[jboss-user] [Security & JAAS/JBoss] - Re: Repeated calls to LoginModule for EJB authentication
brownjamese
do-not-reply at jboss.com
Thu Feb 8 14:51:52 EST 2007
Interesting and odd log entries - especially since I don't know what a good "run" should look like. I followed the security FAQ and added the necessary log4j config entries. After trundling through the info, I still see:
* multiple access to the login module's login() method; and
* inserts into the cache with different subject reference Id
For example, I see the actual login:
| 2007-02-08 14:58:03,121 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
| 2007-02-08 14:58:03,322 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] End isValid, true
| 2007-02-08 14:58:03,322 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: U174791 is authenticated
| 2007-02-08 14:58:03,332 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
| Principal: Roles(members:xxx,yyy,zzz)
| Principal: U174791
| , sc=org.jboss.security.SecurityAssociation$SubjectContext@7c7d85{principal=U174791,subject=18143033}
|
Then access to the next URL, where the "hit" on the web app checks (and finds) the subject in cache:
| 2007-02-08 14:59:09,777 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Checking for SSO cookie
| 2007-02-08 14:59:09,777 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Checking for cached principal for D5612028A309EA8A4A5889D393B6251A
| 2007-02-08 14:59:09,777 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Found cached principal 'U174791' with auth type 'FORM'
|
But then access from web-app to EJB to EJB in another ear (all with same jaas policy configured) produces:
| 2007-02-08 14:59:09,907 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=U174791
| 2007-02-08 14:59:09,907 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@7aed3a{principal=U174791,subject=null}
| 2007-02-08 14:59:09,928 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
| 2007-02-08 14:59:09,958 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=U174791
| 2007-02-08 14:59:09,958 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] destroy, subject=Subject:
| Principal: Roles(members:xxx,yyy,zzz)
| Principal: U174791
| , this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b05409[Subject(23167560).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791),credential.class=java.lang.String@23438274,expirationTime=1170961028413], activeUsers=0
| 2007-02-08 14:59:09,958 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] logout, subject=Subject:
| Principal: Roles(members:xxx,yyy,zzz)
| Principal: U174791
| , this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b05409[Subject(23167560).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791),credential.class=java.lang.String@23438274,expirationTime=1170961028413]
| 2007-02-08 14:59:09,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
| 2007-02-08 14:59:09,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin, principal=U174791
| 2007-02-08 14:59:09,968 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(acol-core-policy), size=10
| 2007-02-08 14:59:09,968 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(acol-core-policy), authInfo=AppConfigurationEntry[]:
| [0]
| LoginModule Class: ca.acol.core.security.login.JBossLoginModule
| ControlFlag: LoginModuleControlFlag: sufficient
| Options:name=auth_ds, value=auth
|
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin, lc=javax.security.auth.login.LoginContext@1be9101, subject=Subject(2223107).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791)
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] updateCache, inputSubject=Subject(2223107).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791)
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@31ac05[Subject(17676813).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791),credential.class=java.lang.String@23438274,expirationTime=1170961148415]
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] End isValid, true
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
| Principal: Roles(members:xxx,yyy,zzz)
| Principal: U174791
| , sc=org.jboss.security.SecurityAssociation$SubjectContext@11492ed{principal=U174791,subject=28983194}
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
|
|
Just to clarify wars/jars/ears involved:
.ear
- .war - struts-based web application
- .jar - contains application-specific EJBs
payment.ear
- payment.jar - real-time payment interface
.war invokes .jar to perform custom workflow, including payment. Thus .jar calls EJBs in .jar.
Various incantations of security-domain have been used all with the same application policy. Log snippets above are from with .war and payment.jar with the security-domain set to acol-core-policy. I have tried adding the same security policy to .jar, but that just increases the number of re-authentication calls.
-- James
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4013244#4013244
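The two symptoms James lists, the login module being run again for a principal that was just authenticated and each run inserting a cache entry under a different Subject identity, can be pulled out of the TRACE output mechanically. The following is an added example (Python; it is not the poster's code and not part of JBoss): it parses JaasSecurityManager lines of the shape quoted above from a constructed sample and reports every principal whose login module ran again within a configurable window, with the Subject id before and after. The message formats come from the excerpts; the sample lines and the 1800-second default window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the TRACE lines quoted above (not the poster's real log):
# two cache misses for one principal 66 s apart, each followed by a login-module run and a cache insert.
SAMPLE_LOG = """\
2007-02-08 14:58:03,121 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
2007-02-08 14:58:03,130 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin, principal=U174791
2007-02-08 14:58:03,300 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@7c7d85[Subject(18143033).principals=org.jboss.security.SimplePrincipal@22316052(U174791),expirationTime=1170961083121]
2007-02-08 14:59:09,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
2007-02-08 14:59:09,968 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin, principal=U174791
2007-02-08 14:59:10,048 TRACE [org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@31ac05[Subject(17676813).principals=org.jboss.security.SimplePrincipal@22316052(U174791),expirationTime=1170961148415]
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+) \[(.+?)\] (.*)$")
LOGIN_RE = re.compile(r"defaultLogin, principal=(\S+)$")
# Mailing-list archives munge '@' in identity hashes to ' at ', so accept both spellings.
INSERT_RE = re.compile(r"Inserted cache info: .*\[Subject\((\d+)\).*SimplePrincipal(?:@| at )\w+\(([^)]+)\)")

def parse_events(log_text):
    """Yield (timestamp, kind, principal, subject_id) for login-module runs and cache inserts."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines such as "Principal: Roles(...)" carry no event
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        login = LOGIN_RE.search(m.group(4))
        if login:
            yield ts, "login", login.group(1), None
            continue
        insert = INSERT_RE.search(m.group(4))
        if insert:
            yield ts, "insert", insert.group(2), insert.group(1)

def find_relogins(log_text, window_seconds=1800):
    """Return [(principal, seconds since previous login, previous Subject id, new Subject id), ...]
    for every login-module run repeated for the same principal within window_seconds."""
    runs = defaultdict(list)  # principal -> [[login_ts, subject_id_or_None], ...]
    for ts, kind, principal, subject in parse_events(log_text):
        if kind == "login":
            runs[principal].append([ts, None])
        elif runs[principal] and runs[principal][-1][1] is None:
            runs[principal][-1][1] = subject  # attach the cache insert to the open login run
    hits = []
    for principal, seq in runs.items():
        for (t0, s0), (t1, s1) in zip(seq, seq[1:]):
            if (t1 - t0).total_seconds() <= window_seconds:
                hits.append((principal, (t1 - t0).total_seconds(), s0, s1))
    return hits
```

Run over a full server.log, a non-empty result for a principal that already holds a valid web session is exactly the "repeated calls to LoginModule" the thread is about; the differing Subject ids confirm that each call created a new cache entry rather than reusing the existing one.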