Hi All,
I have a web application running on JBoss 4.0.4. I use LdapLoginModule to secure the EJB
tier. In the web tier, I add a filter that performs a JAAS login (using the client-login module)
for every incoming request. Everything works fine; the user's principal and credentials
are propagated successfully from the web tier to the EJB tier.
The problem arises when I try to move the web tier to a standalone Tomcat (version 5.5.17). The
user's principal is lost in the middle of the method calls. Here's the call sequence:
1. do JAAS login in web tier
2. call method1 in EJB tier - successful
3. call method2 in EJB tier - successful
4. call method3 in EJB tier - failed, user's principal is NULL
5. do JAAS logout
The strange thing is, I can invoke method3 in the EJB tier successfully at least once if I try
it a few times.
Here's the stacktrace in Web tier (Tomcat):
| java.rmi.AccessException: SecurityException; nested exception is:
| javax.security.auth.login.FailedLoginException: Password Incorrect/Password
Required
| at
org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:388)
| at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:209)
| at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:136)
| at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
| at org.jboss.ejb.Container.invoke(Container.java:954)
| at sun.reflect.GeneratedMethodAccessor96.invoke(Unknown Source)
| at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at
org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
| at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
| at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
| at
org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
| at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
| at
org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:819)
| at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:420)
| at sun.reflect.GeneratedMethodAccessor101.invoke(Unknown Source)
| at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
| at sun.rmi.transport.Transport$1.run(Transport.java:153)
| at java.security.AccessController.doPrivileged(Native Method)
| at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
| at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
| at
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
| at java.lang.Thread.run(Thread.java:595)
| Caused by: javax.security.auth.login.FailedLoginException: Password Incorrect/Password
Required
| at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
| at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
| at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
| at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
| at
org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
| at
org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
| at
org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
| at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:211)
| at
org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:158)
| at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
| ... 23 more
|
Here's the stacktrace in EJB tier (JBoss):
| 2006-09-29 17:24:29,011 TRACE [org.jboss.security.SecurityAssociation] getPrincipal,
principal=admin
| 2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] local
transaction exists - registering global tx if not present for Thread[RMI TCP
Connection(428)-127.0.0.1,5,RMI Runtime]
| 2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] Transaction
TransactionImpl:XidImpl[FormatId=257, GlobalId=quark/3739, BranchQual=, localId=3739] is
already registered.
| 2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] Running
commit phase. One phase? false
| 2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] Finished
local commit/rollback method for GlobalTransaction:<null>:939
| 2006-09-29 17:24:29,011 DEBUG [org.jboss.cache.interceptors.TxInterceptor] Finished
commit phase
| 2006-09-29 17:24:29,011 TRACE [org.jboss.security.SecurityAssociation]
popRunAsIdentity, runAs=null
| 2006-09-29 17:24:29,011 TRACE [org.jboss.security.SecurityAssociation]
popSubjectContext,
sc=org.jboss.security.SecurityAssociation$SubjectContext@a8018a{principal=admin,subject=null}
| 2006-09-29 17:24:29,014 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app]
Begin isValid, principal:admin, cache info:
org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170]
| 2006-09-29 17:24:29,014 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app]
Begin validateCache,
info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170];credential.class=[C@27310413
| 2006-09-29 17:24:29,014 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app]
End validateCache, isValid=true
| 2006-09-29 17:24:29,014 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app]
End isValid, true
| 2006-09-29 17:24:29,014 TRACE [org.jboss.security.SecurityAssociation]
pushSubjectContext, subject=Subject:
| Principal: admin
| Principal: Roles(members)
| ,
sc=org.jboss.security.SecurityAssociation$SubjectContext@34e0db{principal=admin,subject=26629440}
| 2006-09-29 17:24:29,014 TRACE [org.jboss.security.SecurityAssociation]
pushRunAsIdentity, runAs=null
| 2006-09-29 17:24:29,014 TRACE [org.jboss.security.SecurityAssociation]
popRunAsIdentity, runAs=null
| 2006-09-29 17:24:29,014 TRACE [org.jboss.security.SecurityAssociation]
popSubjectContext,
sc=org.jboss.security.SecurityAssociation$SubjectContext@34e0db{principal=admin,subject=26629440}
| 2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app]
Begin isValid, principal:admin, cache info:
org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170]
| 2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app]
Begin validateCache,
info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170];credential.class=[C@27310413
| 2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app]
End validateCache, isValid=true
| 2006-09-29 17:24:29,022 TRACE [org.jboss.security.plugins.JaasSecurityManager.ofs-app]
End isValid, true
| 2006-09-29 17:24:29,022 TRACE [org.jboss.security.SecurityAssociation]
pushSubjectContext, subject=Subject:
| Principal: admin
| Principal: Roles(members)
| ,
sc=org.jboss.security.SecurityAssociation$SubjectContext@15673be{principal=admin,subject=13167287}
| 2006-09-29 17:24:29,022 TRACE [org.jboss.security.SecurityAssociation]
pushRunAsIdentity, runAs=null
| 2006-09-29 17:24:29,022 TRACE [org.jboss.security.SecurityAssociation]
getCallerPrincipal, principal=admin
| 2006-09-29 17:24:29,022 TRACE
[org.jboss.security.plugins.JaasSecurityManager.ofs-app] getPrincipal, cache info:
org.jboss.security.plugins.JaasSecurityManager$DomainInfo@63bd4[Subject(2890892).principals=org.jboss.security.SimplePrincipal@15091605(admin)org.jboss.security.SimpleGroup@2286409(Roles(members)),credential.class=[C@27310413,expirationTime=1159522784170]
| 2006-09-29 17:24:29,037 TRACE [org.jboss.security.SecurityAssociation]
popRunAsIdentity, runAs=null
| 2006-09-29 17:24:29,037 TRACE [org.jboss.security.SecurityAssociation]
popSubjectContext,
sc=org.jboss.security.SecurityAssociation$SubjectContext@15673be{principal=admin,subject=13167287}
| 2006-09-29 17:24:29,040 TRACE [org.jboss.security.SecurityAssociation]
pushSubjectContext, subject=null,
sc=org.jboss.security.SecurityAssociation$SubjectContext@1859504{principal=null,subject=null}
| 2006-09-29 17:24:29,040 TRACE [org.jboss.security.SecurityAssociation]
pushRunAsIdentity, runAs=null
| 2006-09-29 17:24:29,040 TRACE [org.jboss.security.SecurityAssociation]
popRunAsIdentity, runAs=null
| 2006-09-29 17:24:29,040 TRACE [org.jboss.security.SecurityAssociation]
popSubjectContext,
sc=org.jboss.security.SecurityAssociation$SubjectContext@1859504{principal=null,subject=null}
| 2006-09-29 17:24:29,046 TRACE [org.jboss.security.SecurityAssociation]
pushSubjectContext, subject=null,
sc=org.jboss.security.SecurityAssociation$SubjectContext@73280f{principal=null,subject=null}
| 2006-09-29 17:24:29,046 TRACE [org.jboss.security.SecurityAssociation]
pushRunAsIdentity, runAs=null
| 2006-09-29 17:24:29,046 TRACE [org.jboss.security.SecurityAssociation] getPrincipal,
principal=null
| 2006-09-29 17:24:29,046 DEBUG [org.jboss.cache.interceptors.TxInterceptor] local
transaction exists - registering global tx if not present for Thread[RMI TCP
Connection(428)-127.0.0.1,5,RMI Runtime]
|
I've searched the forum but I couldn't find any useful information related to my
problem. Are there any additional configuration/steps that I have to do if I want to
implement JAAS on separate Tomcat + JBoss? Any help will be greatly appreciated.
regards,
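Added example, not part of the original post: a small triage script for a SecurityAssociation TRACE log like the one above, which reports every pushSubjectContext that arrives with no principal after an authenticated one has been seen. The sample input is constructed from records in the post (unwrapped, leading "| " removed); the function names are this example's own.

```python
import re

# Constructed sample: pushSubjectContext records from the post's EJB-tier trace,
# unwrapped, with the leading "| " removed.
SA = "TRACE [org.jboss.security.SecurityAssociation]"
SC = "sc=org.jboss.security.SecurityAssociation$SubjectContext@"
SAMPLE = "\n".join([
    f"2006-09-29 17:24:29,014 {SA} pushSubjectContext, subject=Subject:",
    " Principal: admin",
    " Principal: Roles(members)",
    f", {SC}34e0db{{principal=admin,subject=26629440}}",
    f"2006-09-29 17:24:29,014 {SA} popSubjectContext, {SC}34e0db{{principal=admin,subject=26629440}}",
    f"2006-09-29 17:24:29,040 {SA} pushSubjectContext, subject=null, {SC}1859504{{principal=null,subject=null}}",
    f"2006-09-29 17:24:29,040 {SA} popSubjectContext, {SC}1859504{{principal=null,subject=null}}",
    f"2006-09-29 17:24:29,046 {SA} pushSubjectContext, subject=null, {SC}73280f{{principal=null,subject=null}}",
    f"2006-09-29 17:24:29,046 {SA} getPrincipal, principal=null",
])

START = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+\s+\[([^\]]+)\] ?(.*)$")
CONTEXT = re.compile(r"SubjectContext@([0-9a-f]+)\{principal=([^,}]*),subject=[^}]*\}")

def records(text):
    """Yield (timestamp, logger, message), folding continuation lines into the message."""
    current = None
    for line in text.splitlines():
        m = START.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2), m.group(3)]
        elif current:
            current[2] += " " + line.strip()
    if current:
        yield tuple(current)

def lost_identity(text):
    """Return (timestamp, context id, last user) for each push with no principal
    that follows a push carrying an authenticated principal."""
    last_user, findings = None, []
    for ts, logger, msg in records(text):
        m = CONTEXT.search(msg)
        if not (logger.endswith("SecurityAssociation") and msg.startswith("pushSubjectContext") and m):
            continue
        if m.group(2) != "null":
            last_user = m.group(2)
        elif last_user is not None:
            findings.append((ts, m.group(1), last_user))
    return findings
```

The SecurityAssociation lines as posted carry no thread name, so the script can only show the order in which the identity disappears, not which invoker thread received the empty context.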