[jboss-user] [Security & JAAS/JBoss] - JAAS Security conversion from WebSphereAS to JBossAS
plscstx
do-not-reply at jboss.com
Thu Feb 7 14:53:05 EST 2008
JBoss Team --
I am trying to convert an application using JAAS on WebSphere to be using JAAS on JBoss.
I have been reviewing the documentation about JBossSX, the JBoss Security Integration Guide and countless other documentation.
However, I feel like I am still missing some things.
1. The implementation in WebSphere contained a file named ibm-application-bnd.xmi that was located in the applicationEAR\META-INF folder.
An excerpt from that file follows. My first question is: is there some file like this that I need to define for the JBoss configuration?
<?xml version="1.0" encoding="UTF-8"?>
<applicationbnd:ApplicationBinding xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:applicationbnd="applicationbnd.xmi" xmi:id="ApplicationBinding_1103565947194">
  <authorizationTable xmi:id="AuthorizationTable_1103565947194">
    <authorizations xmi:id="RoleAssignment_1108662566127">
      <groups xmi:id="Group_1159457809140" name="App.Prod.~~~.BranchManager"/>
      <groups xmi:id="Group_1159457809141" name="App.Prod.~~~.BranchManager"/>
      <groups xmi:id="Group_1159457809142" name="App.Prod.~~~.BranchManager"/>
...
2. I have the JAAS connecting to the LDAP but I am having some problems with the LDAP properties.
Also, I still feel like I am missing something that tells the server how to match the LDAP groups to the role names specified in the web.xml.
So, with those questions asked here is my current setup:
the application's (located in the War's WEB-INF folder)
web.xml:
...
<security-constraint id="SecurityConstraint_1159792191999">
  <display-name>Region Managers Resources</display-name>
  <web-resource-collection id="WebResourceCollection_1159792191999">
    <web-resource-name>Region Managers Resources</web-resource-name>
    <url-pattern>/admin/regionMan/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint id="AuthConstraint_1159792191999">
    <role-name>BranchManager</role-name>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint id="SecurityConstraint_1159792192015">
  <web-resource-collection id="WebResourceCollection_1159792192015">
    <web-resource-name>Assign Assistants</web-resource-name>
    <url-pattern>/admin/assistants/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint id="AuthConstraint_1159792192031">
    <role-name>BranchManager</role-name>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint id="SecurityConstraint_1159792192031">
  <web-resource-collection id="WebResourceCollection_1159792192031">
    <web-resource-name>Admin Resources</web-resource-name>
    <url-pattern>/admin/reports/*</url-pattern>
    <url-pattern>/admin/regionAdmin/*</url-pattern>
    <url-pattern>/admin/siteAdmin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint id="AuthConstraint_1159792192032">
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config id="LoginConfig_1159792192046">
  <auth-method>FORM</auth-method>
  <form-login-config id="FormLoginConfig_1159792192046">
    <form-login-page>/redirectToLogin.jsp</form-login-page>
    <form-error-page>/redirectToErrorLogin.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role id="SecurityRole_1112738942726">
  <role-name>BranchManager</role-name>
</security-role>
<security-role id="SecurityRole_1112644368717">
  <role-name>Admin</role-name>
</security-role>
...
the application's (located in the War's WEB-INF folder)
jboss-web.xml =
<?xml version="1.0"?>
<jboss-web>
  <!-- All secured web content uses this security manager -->
  <security-domain>java:/jaas/myAppAdmin</security-domain>
</jboss-web>
the server's
login-config.xml =
<application-policy name="myAppAdmin">
  <!-- login-config.xml requires the login-module elements to be wrapped in <authentication> -->
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://server:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="java.naming.security.principal">username</module-option>
      <module-option name="java.naming.security.credentials">password</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="uidAttributeID">sAMAccountName</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
    </login-module>
  </authentication>
</application-policy>
Where I feel like I am still missing something is the fact that in WebSphere, we had to define an ibm-application-bnd.xmi file which looks like the snippet above. However, I am not sure where I would be putting this equivalent for the JBoss configuration.
When I run the application, I am currently getting the following LDAP error:
2008-02-07 10:47:44,407 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /contextRoot/j_security_check
2008-02-07 10:47:44,423 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authenticating username 'pcable'
2008-02-07 10:47:44,423 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Begin authenticate, username=pcable
2008-02-07 10:47:44,423 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.java.javaURLContextFactory, false)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.java.javaURLContextFactory)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.ENCFactory, false)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.ENCFactory)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory, false)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.Proxy, false)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.UndeclaredThrowableException, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.NoSuchMethodError, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.InvocationHandler, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(javax.naming.Name, false)
2008-02-07 10:47:44,454 TRACE [org.jboss.security.plugins.JaasSecurityManager] Constructing
2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManager.contextRoot] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@47cfb2
2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@94b150
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManager.contextRoot] CachePolicy set to: org.jboss.util.TimedCachePolicy@4fe90
2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@4fe90
2008-02-07 10:47:44,454 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added contextRoot, org.jboss.security.plugins.SecurityDomainContext@550344 to map
2008-02-07 10:47:44,454 TRACE [org.jboss.security.plugins.JaasSecurityManager.contextRoot] Begin isValid, principal:pcable, cache info: null
2008-02-07 10:47:44,454 TRACE [org.jboss.security.plugins.JaasSecurityManager.contextRoot] defaultLogin, principal=pcable
2008-02-07 10:47:44,454 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(contextRoot), size=9
2008-02-07 10:47:44,454 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(contextRoot), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=uidAttributeID, value=sAMAccountName
name=java.naming.security.authentication, value=simple
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=java.naming.security.credentials, value=password
name=matchOnUserDN, value=true
name=java.naming.provider.url, value=ldap://server:389
name=java.naming.security.principal, value=username
name=roleAttributeIsDN, value=false
name=roleAttributeID, value=memberOf
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.auth.spi.LdapLoginModule, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.auth.spi.LdapLoginModule)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@ad0bd6
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
2008-02-07 10:47:44,469 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@15024292
2008-02-07 10:47:44,469 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Security domain: contextRoot
2008-02-07 10:47:44,469 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402880701 sessioncount 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402880701 sessioncount 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402880701 sessioncount 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402880701 sessioncount 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:10,709 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1202402890709 sessioncount 0
2008-02-07 10:48:10,709 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:13,148 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=pcable, roleAttributeID=memberOf, matchOnUserDN=true, jboss.security.security_domain=contextRoot, java.naming.provider.url=ldap://server:389, roleAttributeIsDN=false, uidAttributeID=sAMAccountName, java.naming.security.authentication=simple, java.naming.security.credentials=***}
2008-02-07 10:48:13,148 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(com.sun.jndi.ldap.LdapCtxFactory, false)
2008-02-07 10:48:13,164 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad password for username=pcable
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2753)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
...
Yes, I do realize that the LDAP: error code 49 means that the username and/or password is incorrect.
I guess I am just wanting to validate my migration path so far and determine how the ibm-application-bnd.xmi information fits into the JBoss Security Setup.
Also, regarding login-config.xml: the JBoss Security FAQ shows <application-policy name="mydomain">. Does mydomain have to be the LDAP domain,
or is it just some name that I make up that has to be the same text put in the jboss-web.xml so that they match up?
Any ideas?
Thanks
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4127558#4127558
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4127558
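The two open questions in the post (whether the security-domain name has to match anything beyond the application-policy name, and how LDAP group values become the role names that web.xml's auth-constraints expect) can be checked offline. The following is an added example written for this page; it is not code from the original post or from JBoss. It parses constructed web.xml, jboss-web.xml and login-config.xml fragments modelled on the ones above, resolves `java:/jaas/X` to `<application-policy name="X">`, derives the role names the LdapLoginModule would place in the Roles group from constructed Active Directory memberOf values (AD returns DNs, so with `roleAttributeIsDN=false` the role name is the whole DN and will never equal `BranchManager`; the `true` branch reads the role name from the referenced entry, which the example approximates with the first RDN value rather than a second LDAP lookup), flags auth-constraints that enumerate `http-method` elements (only the listed verbs are constrained; the rest are uncovered), and maps the `data 525` sub-code of the posted LDAP error code 49 message to its documented AD meaning. Note that the trace above initialises the login module for security domain `contextRoot` while the posted jboss-web.xml names `myAppAdmin`; unless those names were anonymised differently, that is exactly the mismatch the first check reports.

```python
"""Offline lint for a JBoss 4.x JAAS web-security setup (added example, see lead-in)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on (not copied from) the post.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Assign Assistants</web-resource-name>
      <url-pattern>/admin/assistants/*</url-pattern>
      <http-method>GET</http-method><http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>BranchManager</role-name><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/myAppAdmin</security-domain></jboss-web>"
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="myAppAdmin">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""
# Constructed memberOf values in the form Active Directory returns them: DNs.
MEMBER_OF = ["CN=BranchManager,OU=Groups,DC=example,DC=com",
             "CN=Sales,OU=Groups,DC=example,DC=com"]
# Sub-codes AD appends as "data NNN" to an LDAP error code 49 (bind failure).
AD_ERROR_49_DATA = {"525": "user not found", "52e": "invalid credentials",
                    "530": "logon not permitted at this time", "532": "password expired",
                    "533": "account disabled", "701": "account expired",
                    "773": "user must reset password", "775": "account locked out"}

def domain_name(jboss_web_xml):
    """<security-domain>java:/jaas/X</security-domain> selects the
    <application-policy name="X"> in login-config.xml. X is an arbitrary
    label, not the LDAP domain; the two files only have to agree."""
    sd = ET.fromstring(jboss_web_xml).findtext("security-domain", "").strip()
    return sd[len("java:/jaas/"):] if sd.startswith("java:/jaas/") else sd

def login_module_options(login_config_xml, policy_name):
    """Module options of the named application-policy, or None if absent."""
    for policy in ET.fromstring(login_config_xml).iter("application-policy"):
        if policy.get("name") == policy_name:
            return {o.get("name"): (o.text or "").strip() for o in policy.iter("module-option")}
    return None

def roles_from_member_of(member_of, role_attribute_is_dn):
    """Role names the LDAP login module puts into the 'Roles' group.
    roleAttributeIsDN=false uses each raw attribute value as the role name;
    true treats the value as a DN and reads the name from the referenced
    entry, approximated offline here by the value of the first RDN."""
    if not role_attribute_is_dn:
        return set(member_of)
    return {re.match(r"[^=]+=([^,]+)", dn).group(1) for dn in member_of}

def lint(web_xml, jboss_web_xml, login_config_xml, member_of):
    """Return human-readable findings; an empty list means the files agree."""
    findings = []
    web = ET.fromstring(web_xml)
    constrained = {rn.text.strip() for ac in web.iter("auth-constraint") for rn in ac.iter("role-name")}
    declared = {rn.text.strip() for sr in web.iter("security-role") for rn in sr.iter("role-name")}
    for role in sorted(constrained - declared):
        findings.append(f"role '{role}' is used in an auth-constraint but not declared in security-role")
    # Listing http-method elements constrains only those verbs; any other verb
    # (HEAD, POST, DELETE, ...) reaches the url-pattern without authentication.
    for sc in web.iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            verbs = [m.text.strip() for m in wrc.iter("http-method")]
            if verbs and sc.find("auth-constraint") is not None:
                findings.append(f"'{wrc.findtext('web-resource-name')}' protects only {verbs}; other HTTP methods are uncovered")
    policy = domain_name(jboss_web_xml)
    opts = login_module_options(login_config_xml, policy)
    if opts is None:
        findings.append(f"jboss-web.xml names security domain '{policy}' but login-config.xml has no such application-policy")
        return findings
    is_dn = opts.get("roleAttributeIsDN", "false").lower() == "true"
    for role in sorted(constrained - roles_from_member_of(member_of, is_dn)):
        findings.append(f"role '{role}' can never be granted from {opts.get('roleAttributeID')} values with roleAttributeIsDN={str(is_dn).lower()}")
    return findings

def decode_ad_error(message):
    """Meaning of the 'data NNN' sub-code in an AD 'error code 49' message."""
    m = re.search(r"error code 49 .*?data ([0-9a-f]+)", message)
    return AD_ERROR_49_DATA.get(m.group(1), "unknown sub-code") if m else None

if __name__ == "__main__":
    print(*lint(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML, MEMBER_OF), sep="\n")
```

Run against the constructed inputs it reports four findings: `BranchManager` is constrained but not declared, the `Assign Assistants` constraint covers only GET and PUT, and with `roleAttributeIsDN=false` neither `Admin` nor `BranchManager` can ever be granted because the memberOf values are full DNs. Flipping the option to `true` leaves only the `Admin` finding, which is what the WebSphere binding file used to bridge and which in this basic JBoss setup has to be solved by making the LDAP group name (or the role attribute it resolves to) equal the web.xml role name. The posted `data 525` decodes to "user not found", distinct from `52e` (wrong password), which narrows the bind problem to the principal the module sends rather than the credential.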