[jboss-user] [Security & JAAS/JBoss] - Attempt to get JBoss to call my custom login module

jcollins914 do-not-reply at jboss.com
Thu Nov 9 16:12:38 EST 2006

Hello JBoss enthusiasts,

  I am new to JBoss, and am attempting to convince it to respect my custom login module through its implementation of JAAS.

  I have read MANY web sites/forum entries on how to do this, but am sadly missing something(s) about how to complete the endeavor.

  I am developing in Eclipse, and my project consists of an Enterprise .ear file project, encompassing a Dynamic Web Module .war file project.

  I have edited the following files (<war-file-project>/WEB-INF/jboss-web.xml, <war-file-project>/WEB-INF/web.xml, and <jboss.install>/server/default/deploy/conf/login-config.xml. Please see below for details of each.

  I have coded up a custom login module, extending AbstractServerLoginModule, which essentially just hard-codes a user name, (for now, I will doll it up when I can get it called), and adds a role called "Authenticated".

I added the following content to jboss-web.xml, and sprinkled it into <war-file-project>/WEB-INF, <war-file-project>/META-INF, and <ear-file-project>/MEATA-INF, 

trying to get it to have an impact.  I think/guess it belongs in the <war-file-project>/WEB-INF along with web.xml, but I could not find this hint anywhere.

<?xml version="1.0" encoding="UTF-8"?>
<!--  The <security-domain> uses java:/jaas/GEHCSecurityRealm because it is the Jboss specific JNDI name
      used in gehc-login-confix.xml when JBoss deploys the loginModuld as a managed service.  
      The pattern here is that JBoss prefixes its JAAS JNDI names with java:/jaas-->

I added the following constructs to web.xml:

  		Protects CPWebService URL calls
<!--   		<url-pattern>/CPWebService</url-pattern> -->
    <!--  Uncommenting auth-constraint causes login to fail, uncomment when able to call custom login module.
    <realm-name>GEHCSecurityRealm</realm-name>  <!-- Could this be how I convince it to call my GEHCLoginModule, --apparently not -->

    The role required to access /CPWebService calls

I added the following construct to login-conf.xml:

    <!-- GEHC Custom authentication login module configuration -->
    <application-policy name="GEHCSecurityRealm"> 
        <login-module code="com.gehcit.cp.security.GEHCLoginModule" flag="required"/> 

I enabled security trace/debug logging by adding the following lines to <jboss-install>/server/default/conf/log4j.xml:  (The appender-ref elements are my attempt to get the output to come to the console, although it still only ends up in server.log; :-(  Good enough).

     <appender-ref ref="CONSOLE"/>

     <appender-ref ref="CONSOLE"/>

     <appender-ref ref="CONSOLE"/>

So...  What I had HOPED to accomplish with the aforementioned configuration, is that when I sent a request to this web service, with a url like /CPWebService, (although it should happen for any url according to my <security-constraint>'s <url-pattern>, that JBoss would delegate the login to my custom login module, as indicated in the login-conf.xml, because the jboss-web.xml listed the realm it covers as the security realm for this "web application".  I'm not 100% confident in any of this, as it is all kinda heresay, gathered from the JBoss documentation, and random input from forums and a several day google-fest.  I am open to any & all suggestions towards a solution.  i.e. Please :-)

The application server starts up without any security complaints.  However, when I run my test call to a method under http://localhost:8080/CentricityPractice/CPWebService, it produces the following output:

2006-11-09 15:57:03,960 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /CentricityPractice/CPWebService
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling hasUserDataPermission()
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.realm.RealmBase]   User data constraint has no restrictions
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling accessControl()
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles null
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Passing all access
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Successfully passed all security constraints
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callernull
2006-11-09 15:57:03,975 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.RunAsListener] CPWebService, runAs: null
2006-11-09 15:57:03,975 TRACE [org.jboss.web.tomcat.security.RunAsListener] CPWebService, runAs: null
2006-11-09 15:57:03,975 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass

It would appear that it is logging in just fine, ... I just have no idea what module it's using, is there any way to tell?

When I uncomment the auth-constraint in the security-constraint in web.xml, the log produces the following content:

2006-11-09 15:53:25,191 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1163105605191 sessioncount 0
2006-11-09 15:53:25,191 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /CentricityPractice/CPWebService
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[GEHCSecurityRealm]' against POST /CPWebService --> true
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling hasUserDataPermission()
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.realm.RealmBase]   User data constraint has no restrictions
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling authenticate()
2006-11-09 15:53:28,191 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Failed authenticate() test
2006-11-09 15:53:28,191 TRACE [org.jboss.security.SecurityAssociation] clear, server=true

This failure makes sense to me, because whatever user it is automatically assuming is relevant hasn't been gifted with the "Authenticated" role.  Incidentally, if it was calling my login module, the following method would grant the user with this role:

    public Group[] getRoleSets() {
               // Our security at this level (authentication) isn't role based, so we have a simple fudge role to    	
              // satisfy the requirement of JBoss having role based authentiacation.
	log.debug("!!!!!!!!!!!!!!!!!!!!!!!!getRoleSets !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
	Group rolesGroup = new SimpleGroup("Roles");
	rolesGroup.addMember(new SimplePrincipal("Authenticated"));
	return new Group[] {rolesGroup};    

Does anyone know what I'm missing, care to co-miserate, anything?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3984657#3984657

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3984657

More information about the jboss-user mailing list