[jboss-user] [Security & JAAS/JBoss] - Authentication in ejb container fails to use security domain

clin1 do-not-reply at jboss.com
Thu Jun 11 00:59:08 EDT 2009


We found this problem when moving from JBoss 4 to JBoss 5.0.1.

Here is the server.log:

2009-06-10 21:15:16,822 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) Creating SDC for domain=CLIENT_LOGIN_MODULE
2009-06-10 21:15:16,822 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.CLIENT_LOGIN_MODULE] (http-0.0.0.0-8080-1) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@1298c7d
2009-06-10 21:15:16,822 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.CLIENT_LOGIN_MODULE] (http-0.0.0.0-8080-1) CachePolicy set to: org.jboss.util.TimedCachePolicy@c677a7
2009-06-10 21:15:16,822 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) setCachePolicy, c=org.jboss.util.TimedCachePolicy@c677a7
2009-06-10 21:15:16,838 ERROR [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
	at org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)
	at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
	at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
	at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
	at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
	at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
	at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
	at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
	at org.jboss.security.javaee.EJBAuthenticationHelper.isValid(EJBAuthenticationHelper.java:87)
	at org.jboss.ejb.plugins.SecurityActions$13.run(SecurityActions.java:543)
	at org.jboss.ejb.plugins.SecurityActions$13.run(SecurityActions.java:540)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.jboss.ejb.plugins.SecurityActions.isValid(SecurityActions.java:539)
	at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:314)
	at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
	at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
	at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
	at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
	at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
	at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
	at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
	at org.jboss.ejb.Container.invoke(Container.java:1046)
	at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:362)
	at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:133)
	at $Proxy120.create(Unknown Source)
	at com.filenet.apiimpl.transport.ejb.EnginePortFactory.create(EnginePortFactory.java:36)
	at com.filenet.apiimpl.wsi.ServerHelperNst.getEnginePort(ServerHelperNst.java:90)
	at com.filenet.apiimpl.wsi.ServiceSessionNst$1.run(ServiceSessionNst.java:1050)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:396)
	at com.filenet.apiimpl.authentication.util.J2EEAuthnUtil.runAs(J2EEAuthnUtil.java:533)
	at com.filenet.apiimpl.authentication.util.J2EEAuthnUtilJB.runAs(J2EEAuthnUtilJB.java:280)
	at com.filenet.apiimpl.util.J2EEUtilJB.doAs(J2EEUtilJB.java:103)
	at com.filenet.apiimpl.wsi.ServiceSessionNst.makeServerInternalEJBCall(ServiceSessionNst.java:961)
	at com.filenet.apiimpl.wsi.ServiceSessionNst.incomingRequestToServer(ServiceSessionNst.java:917)
	at com.filenet.engine.wsi.ListenerNst.service(ListenerNst.java:101)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
	at java.lang.Thread.run(Thread.java:619)
2009-06-10 21:15:16,853 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (http-0.0.0.0-8080-1) Error in Security Interceptor
java.lang.SecurityException: Authentication exception, principal=CEAdmin
	at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:321)
	at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
	at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
	at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
	at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
	at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
	at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
	at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
	at org.jboss.ejb.Container.invoke(Container.java:1046)
	at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:362)
	at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:133)
	at $Proxy120.create(Unknown Source)
	at com.filenet.apiimpl.transport.ejb.EnginePortFactory.create(EnginePortFactory.java:36)
	at com.filenet.apiimpl.wsi.ServerHelperNst.getEnginePort(ServerHelperNst.java:90)
	at com.filenet.apiimpl.wsi.ServiceSessionNst$1.run(ServiceSessionNst.java:1050)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:396)
	at com.filenet.apiimpl.authentication.util.J2EEAuthnUtil.runAs(J2EEAuthnUtil.java:533)
	at com.filenet.apiimpl.authentication.util.J2EEAuthnUtilJB.runAs(J2EEAuthnUtilJB.java:280)
	at com.filenet.apiimpl.util.J2EEUtilJB.doAs(J2EEUtilJB.java:103)
	at com.filenet.apiimpl.wsi.ServiceSessionNst.makeServerInternalEJBCall(ServiceSessionNst.java:961)
	at com.filenet.apiimpl.wsi.ServiceSessionNst.incomingRequestToServer(ServiceSessionNst.java:917)
	at com.filenet.engine.wsi.ListenerNst.service(ListenerNst.java:101)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
	at java.lang.Thread.run(Thread.java:619)

The jboss.xml file in our server ejb's META-INF:

<?xml version="1.0"?>
<jboss>
    <enterprise-beans>
        <session>
            <ejb-name>Engine</ejb-name>
            <jndi-name>FileNet/Engine</jndi-name>
            <local-jndi-name>FileNet/Local/Engine</local-jndi-name>
        </session>
        <session>
            <ejb-name>EngineCore</ejb-name>
            <local-jndi-name>FileNet/Local/EngineCore</local-jndi-name>
        </session>
        <session>
            <ejb-name>EngineContent</ejb-name>
            <jndi-name>FileNet/EngineContent</jndi-name>
            <local-jndi-name>FileNet/Local/EngineContent</local-jndi-name>
        </session>
        <session>
            <ejb-name>EngineContentCore</ejb-name>
            <local-jndi-name>FileNet/Local/EngineContentCore</local-jndi-name>
        </session>
    </enterprise-beans>
    <container-configurations>
        <container-configuration>
            <container-name>Standard Stateless SessionBean</container-name>
            <security-domain>java:/jaas/FileNet</security-domain>
        </container-configuration>
    </container-configurations>
</jboss>


In JBoss 5.0.1, we found that the SecurityInterceptor correctly retrieved the security domain from jboss.xml.  However, when it is inside EJBAuthenticationHelper.isValid() the security domain is "CLIENT_LOGIN_MODULE".

Since there is no "CLIENT_LOGIN_MODULE" application-policy defined in our login-config.xml file, it falls back to "other" and executes the wrong login module - UsersRolesLoginModule.

Does anyone know why the security domain override via jboss.xml is not working in JBoss 5?
How do we get the ejb authentication to use "FileNet" as specified in the jboss.xml?

We tried adding <security-domain>java:/jaas/FileNet</security-domain> as a top level element in jboss.xml to no avail.

Does anyone experience the same issue when migrating from JBoss 4 to 5?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4236880#4236880

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4236880
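The fallback the post describes (a security domain with no matching application-policy silently resolving to "other") is easy to audit. The following is an added example, not code from the post or from JBoss: it loads a constructed login-config.xml that, like the poster's, defines only "FileNet" and "other", resolves domain names the way JAAS does (strip the java:/jaas/ prefix, fall back to "other" when the name is absent) and reports every domain that would end up in the wrong login module. The module class example.FileNetLoginModule is a hypothetical placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample login-config.xml mirroring the post: a "FileNet" policy and the
# "other" catch-all, but no "CLIENT_LOGIN_MODULE" policy. The real file in JBoss 5
# carries a namespace, which local() below tolerates.
LOGIN_CONFIG = """<policy>
  <application-policy name="FileNet">
    <authentication>
      <login-module code="example.FileNetLoginModule" flag="required"/>
    </authentication>
  </application-policy>
  <application-policy name="other">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>"""

JAAS_PREFIX = "java:/jaas/"


def local(tag):
    """Strip an XML namespace from an element tag ('{urn:x}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def load_policies(xml_text):
    """Map each application-policy name to its ordered list of login-module classes."""
    root = ET.fromstring(xml_text)
    policies = {}
    for policy in root.iter():
        if local(policy.tag) == "application-policy":
            policies[policy.get("name")] = [m.get("code") for m in policy.iter()
                                            if local(m.tag) == "login-module"]
    return policies


def resolve(policies, domain):
    """Return (policy name actually used, its login modules) for a security domain.

    JAAS looks up the bare name; when no entry exists it uses the "other" entry,
    which is exactly how CLIENT_LOGIN_MODULE reached UsersRolesLoginModule in the post.
    """
    name = domain[len(JAAS_PREFIX):] if domain.startswith(JAAS_PREFIX) else domain
    if name in policies:
        return name, policies[name]
    return "other", policies.get("other", [])


def audit(policies, domains):
    """List the domains that silently fall through to "other" instead of their own policy."""
    return [d for d in domains if d != "other" and resolve(policies, d)[0] == "other"]
```

Running audit() over every security-domain value found in jboss.xml and in the server log (here "java:/jaas/FileNet" and "CLIENT_LOGIN_MODULE") flags the second as resolving to "other".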
