[jboss-user] [JBoss Seam] - Seam security with JAAS config

pdpantages do-not-reply at jboss.com
Thu Mar 1 18:08:47 EST 2007


Hello Forum, 

seam 1.1.6.GA
jboss-4.0.5.GA
ajax4jsf-1.0.6
Facelets

I am trying out the new seam security.

I want to use the JAAS security as described in sec. 12.2.5.1 of the ref manual.

I would like to know if there is a working example anywhere I could look at.

What I have tried is:   

We have our own policy & I have set the jaas-config-name accordingly.
Note that I saw the bug report about the documentation and am using
"jaas-config-name" instead of "jaasConfigName".

In my components.xml I have the following:

  |    <security:identity jaas-config-name="centina"/>
  | 

My login action authenticates like so:

  | ....
  | identity.setUsername(j_username);
  | identity.setPassword(j_password);
  | log.debug( "LoginAction: Identity Login result " + identity.login() ) ;
  | ....
  | 

I removed the login-config and security-constraint tags from my web.xml.
My web.xml now contains no JAAS security stuff in it.

When I give it a try, I find that the initial authentication works, calling our 
authenticator as expected, & the identity.login() returns "success".

But the next call I make fails (see exception, below). This seems to
be due to the authentication principal not being saved anywhere? The stack trace
shows a re-authentication attempt.

I looked at the source for JBossSecurityMgrRealm etc., to see how
"they did it" and noticed the following is executed if the
authentication passes:  ( line 494 )

  |     ...
  |     SecurityAssociationActions.setPrincipalInfo(principal, certs, subject); 
  |     ...
  |  

The Seam Identity object does not do this (explicitly anyway) as far as
I can tell.

I tried to call SecurityAssociationActions.setPrincipalInfo() myself
after my authentication, in my login action, but can't do so as the
class is not public. I suppose that this really means I shouldn't try to
do it this way :)
 
I get the following failure. This exception is thrown because the
username passed in is null. The username is normally set by  
UsernamePasswordLoginModule.getUsernameAndPassword() via callback
functions.

Anyway, my exception is:

  | javax.security.auth.login.LoginException: No username specified
  |         at centina.sa.server.security.SecurityManagerLoginModule.createIdentity(SecurityManagerLoginModule.java:59)
  |         at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:194)
  |         at centina.sa.server.security.SecurityManagerLoginModule.login(SecurityManagerLoginModule.java:126)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  |         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  |         at java.lang.reflect.Method.invoke(Method.java:585)
  |         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  |         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  |         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  |         at java.security.AccessController.doPrivileged(Native Method)
  |         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  |         at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  |         at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
  |         at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
  |         at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
  |         at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:123)
  |         at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:66)
  |         at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:102)
  |         at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  |         at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
  |         at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  |         at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
  |         at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  |         at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:211)
  |         at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:79)
  |         at $Proxy1105.getUser(Unknown Source)
  |         .....
  | 

Here is the Thread.dumpStack() of the successful authentication by the Identity.login() method:

  | java.lang.Exception: Stack trace
  | 	at java.lang.Thread.dumpStack(Thread.java:1158)
  | 	at centina.sa.server.security.SecurityManager.completeLogin(SecurityManager.java:507)
  | 	at centina.sa.server.security.SecurityManagerLoginModule.commit(SecurityManagerLoginModule.java:180)
  | 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  | 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  | 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  | 	at java.lang.reflect.Method.invoke(Method.java:585)
  | 	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  | 	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  | 	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  | 	at java.security.AccessController.doPrivileged(Native Method)
  | 	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  | 	at javax.security.auth.login.LoginContext.login(LoginContext.java:580)
  | 	at org.jboss.seam.security.Identity.authenticate(Identity.java:206)
  | 	at org.jboss.seam.security.Identity.authenticate(Identity.java:199)
  | 	at org.jboss.seam.security.Identity.login(Identity.java:184)
  | 	at centina.sa.client.session.LoginAction.login(LoginAction.java:158)
  |         .....
  | 


Any ideas (esp. an example) would be much appreciated.

Thanks, PdP
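Added illustration (not code from the post or from Seam/JBoss) of the mechanism described above: the first JAAS login succeeds because the form's callback handler answers the NameCallback, while a second login driven only by a thread-bound principal store that nobody populated sees a null username. The ThreadLocal is a stand-in for JBoss's SecurityAssociation, DemoLoginModule is a simplified stand-in for UsernamePasswordLoginModule, and the "centina" policy is built programmatically instead of from login-config.xml.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import java.security.Principal;
import java.util.*;

public class SeamJaasDemo {
    // Stand-in (not JBoss's class) for the thread-bound SecurityAssociation the realm fills in.
    static final ThreadLocal<Principal> ASSOCIATION = new ThreadLocal<>();

    // Simplified stand-in for UsernamePasswordLoginModule: a null NameCallback answer fails first.
    public static class DemoLoginModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            try { handler.handle(new Callback[]{nc, new PasswordCallback("pass: ", false)}); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            if (nc.getName() == null) throw new LoginException("No username specified");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    // Programmatic equivalent of the "centina" application-policy in login-config.xml.
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[]{new AppConfigurationEntry(DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, String>())};
        }
    };

    // A callback handler that can only answer with the name it was given (possibly null).
    static CallbackHandler nameFrom(String name) {
        return cbs -> { for (Callback c : cbs) if (c instanceof NameCallback) ((NameCallback) c).setName(name); };
    }

    public static void main(String[] args) throws Exception {
        // 1. Seam-side login: the form supplies the username, so Identity.login() reports success.
        new LoginContext("centina", new Subject(), nameFrom("alice"), CONFIG).login();
        System.out.println("form login: success");
        // 2. Next EJB call: re-authentication reads the association, which nothing populated.
        Principal p = ASSOCIATION.get();
        try { new LoginContext("centina", new Subject(), nameFrom(p == null ? null : p.getName()), CONFIG).login(); }
        catch (LoginException e) { System.out.println("re-auth without association: " + e.getMessage()); }
        // 3. Once the principal is associated the way the realm does it, the re-auth succeeds.
        ASSOCIATION.set(() -> "alice");
        new LoginContext("centina", new Subject(), nameFrom(ASSOCIATION.get().getName()), CONFIG).login();
        System.out.println("re-auth with association: success");
    }
}
```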

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4024493#4024493
