[jbosstools-issues] [JBoss JIRA] Commented: (JBIDE-4421) jmx-invoker-service.xml server for DatabaseModuleLogin credentials not "accepted"

Rob Stryker (JIRA) jira-events at lists.jboss.org
Wed Jun 24 02:56:56 EDT 2009


    [ https://jira.jboss.org/jira/browse/JBIDE-4421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12473546#action_12473546 ] 

Rob Stryker commented on JBIDE-4421:
------------------------------------

The code I'm executing to verify login credentials is accessing the JMX RMI adapter, NOT the JMX console. So anything you're doing to secure the JMX Console is (I believe) irrelevant. 

The code used to do this is as follows:

			// get our methods
			Class simplePrincipal = Thread.currentThread()
					.getContextClassLoader().loadClass(
							IJBossServerConstants.CLASS_SIMPLE_PRINCIPAL);
			Class securityAssoc = Thread.currentThread()
					.getContextClassLoader().loadClass(
							IJBossServerConstants.CLASS_SECURITY_ASSOCIATION);
			securityAssoc.getMethods(); // force-init the methods since the
			// class hasn't been initialized yet.

			Constructor newSimplePrincipal = simplePrincipal
					.getConstructor(new Class[] { String.class });
			Object newPrincipalInstance = newSimplePrincipal
					.newInstance(new Object[] { principal });

			// set the principal
			Method setPrincipalMethod = securityAssoc.getMethod(
					IJBossServerConstants.METHOD_SET_PRINCIPAL,
					new Class[] { Principal.class });
			setPrincipalMethod.invoke(null,
					new Object[] { newPrincipalInstance });

			// set the credential
			Method setCredentialMethod = securityAssoc.getMethod(
					IJBossServerConstants.METHOD_SET_CREDENTIAL, 
					new Class[] { Object.class });
			setCredentialMethod.invoke(null, new Object[] { credential });

		// JNDI environment for the lookup against the server's naming port
		Properties props = new Properties();
		int port = jbs.getJNDIPort();
		props.put(IJBossServerConstants.NAMING_FACTORY_KEY,
					IJBossServerConstants.NAMING_FACTORY_VALUE);
		props.put(IJBossServerConstants.NAMING_FACTORY_PKGS,
				IJBossServerConstants.NAMING_FACTORY_INTERFACES);
		props.put(IJBossServerConstants.NAMING_FACTORY_PROVIDER_URL, 
					"jnp://" + jbs.getHost() + ":" + port); //$NON-NLS-1$ //$NON-NLS-2$
		props.put(IJBossServerConstants.JNP_DISABLE_DISCOVERY, new Boolean(true).booleanValue());

			// look up the RMI adaptor with the properties built above
			ic = new InitialContext(props);
			Object obj = ic.lookup("jmx/invoker/RMIAdaptor");
			ic.close();


Clearly I'm not doing anything weird or unusual... I'm loading via reflection the principal and SecurityAssociation classes, setting the username and password, and then passing it to the RMI Adapter. If the RMI Adapter is not accepting it, I find it very difficult to believe this would be the fault of the tooling. 


> jmx-invoker-service.xml server for DatabaseModuleLogin credentials not "accepted"
> ---------------------------------------------------------------------------------
>
>                 Key: JBIDE-4421
>                 URL: https://jira.jboss.org/jira/browse/JBIDE-4421
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: JBossAS
>    Affects Versions: 3.0.0.GA
>            Reporter: Stelios Koussouris
>            Assignee: Rob Stryker
>            Priority: Minor
>             Fix For: 3.1.0.M3
>
>
> Setup the following authentication policy
>   <application-policy name="CLSIS-Security">
>     <authentication>
>       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
>          <module-option name="unauthenticatedIdentity">guest</module-option>
>          <module-option name="dsJndiName">java:/DefaultDS</module-option>
>          <!--module-option name="hashAlgorithm">MD5</module-option>
>          <module-option name="hashEncoding">base64</module-option>
>          <module-option name="principalsQuery">SELECT USER_PWD FROM WEB_USERS WHERE USER_ID=?</module-option>
>          <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM WEB_ROLES WHERE USER_ID=?</module-option-->
>              <module-option name = "principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
>              <module-option name = "rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
>       </login-module>
>     </authentication>
>   </application-policy>
> and for jmx-console.war set the jaas policy in jboss-web.xml
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss-web>
>     <resource-ref>
>         <res-ref-name>jdbc/DefaultDS</res-ref-name>
>         <res-type>javax.sql.DataSource</res-type>
>         <jndi-name>java:/DefaultDS</jndi-name>
>     </resource-ref>
>     <security-domain>java:/jaas/CLSIS-Security</security-domain>
> </jboss-web>
> finally setting the web-app with role "john" and user/pass guest/guest
> OPTION A: left deploy/jmx-invoker-service.xml  unchanged with default policy "jmx-console" 
> Back in JBDS, 
> Open Server  View
> Right click on server --> Open
> In Overview set the Server Credentials to admin/admin
> Start the server and all is well
> OPTION B: left deploy/jmx-invoker-service.xml  change the policy to "CLSIS-Security"
> Back in JBDS, 
> Open Server  View
> Right click on server --> Open
> In Overview set the Server Credentials to admin/admin
> Start the server pop-up comes up asking for the correct credentials enter guest/guest and all is well
> OPTION B1: all as in OPTION B but
> In Overview set the Server Credentials to guest/guest 
> Start the server and expect that since the correct credentials for the DB policy held in deploy/jmx-invoker-service.xml are given no pop-up will appear BUT
> pop-up appears pre-populated with guest/guest I enter guest/guest and it keeps popping up (why?) if I choose "ignore" it does so server starts and JMX-CONSOLE is available via http://localhost:8080/jmx-console but JBDS is showing in Server View next to the server "Starting .... Synchronized"
> then after 450 secs the JBDS throws an error popup and the server stops (why?)

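For orientation, the setting that OPTION A and OPTION B toggle, shown as an added illustration that is not part of the issue text or of the JBoss Tools code. It assumes the stock layout of deploy/jmx-invoker-service.xml, in which the invoker MBean's `invoke` operation carries an AuthenticationInterceptor; check the fragment against the file shipped with your server version.

```xml
<!-- deploy/jmx-invoker-service.xml, inside the "invoke" operation of the
     invoker MBean (assumed stock layout; surrounding elements omitted) -->
<descriptors>
   <interceptors>
      <!-- OPTION A: default policy. Credentials that arrive through
           jmx/invoker/RMIAdaptor are checked against the "jmx-console"
           application-policy.
      <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                   securityDomain="java:/jaas/jmx-console"/>
      -->

      <!-- OPTION B: the same interceptor pointed at the reporter's policy,
           so the principal and credential set on SecurityAssociation by the
           client are validated by the DatabaseServerLoginModule configured
           under "CLSIS-Security". -->
      <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                   securityDomain="java:/jaas/CLSIS-Security"/>

      <!-- Interceptor that deals with non-serializable results -->
      <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
                   policyClass="StripModelMBeanInfoPolicy"/>
   </interceptors>
</descriptors>
```

The `<security-domain>` in jmx-console.war's jboss-web.xml protects only the web console; the RMI adaptor path used by the tooling is governed by the `securityDomain` attribute above, so the two can point at different policies.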