[Security & JAAS/JBoss] - Help ... flushAuthenticationCache doesn't work
by Venika
Hello,
I have a problem with JAAS security in my application. I need to change the user roles on the fly in my application. So I try to call the "flushAuthenticationCache" method in my application, but this call has no effect. In other JBoss topics I have found that after this call JAAS security should call my custom LoginModule again and the subject should be initialized once more. I have tried to check this with my debugger, but my custom LoginModule is called only once, at the login.
The call of the "flushAuthenticationCache" method doesn't remove the principal from the TimedCache.
Can anybody tell me what is wrong in my application?
I use the JBoss Application Server 4.0.5 GA (at home) and 4.0.2 (at work). I have written a small prototype of my application. The prototype consists of two servlets. One servlet is an admin servlet and the second is a user servlet. In the user servlet I want to change the user role to admin. I am using CustomPrincipal and CustomLoginModule to authenticate the user.
Here is my source:
a) web.xml
b) jboss-web.xml
c) CustomLoginModule.java
d) CustomPrincipal.java
e) SecureServlet.java
f) AdminSecureServlet.java
g) login-config.xml
web.xml
| <?xml version="1.0" encoding="UTF-8"?>
| <web-app id="WebApp_ID" version="2.4"
| xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
| xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
| http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
|
| <display-name>Refresh</display-name>
| <servlet>
| <description>Servlet ohne Zugriffsbeschraenkung</description>
| <display-name>UnsecureServlet</display-name>
| <servlet-name>UnsecureServlet</servlet-name>
| <servlet-class>de.venia.servlets.UnsecureServlet</servlet-class>
| </servlet>
| <servlet>
| <description>Zugriffsgeschuetzter Servlet</description>
| <display-name>SecureServlet</display-name>
| <servlet-name>SecureServlet</servlet-name>
| <servlet-class>de.venia.servlets.SecureServlet</servlet-class>
| </servlet>
| <servlet>
| <description>Admin Servlet</description>
| <display-name>AdminSecureServlet</display-name>
| <servlet-name>AdminSecureServlet</servlet-name>
| <servlet-class>de.venia.servlets.AdminSecureServlet</servlet-class>
| </servlet>
| <servlet-mapping>
| <servlet-name>UnsecureServlet</servlet-name>
| <url-pattern>/UnsecureServlet/*</url-pattern>
| </servlet-mapping>
| <servlet-mapping>
| <servlet-name>SecureServlet</servlet-name>
| <url-pattern>/SecureServlet/*</url-pattern>
| </servlet-mapping>
| <servlet-mapping>
| <servlet-name>AdminSecureServlet</servlet-name>
| <url-pattern>/AdminServlet/*</url-pattern>
| </servlet-mapping>
| <security-constraint>
| <web-resource-collection>
| <web-resource-name>First</web-resource-name>
| <url-pattern>/SecureServlet/*</url-pattern>
| <http-method>POST</http-method>
| <http-method>GET</http-method>
| </web-resource-collection>
| <auth-constraint>
| <role-name>user</role-name>
| <role-name>admin</role-name>
| </auth-constraint>
| </security-constraint>
| <security-constraint>
| <web-resource-collection>
| <web-resource-name>Admin</web-resource-name>
| <url-pattern>/AdminServlet/*</url-pattern>
| <http-method>POST</http-method>
| <http-method>GET</http-method>
| </web-resource-collection>
| <auth-constraint>
| <role-name>admin</role-name>
| </auth-constraint>
| </security-constraint>
| <login-config>
| <auth-method>FORM</auth-method>
| <realm-name>ReportingServcieJAAS</realm-name>
| <form-login-config>
| <form-login-page>/jsp/login.jsp</form-login-page>
| <form-error-page>/jsp/error.jsp</form-error-page>
| </form-login-config>
| </login-config>
| <security-role>
| <role-name>user</role-name>
| </security-role>
| <security-role>
| <role-name>admin</role-name>
| </security-role>
| <welcome-file-list>
| <welcome-file>index.html</welcome-file>
| </welcome-file-list>
| </web-app>
jboss-web.xml
| <?xml version="1.0" encoding="UTF-8" ?>
| <jboss-web>
| <security-domain>java:/jaas/ReportingServcieJAAS</security-domain>
| </jboss-web>
CustomLoginModule
| package de.venia.login;
|
| import java.security.Principal;
| import java.security.acl.Group;
| import java.util.Map;
| import javax.security.auth.Subject;
| import javax.security.auth.callback.CallbackHandler;
| import javax.security.auth.login.LoginException;
| import javax.security.jacc.PolicyContext;
| import javax.servlet.http.HttpServletRequest;
| import javax.servlet.http.HttpSession;
| import org.jboss.security.SimpleGroup;
| import org.jboss.security.SimplePrincipal;
| import org.jboss.security.auth.spi.AbstractServerLoginModule;
|
| public class CustomLoginModule extends AbstractServerLoginModule {
|
| public void initialize( Subject arg0, CallbackHandler arg1, Map arg2, Map arg3) {
| // The base class stores subject, callbackHandler, sharedState and options and reads its own options
| super.initialize( arg0, arg1, arg2, arg3);
| }
|
| public boolean login() throws LoginException {
| this.loginOk = true;
| return true;
| }
|
| public boolean abort() throws LoginException {
| return true;
| }
|
| public boolean commit() throws LoginException {
| String userRole = null;
| try {
| // JACC exposes the current request; the servlet stores the requested role in the session before flushing
| HttpServletRequest request = (HttpServletRequest) PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
| if( request != null) {
| HttpSession session = request.getSession();
| Object obj = session.getAttribute("newRole");
| if( obj != null) userRole = (String) obj;
| }
| } catch( Exception e) {
| // No request available (e.g. login outside the web tier): fall back to the default role below
| }
|
| if( userRole == null) userRole = "user";
|
| // JBoss reads the caller identity from the "CallerPrincipal" group and the roles from the "Roles" group
| SimpleGroup gr = new SimpleGroup("CallerPrincipal");
| SimpleGroup gr2 = new SimpleGroup("Roles");
| gr.addMember( new CustomPrincipal("Benjamin"));
| gr2.addMember( new SimplePrincipal( userRole));
| this.subject.getPrincipals().add(gr);
| this.subject.getPrincipals().add(gr2);
|
| return true;
| }
|
| public boolean logout() throws LoginException {
| this.subject.getPrincipals().clear();
| this.subject.getPublicCredentials().clear();
| this.subject.getPrivateCredentials().clear();
|
| return true;
| }
|
| // Not used: commit() above builds the CallerPrincipal and Roles groups itself instead of via these hooks
| protected Principal getIdentity() {
| return null;
| }
|
| protected Group[] getRoleSets() throws LoginException {
| return null;
| }
| }
CustomPrincipal
| package de.venia.login;
|
| import java.security.Principal;
| import java.sql.Timestamp;
|
| public class CustomPrincipal implements Principal {
|
| private String name = null;
| private Timestamp time = null;
|
| public CustomPrincipal( String nameM) {
| this.name = nameM;
| time = new Timestamp( System.currentTimeMillis());
| }
|
| public String getName() {
| return this.getTimedName();
| }
|
| private String getTimedName() {
| return this.name + "_" + this.time.toString();
| }
|
| public int hashCode() {
| int hash = this.getTimedName().hashCode();
| return hash;
| }
|
| public boolean equals( Object objM) {
| if( objM == null || !(objM instanceof CustomPrincipal)) {
| return false;
| }
| CustomPrincipal compar = (CustomPrincipal) objM;
| return ( this.getTimedName()).equals( compar.getTimedName());
| }
| }
SecureServlet
| package de.venia.servlets;
|
| import java.io.IOException;
| import java.io.PrintWriter;
| import java.security.Principal;
| import javax.management.MBeanServer;
| import javax.management.MBeanServerFactory;
| import javax.management.ObjectName;
| import javax.servlet.ServletException;
| import javax.servlet.http.HttpServletRequest;
| import javax.servlet.http.HttpServletResponse;
| import de.venia.login.CustomPrincipal;
|
| public class SecureServlet extends javax.servlet.http.HttpServlet implements javax.servlet.Servlet {
|
| private static final long serialVersionUID = 1L;
|
| public SecureServlet() {
| super();
| }
|
| protected void doGet(HttpServletRequest request, HttpServletResponse response)
| throws ServletException, IOException {
| doPost( request, response);
| }
|
| protected void doPost(HttpServletRequest request, HttpServletResponse response)
| throws ServletException, IOException {
|
| PrintWriter outputter = response.getWriter();
| outputter.println("I'm protected servlet, role - user");
| outputter.println("<br />");
| outputter.println("SessionID:" + request.getSession().getId());
| outputter.println("<br />");
|
| // Use the Principal interface: a cast to CustomPrincipal would fail if the container hands back another type
| Principal userPrincipal = request.getUserPrincipal();
| if( userPrincipal != null) outputter.println("User:" + userPrincipal.getName());
|
| //Flush the cached authentication for the current principal so the next request runs the login module again
| String flushParam = request.getParameter("flush");
| String roleParam = request.getParameter("role");
| if( "true".equalsIgnoreCase( flushParam) && roleParam != null) {
| // The login module reads this attribute in commit() to choose the new role
| request.getSession().setAttribute("newRole", roleParam);
| try {
| String domain = "ReportingServcieJAAS";
| //Principal principal = new SimplePrincipal( userPrincipal.getName());
| ObjectName jaasMgr = new ObjectName( "jboss.security:service=JaasSecurityManager");
| Object[] params = { domain, userPrincipal };
| String[] signature = { "java.lang.String", Principal.class.getName() };
| MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
| server.invoke( jaasMgr, "flushAuthenticationCache", params, signature);
| } catch (Exception e) {
| e.printStackTrace(outputter);
| }
| }
|
| //Flush the whole cache of the security domain
| String flushAllParam = request.getParameter("flushAll");
| if( "true".equalsIgnoreCase( flushAllParam)) {
| try {
| String domain = "ReportingServcieJAAS";
| ObjectName jaasMgr = new ObjectName( "jboss.security:service=JaasSecurityManager");
| Object[] params = { domain };
| String[] signature = { "java.lang.String"};
| MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
| server.invoke( jaasMgr, "flushAuthenticationCache", params, signature);
| } catch (Exception e) {
| e.printStackTrace(outputter);
| }
| }
| }
| }
AdminSecureServlet
| package de.venia.servlets;
|
| import java.io.IOException;
| import java.io.PrintWriter;
| import javax.servlet.ServletException;
| import javax.servlet.http.HttpServletRequest;
| import javax.servlet.http.HttpServletResponse;
|
| public class AdminSecureServlet extends javax.servlet.http.HttpServlet implements javax.servlet.Servlet {
|
| private static final long serialVersionUID = 1L;
|
| public AdminSecureServlet() {
| super();
| }
|
| protected void doGet(HttpServletRequest request, HttpServletResponse response)
| throws ServletException, IOException {
| doPost( request, response);
| }
|
| protected void doPost(HttpServletRequest request, HttpServletResponse response)
| throws ServletException, IOException {
| PrintWriter outputter = response.getWriter();
| outputter.println("I'm protected servlet, role - admin");
| outputter.println("<br />");
| }
| }
login-config.xml
| <application-policy name="ReportingServcieJAAS">
| <authentication>
| <login-module code="de.venia.login.CustomLoginModule" flag="required">
| </login-module>
| </authentication>
| </application-policy>
Thanks a lot for your help ;-)))
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4015393#4015393
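Why a flush aimed at the wrong principal silently does nothing, as an added stand-alone example that is not part of the original post. It assumes (labelled as such) that JBoss keys each security domain's authentication cache by the principal the web container authenticated, i.e. the login name, while request.getUserPrincipal() returns the CallerPrincipal built in commit(), whose timestamped name never equals that key; NamePrincipal and TimedPrincipal are constructed stand-ins for SimplePrincipal and the posted CustomPrincipal.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public class FlushKeyDemo {

    // Constructed stand-in for org.jboss.security.SimplePrincipal: equal to any Principal with the same name.
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) {
            return o instanceof Principal && name.equals(((Principal) o).getName());
        }
        public int hashCode() { return name.hashCode(); }
    }

    // Same shape as the posted CustomPrincipal: the name carries the creation time, so every login is a new identity.
    static final class TimedPrincipal implements Principal {
        private final String timedName;
        TimedPrincipal(String base, long millis) { this.timedName = base + "_" + millis; }
        public String getName() { return timedName; }
        public boolean equals(Object o) {
            return o instanceof TimedPrincipal && timedName.equals(((TimedPrincipal) o).timedName);
        }
        public int hashCode() { return timedName.hashCode(); }
    }

    /** Models one domain's authentication cache (assumption): key = principal the container authenticated. */
    static Map<Principal, String> cacheAfterLogin(String loginName, String roles) {
        Map<Principal, String> cache = new HashMap<Principal, String>();
        cache.put(new NamePrincipal(loginName), roles);
        return cache;
    }

    /** Mirrors flushAuthenticationCache(domain, principal) but reports whether an entry was really removed. */
    static boolean flush(Map<Principal, String> cache, Principal key) {
        return cache.remove(key) != null;
    }

    public static void main(String[] args) {
        Map<Principal, String> cache = cacheAfterLogin("benjamin", "user");
        // What request.getUserPrincipal() hands back: the CallerPrincipal built in commit(), not the login name
        Principal callerPrincipal = new TimedPrincipal("Benjamin", System.currentTimeMillis());
        System.out.println("flush by CallerPrincipal removed an entry: " + flush(cache, callerPrincipal));
        System.out.println("roles still cached for the login name: " + cache.get(new NamePrincipal("benjamin")));
        System.out.println("flush by login name removed an entry: " + flush(cache, new NamePrincipal("benjamin")));
    }
}
```

The MBean call itself returns nothing, so a mismatched key fails silently and the old role set stays cached until the cache timeout; a role change or revocation that relies on such a flush should be verified by re-requesting a protected URL rather than trusted blindly.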
[JBoss Seam] - Re: doco - 18.2.2. Seam.Component
by tony.herstell＠gmail.com
SLAPs Self... Sorry.
The section is for Javascript.
Had I RTFM or even read your responses better I would have seen that!
I was doing it in code...
| Image image = (Image)Component.getInstance("image", true);
| image.setName(fileName);
| image.setType(contentType);
| image.setThumbnail(inputFileAsBytes);
| image.setImage(inputFileAsBytes);
| image.setVersion(0);
|
As an aside... I managed to get JBoss to take over 15 minutes to run up yesterday!
I included a Seam component as a class instance as opposed to injecting it.
i.e.
I did this (thinking I will need an image object to put my image into!!)
Image image = new Image();
Now I am using:
Image image = (Image)Component.getInstance("image", true);
and JBoss runs up in only 1 minute again.
Interesting feature!
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4015380#4015380
[JBoss Portal] - HOWTO: Replace portal authentication and authorization
by arnieAustin
I need to replace the portal's internal methods with a custom class we wrote internally. Though LDAP is used for authentication, the base functions aren't detailed enough for our needs. Authorization is done based on data from a database.
I know I'm supposed to implement UserModule and RoleModule but I cannot find any documentation on how to do that. The JavaDocs show classes such as org.jboss.portal.core.impl.user.UserModule and *.Impl but I cannot descend that class as it's not in any of the jars under the portal.sar/lib folder.
What are the fully qualified class names and what jars are they supposed to be in? A URL to a document detailing how to make the portal use these new classes would be much appreciated, especially since I'll probably have to create my own login and registration portlets.
Thanks!
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4015379#4015379
[Persistence, JBoss/CMP, Hibernate, Database] - Transaction issue with separate JBoss jars
by dtseiler
Recently we have tried to separate our EJB project out into two parts. One project to handle all of our persistence and another to handle all of our services. The persistence project was set up to serve out entity objects back through a DAO service. This way our service project can just call into our DAO services and retrieve the information that they would need, allowing for a nice split between two different types of projects. However, in the process of separating these projects out we hit some issues with the transaction manager not flushing upon the call of the flush command.
The flush command is something we greatly rely on as a means to make sure our data is persisted underneath the proper user in the database through contexts. It is also the means by which we can allow support of Oracle proxy connections. We achieved this by having a PrepareDatabaseConnection AOP method, which is executed before and after a method is called, allowing us to set the database context after the transaction is started and to close the database context before the transaction ends. Ideally we would have liked to hook it directly onto the beginning and end of the transaction but we couldn't find a great way to do so. So instead, on every one of our services and DAO work we added the PrepareDatabaseConnection interceptor to properly set our database context or to configure the connection as a proxy connection. In a single jar this functionality works great. However, in separate jars we start to see issues with the database context not being properly set, which leads to issues with auditing which users changed the data in the database.
In a single jar the contents flush upon my call to the entity manager to commit / update the information. However, when these are separate jars the flush doesn't occur until the transaction manager tells it to flush and close the transaction, at which point in time the database context has already been unset, leaving no record of which user was actually using that connection from the connection pool.
Why is it that when we move the database code out to a separate jar the entity manager's flush doesn't actually flush the information when it was requested to?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4015369#4015369