push callbacks, the callback handler will be removed as a listener from all callback servers it has been registered under.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3984654#3984654
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3984654
19 years, 6 months