[jboss-user] [Security & JAAS/JBoss] - Role Authorization problem with Custom Authenticator

brengl do-not-reply at jboss.com
Mon Dec 3 10:13:20 EST 2007


Hello, I am writing a custom Authenticator class that collects credentials from a Siteminder SMSESSION cookie. I created a security domain called CustomSMAuth and assigned the SimpleServerLoginModule to it. According to the JBoss docs, this authenticator assigns a role of 'user' if the username and password are the same value. That is the behavior I'm trying to get.

I can confirm that the Authenticator is executed and is working, but access is denied based on the user role authorization. I'm not sure if my authenticator class should be doing something different, or if I have a configuration issue with JBoss. Any help would be appreciated!

The authenticator, after retrieving the userid value, does the following:

// Build the principal directly (name and password both set to the user id, no role list)
GenericPrincipal userPrincipal = new GenericPrincipal(context.getRealm(), userid.trim(), userid.trim());
// Cache it on the session and on the request
session.setAttribute(Constants.SESS_USERNAME_NOTE, userPrincipal);
request.setUserPrincipal(userPrincipal);
// Register it with the container under the SMSESSION auth type
register(request, response, userPrincipal, "SMSESSION", userid.trim(), userid.trim());
return true;

my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Success</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>SMSESSION</auth-method>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>


jboss-web.xml:

<jboss-web>
  <security-domain>java:/jaas/CustomSMAuth</security-domain>
</jboss-web>


login-config.xml:

<application-policy name="CustomSMAuth">
  <login-module code="org.jboss.security.auth.spi.SimpleServerLoginModule"
                flag="required">
  </login-module>
</application-policy>


And the log excerpt showing the output from my authenticator and the authorization failure:

2007-12-03 09:54:44,518 DEBUG [com.sas.smutil.SMSESSIONAuthenticator] Login return code: 1
2007-12-03 09:54:44,518 DEBUG [com.sas.smutil.SMSESSIONAuthenticator] Validation Accepted, setting user principal
2007-12-03 09:54:44,533 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'sasdemo' with type 'SMSESSION'
2007-12-03 09:54:44,533 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling accessControl()
2007-12-03 09:54:44,533 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[sasdemo()]
2007-12-03 09:54:44,533 DEBUG [org.apache.catalina.realm.RealmBase] Username sasdemo does NOT have role user
2007-12-03 09:54:44,533 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found:  user
2007-12-03 09:54:44,533 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking for all roles mode: authOnly
2007-12-03 09:54:44,533 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Failed accessControl() test
2007-12-03 09:54:44,533 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2007-12-03 09:54:44,533 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ---------------------------------------------------------------
2007-12-03 09:54:44,533 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]           authType=SMSESSION
2007-12-03 09:54:44,533 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]      contentLength=-1
2007-12-03 09:54:44,533 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]        contentType=text/html;charset=utf-8
2007-12-03 09:54:44,533 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             cookie=JSESSIONID=6F898FB15DD78EC4EEBC503B5593873C; domain=null; path=/
2007-12-03 09:54:44,533 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=Pragma=No-cache
2007-12-03 09:54:44,533 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=Cache-Control=no-cache
2007-12-03 09:54:44,533 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=Expires=Wed, 31 Dec 1969 19:00:00 EST
2007-12-03 09:54:44,533 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=Set-Cookie=JSESSIONID=6F898FB15DD78EC4EEBC503B5593873C; Path=/
2007-12-03 09:54:44,549 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]            message=Access to the requested resource has been denied
2007-12-03 09:54:44,549 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         remoteUser=sasdemo
2007-12-03 09:54:44,549 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             status=403
2007-12-03 09:54:44,549 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ===============================================================


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4109878#4109878

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4109878
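The trace line `Checking roles GenericPrincipal[sasdemo()]` shows the principal reaching the realm with an empty role list: the snippet above constructs the `GenericPrincipal` itself, so the security domain's login module is never invoked and nothing assigns the `user` role. The following is an added example, not the poster's code, of a custom authenticator that extracts the user id from the cookie and then delegates to `context.getRealm().authenticate(...)`, so the roles come from the JAAS login module configured in `login-config.xml`. It assumes the Tomcat 6 / JBoss 4.2 `AuthenticatorBase` API; the package name, the class name and the `validateSmSession` hook are hypothetical (the poster's class already performs the Siteminder validation that the log reports as "Validation Accepted").

```java
package com.example.auth; // hypothetical package; not the poster's com.sas.smutil class

import java.io.IOException;
import java.security.Principal;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Realm;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;

/**
 * Authenticator that reads the user id from an SMSESSION cookie and then lets
 * the realm (and so the JAAS login module of the web app's security domain)
 * build the Principal, so the roles that login module assigns are the ones
 * checked by accessControl().
 */
public class SmSessionRealmAuthenticator extends AuthenticatorBase {

    /** Must match the <auth-method> value in web.xml. */
    private static final String AUTH_TYPE = "SMSESSION";

    @Override
    public boolean authenticate(Request request, Response response,
                                LoginConfig config) throws IOException {
        // A principal already cached on the session (register() stores it when
        // the authenticator's cache is on) means this request is done.
        Principal cached = request.getUserPrincipal();
        if (cached != null) {
            return true;
        }

        String token = smSessionCookie(request);
        if (token == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        // Hypothetical hook: validate the cookie with the Siteminder agent and
        // return the user id only for a valid, unexpired session.
        String userid = validateSmSession(token);
        if (userid == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        userid = userid.trim();

        // Do not build a GenericPrincipal by hand: that bypasses the realm, the
        // security domain's login module never runs, and the principal carries
        // no roles. Let the realm authenticate; with SimpleServerLoginModule a
        // matching username and password yields the "user" role.
        Realm realm = context.getRealm();
        Principal principal = realm.authenticate(userid, userid);
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        // Same registration call as before, now with the realm-built principal.
        register(request, response, principal, AUTH_TYPE, userid, userid);
        return true;
    }

    /** Returns the raw SMSESSION cookie value, or null if it is absent. */
    private static String smSessionCookie(Request request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (AUTH_TYPE.equals(c.getName()) && c.getValue() != null
                    && c.getValue().length() > 0) {
                return c.getValue();
            }
        }
        return null;
    }

    /** Placeholder for the Siteminder agent call (hypothetical). */
    private String validateSmSession(String token) {
        throw new UnsupportedOperationException(
                "call the Siteminder agent here; do not trust the cookie contents directly");
    }
}
```

With this shape, the roles the realm checks in `hasRole()` are whatever the login module of the `CustomSMAuth` domain assigned, so swapping SimpleServerLoginModule for a module that reads real group membership later needs no change to the authenticator.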
