[Security & JAAS/JBoss] - JAAS Security conversion from WebSphereAS to JBossAS
by plscstx
JBoss Team --
I am trying to convert an application using JAAS on WebSphere to be using JAAS on JBoss.
I have been reviewing the documentation about JBossSX and the JBoss Security Integration Guide and countless other documentation.
However, I feel like I am still missing some things.
1. The implementation in WebSphere contained a file named ibm-application-bnd.xmi that was located in the applicationEAR\META-INF folder.
An excerpt from that file follows. My first question is - Is there some file that I need to define like this for the JBoss configuration?
<?xml version="1.0" encoding="UTF-8"?>
<applicationbnd:ApplicationBinding xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:applicationbnd="applicationbnd.xmi" xmi:id="ApplicationBinding_1103565947194">
<authorizationTable xmi:id="AuthorizationTable_1103565947194">
<authorizations xmi:id="RoleAssignment_1108662566127">
<groups xmi:id="Group_1159457809140" name="App.Prod.~~~.BranchManager"/>
<groups xmi:id="Group_1159457809141" name="App.Prod.~~~.BranchManager"/>
<groups xmi:id="Group_1159457809142" name="App.Prod.~~~.BranchManager"/>
...
2. I have the JAAS connecting to the LDAP but I am having some problems with the LDAP properties.
Also, I still feel like I am missing something that tells the server how to match the LDAP groups to the role names specified in the web.xml.
So, with those questions asked here is my current setup:
the application's (located in the War's WEB-INF folder)
web.xml:
...
<security-constraint id="SecurityConstraint_1159792191999">
<display-name>Region Managers Resources</display-name>
<web-resource-collection id="WebResourceCollection_1159792191999">
<web-resource-name>Region Managers Resources</web-resource-name>
<url-pattern>/admin/regionMan/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint id="AuthConstraint_1159792191999">
<role-name>BranchManager</role-name>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint id="SecurityConstraint_1159792192015">
<web-resource-collection id="WebResourceCollection_1159792192015">
<web-resource-name>Assign Assistants</web-resource-name>
<url-pattern>/admin/assistants/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint id="AuthConstraint_1159792192031">
<role-name>BranchManager</role-name>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint id="SecurityConstraint_1159792192031">
<web-resource-collection id="WebResourceCollection_1159792192031">
<web-resource-name>Admin Resources</web-resource-name>
<url-pattern>/admin/reports/*</url-pattern>
<url-pattern>/admin/regionAdmin/*</url-pattern>
<url-pattern>/admin/siteAdmin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint id="AuthConstraint_1159792192032">
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
<login-config id="LoginConfig_1159792192046">
<auth-method>FORM</auth-method>
<form-login-config id="FormLoginConfig_1159792192046">
<form-login-page>/redirectToLogin.jsp</form-login-page>
<form-error-page>/redirectToErrorLogin.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role id="SecurityRole_1112738942726">
<role-name>BranchManager</role-name>
</security-role>
<security-role id="SecurityRole_1112644368717">
<role-name>Admin</role-name>
</security-role>
...
the application's (located in the War's WEB-INF folder)
jboss-web.xml =
<?xml version="1.0"?>
<jboss-web>
<!-- All secured web content uses this security manager -->
<security-domain>java:/jaas/myAppAdmin</security-domain>
</jboss-web>
the server's
login-config.xml =
<application-policy name = "myAppAdmin">
<login-module code = "org.jboss.security.auth.spi.LdapLoginModule" flag = "required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://server:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.security.principal">username</module-option>
<module-option name="java.naming.security.credentials">password</module-option>
<module-option name="matchOnUserDN">true</module-option>
<module-option name="roleAttributeIsDN">false</module-option>
<module-option name="uidAttributeID">sAMAccountName</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
</login-module>
</application-policy>
When I run the application, I am currently getting the following LDAP error:
Where I feel like I am still missing something is the fact that in WebSphere, we had to define an ibm-application-bnd.xmi file which looks like the below snippet. However, I am not sure where I would be putting this equivalent for the JBoss configuration.
2008-02-07 10:47:44,407 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /contextRoot/j_security_check
2008-02-07 10:47:44,423 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authenticating username 'pcable'
2008-02-07 10:47:44,423 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Begin authenticate, username=pcable
2008-02-07 10:47:44,423 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.java.javaURLContextFactory, false)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.java.javaURLContextFactory)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.ENCFactory, false)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.ENCFactory)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory, false)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.Proxy, false)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.UndeclaredThrowableException, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.NoSuchMethodError, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.InvocationHandler, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(javax.naming.Name, false)
2008-02-07 10:47:44,454 TRACE [org.jboss.security.plugins.JaasSecurityManager] Constructing
2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManager.contextRoot] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@47cfb2
2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@94b150
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManager.contextRoot] CachePolicy set to: org.jboss.util.TimedCachePolicy@4fe90
2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@4fe90
2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added contextRoot, org.jboss.security.plugins.SecurityDomainContext@550344 to map
2008-02-07 10:47:44,454 TRACE [org.jboss.security.plugins.JaasSecurityManager.contextRoot] Begin isValid, principal:pcable, cache info: null
2008-02-07 10:47:44,454 TRACE [org.jboss.security.plugins.JaasSecurityManager.contextRoot] defaultLogin, principal=pcable
2008-02-07 10:47:44,454 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(contextRoot), size=9
2008-02-07 10:47:44,454 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(contextRoot), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=uidAttributeID, value=sAMAccountName
name=java.naming.security.authentication, value=simple
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=java.naming.security.credentials, value=password
name=matchOnUserDN, value=true
name=java.naming.provider.url, value=ldap://server:389
name=java.naming.security.principal, value=username
name=roleAttributeIsDN, value=false
name=roleAttributeID, value=memberOf
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.auth.spi.LdapLoginModule, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.auth.spi.LdapLoginModule)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
2008-02-07 10:47:44,469 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@15024292
2008-02-07 10:47:44,469 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Security domain: contextRoot
2008-02-07 10:47:44,469 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402880701 sessioncount 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402880701 sessioncount 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402880701 sessioncount 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402880701 sessioncount 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:10,709 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402890709 sessioncount 0
2008-02-07 10:48:10,709 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:13,148 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=pcable, roleAttributeID=memberOf, matchOnUserDN=true, jboss.security.security_domain=contextRoot, java.naming.provider.url=ldap://server:389, roleAttributeIsDN=false, uidAttributeID=sAMAccountName, java.naming.security.authentication=simple, java.naming.security.credentials=***}
2008-02-07 10:48:13,148 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(com.sun.jndi.ldap.LdapCtxFactory, false)
2008-02-07 10:48:13,164 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=pcable
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2753)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
...
Yes, I do realize that the LDAP: error code 49 means that the username and/or password is incorrect.
I guess I am just wanting to validate my migration path so far and determine how the ibm-application-bnd.xmi information fits into the JBoss Security Setup.
Also, about the login-config.xml: the JBoss Security FAQ says <application-policy name="mydomain">. Does mydomain have to be the LDAP domain,
or just some name that I make up that has to be the same text put in the jboss-web.xml so that they match up?
Any ideas?
Thanks
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4127558#4127558
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4127558
18 years, 2 months
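As an added example (not from the post above and not JBoss code), here is a small Python evaluator for the security-constraint rules quoted in that web.xml: it applies Servlet url-pattern and http-method matching to decide whether a request is authorized, and lists which HTTP methods a path leaves without any role check, which is the point to audit when a constraint names only GET and POST (or GET and PUT). The XML it parses is a constructed, trimmed copy of the post's constraints; function names are my own.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed, trimmed copy of the security-constraints from the post's web.xml.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/admin/regionMan/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>BranchManager</role-name><role-name>Admin</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/admin/reports/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>Admin</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

ALL_METHODS = ("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE")


def parse_constraints(xml_text):
    """Return one (url_patterns, http_methods, role_names, has_auth_constraint)
    tuple per <security-constraint>, in document order."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        methods = [m.text.strip().upper() for m in sc.iter("http-method")]
        auth = sc.find("auth-constraint")
        roles = [r.text.strip() for r in auth.iter("role-name")] if auth is not None else []
        out.append((patterns, methods, roles, auth is not None))
    return out


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: path-prefix, extension, default and exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return fnmatchcase(path, pattern)
    return pattern == "/" or path == pattern


def is_authorized(constraints, method, path, user_roles):
    """Decide whether a user holding user_roles may reach method+path.
    Simplification: the first constraint covering the request decides
    (overlapping constraints are not merged as the spec requires)."""
    method = method.upper()
    for patterns, methods, roles, has_auth in constraints:
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        if methods and method not in methods:
            continue  # constraint names other methods; this one is not covered by it
        if not has_auth:
            return True  # no <auth-constraint>: transport guarantee only
        if not roles:
            return False  # empty <auth-constraint>: nobody is allowed
        return bool(set(roles) & set(user_roles))
    return True  # no constraint covers the request: the container lets it through


def uncovered_methods(constraints, path):
    """HTTP methods that reach `path` without any role check at all."""
    return [m for m in ALL_METHODS if is_authorized(constraints, m, path, set())]
```

Run uncovered_methods() against each protected path; any method it returns reaches the resource unauthenticated, so either drop the http-method elements (a constraint without them covers every method) or add a deny-all constraint for the rest.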
[JBoss Seam] - Injection of non-Entity bean failing
by BrettG
I have a simple application that I've set up, with a feature to perform searches. I've created a POJO to hold the search values:
| import org.jboss.seam.annotations.Name;
|
| @Name("sCriteria")
| public class SearchCriteria implements java.io.Serializable{
|
|     private static final long serialVersionUID = 4249273907087086393L;
|     private String orderId;
|     private String actNumber;
|     ...
|
I set the value on my .xhtml page:
| <h:panelGrid columns="2">
| <h:outputText value="Act Number"/>
| <h:inputText value="#{sCriteria.actNumber}"></h:inputText>
| <h:outputText value="Order Number"/>
| <h:inputText value="#{sCriteria.orderId}"></h:inputText>
| <h:commandButton type="submit" action="#{spojoAction.doAction(sCriteria)}" value="Search Orders - Param"></h:commandButton>
| <h:commandButton type="submit" action="#{spojoAction.doAction}" value="Search Orders - @In"></h:commandButton>
|
When I debug the code, and look at, in this case a Seam POJO:
| import java.util.List;
| import org.jboss.seam.ScopeType;
| import org.jboss.seam.annotations.In;
| import org.jboss.seam.annotations.Logger;
| import org.jboss.seam.annotations.Name;
| import org.jboss.seam.annotations.Out;
| import org.jboss.seam.log.Log;
|
| @Name("spojoAction")
| public class SPOJOAction {
|
|     @Logger
|     Log log;
|
|     private OrderStaticDataLiteDao orderStaticDataLiteDao;
|
|     @In
|     private SearchCriteria sCriteria;
|
|     @Out(required = false, scope = ScopeType.PAGE)
|     List<OrderStaticDataLite> ordersList;
|
|     public String doAction(){
|         orderStaticDataLiteDao = new OrderStaticDataLiteDao();
|         return null;
|     }
|
|     public String doAction(SearchCriteria searchCriteria){
|         orderStaticDataLiteDao = new OrderStaticDataLiteDao();
|         return null;
|     }
| }
|
the values I set on my .xhtml page are null. The interesting part is that if I examine either the @In-jected object, or the one passed in via the parameter (depending on the button clicked), the values I entered on the .xhtml page seem to be present in the handler. I.e., both sCriteria and searchCriteria show the following:
sCriteria.handler.bean.actNumber = the value entered on the .xhtml page
sCriteria.handler.bean.orderId = the value entered on the .xhtml page
searchCriteria.handler.bean.actNumber = the value entered on the .xhtml page
searchCriteria.handler.bean.orderId = the value entered on the .xhtml page
It seems to me that something is strange with the interception of these values. Does anyone have any ideas?
Note, I've also tried adding @Interceptors(SeamInterceptor.class) at the top of my Seam pojo, but saw the same behavior.
Thanks.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4127551#4127551
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4127551
18 years, 2 months
[JBoss Seam] - Re: When to use @PersistenceContext vrs @In EntityManager (S
by christian.bauer@jboss.com
Folks, it's quite simple:
- EJB 3.0 defines injection rules for EntityManager with @PersistenceContext
- For consistency reasons with the rest of the component model, they decided to make the _propagation_ rules (one component that has @PersistenceContext calling another component that also has @PersistenceContext) bound to transaction OR instantiation order propagation (SLSB vs. SFSB)
- These rules are straightforward (although I think our book is the only one that documents them properly) but complex
- Seam-managed and injected persistence contexts are an alternative with easier injection and propagation rules, not bound to transaction or instantiation order
So, unless you WANT PC propagation rules bound to transaction propagation (that's what the quoted paragraph from the docs is about), using a SMPC is fine in all situations.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4127548#4127548
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4127548
18 years, 2 months
[JBoss Seam] - Re: FlushMode=MANUAL -- not immediately committed to db?
by msystems
anonymous wrote :
| I am using EJB3/JPA persistence and am having trouble with a manually flushed transaction. Even after a call to em.flush(), the data is not visible to an external db client -- it seems that even though manually flushed, the transaction is not committed until after the outer backing bean action method returns.
|
The transaction is committed in the after 'invoke application' phase (by the SeamPhaseListener) - if you're using a Seam-managed transaction (looks like you are using it).
anonymous wrote :
| I've tried to call em.getTransaction().commit(), but get a runtime error:
|
| | Caused by: javax.faces.el.EvaluationException: java.lang.IllegalStateException: A JTA EntityManager
| | cannot use getTransaction()
| |
|
The exception is thrown because you're using a Container-managed transaction (CMT) bean.
anonymous wrote :
| Is it possible to commit the transaction without returning from an action method?
|
To my knowledge, no!
You need to use a bean-managed transaction (BMT) bean if you want to control the transaction - i.e. tx.begin(), tx.commit(), etc.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4127547#4127547
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4127547
18 years, 2 months
[JBossWS] - wsconsume generates annotations instead of xml file
by limousyf
Hello,
We developed an application 2 years ago using jbossws and jboss-ide (it was version 1.6).
Today we have moved to Seam and it's way easier to make WS.
The problem is to maintain the old-fashioned jaxrpc-mapping.xml and the newly generated annotated mapping.
Concretely we want the client to keep generating mapping with an xml file, from the wsdl moving on the server side.
But I didn't find any way with today's wsconsume to generate mapping classes and jaxrpc-mapping.xml (we were doing it graphically with jboss-ide two years ago!)
Here are the constraints I identified (tell me if I'm wrong):
*) Our old applications run using jsf 1.1 (myfaces) on jboss-4.0.5
*) Our new applications run using jsf 1.2 (sun-ri) on seam/jboss-4.2.1
*) We can't run (or painfully maybe ?) both jsf-1.1/jsf-1.2 on the same jboss-4.2.1 server. So we can't upgrade our old applications to 4.2.1 ...
*) We can't find any options on the wsconsume command line (gasp) tool to generate the jaxrpc-mapping.xml. So we can't "downgrade" the wsdl schema to our old fashioned mapping.
I'm quite sure I missed something here, so what do you think is the best path:
1) Upgrade our old applications to an annotated mapping, implying we can run both jsf-1.1 and jsf-1.2 applications on the same server
2) "Downgrade" the mapping by using correctly the wsconsume command line tool (but how ?)
Thanks for your help on this.
Regards,
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4127545#4127545
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4127545
18 years, 2 months