Authentication on JBoss

Similar Messages

• Form-based authentication in JBoss using a database and JAAS

  I am trying to set up simple authentication using a database. I am initially trying to secure all web resources, since my application accesses the EJBs via servlets (and is working fine without security). Later I will tighten things down so that the EJB's business methods will also have security in place.
  It seems that everything is in place but I am unable to authenticate a user when I use a valid login/password combination (I am being redirected to the login error page). No exceptions appear in the JBoss console, and the database tables are populated with proper values. I'm clueless as to why this isn't working -- hopefully someone reading this can give me a clue as to what is going wrong.
  Here is what I have done so far:
  1) I have two tables in my database, one for the username and password, and another for roles. The database tables look like this:
  table name: principals
  column: principal_id VARCHAR(64) primary key
  column: password VARCHAR(64)
  table name: roles
  column: principal_id VARCHAR(64)
  column: user_role VARCHAR(64)
  column: role_group VARCHAR(64)
  2) I have added an entry in $JBOSS/server/default/conf/login-config.xml to declare an application policy which uses a DatabaseServerLoginModule. In this entry I have specified the SQl to be used by the module for selecting the password and role, following the example in the JBoss Getting Started Guide (p. 57):
      <!-- added for HIM Server security -->
      <application-policy name="HIM-client-login">
          <authentication>
              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                            flag="required">
                  <module-option name="dsJndiName">java:/OracleDS</module-option>
                  <module-option name="principalsQuery">select password from principals where principal_id=?</module-option>
                  <module-option name="principalsQuery">select user_role, role_group from roles where principal_id=?</module-option>
              </login-module>
          </authentication>
      </application-policy>
       ...3) I have added a security domain entry in the jboss-web.xml file:
      <!-- All secure web resources will use this security domain -->
      <security-domain>java:/jaas/HIM-client-login</security-domain>
      ... 4) I have declared a security constraint in the web.xml file:
      <!-- security configuration -->
      <security-constraint>
          <display-name>Server Configuration Security Constraint</display-name>
          <!-- the collection of resources to which the sucurity constraint applies -->
          <web-resource-collection>
              <web-resource-name>Secure Resources</web-resource-name>
              <description>Security constraint for all resources</description>
              <!-- the pattern that this constraint applies to -->
              <url-pattern>/*</url-pattern>
              <!-- the HTTP methods that this constraint applies to -->
              <http-method>POST</http-method>
              <http-method>GET</http-method>
          </web-resource-collection>
          <!-- the user roles that should be permitted access to this resource collection -->
          <auth-constraint>
              <description>Only allow those users that are in the following role</description>
              <role-name>user</role-name>
          </auth-constraint>
          <!-- declare a transport guarantee, if any -->
          <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
      </security-constraint>
      ... 5) I have a simple login form (LoginForm.jsp) which encodes j_security_check:
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  <html>
      <head>
          <title>HIM Client Login</title>
      </head>
      <body>
          <form method="POST"
                action='<%= response.encodeURL( "j_security_check" ) %>'>
              Username: <input type="text"
                               name="j_username"><br/>
              Password: <input type="password"
                               name="j_password"><br/>
              <br/>
              <input type="submit"
                     value="Login">
              <input type="reset"
                     value="Reset">
          </form>
      </body>
  </html>
      Can anyone see from the above that I have missed something, or that I have done something wrong ?
  Is there a way to get more information ? All I see in the access log file are logs of the requests for the servlet, j_security_check, and the login and error pages, and it might be helpful to have a little more information as to what is going on.
  Thanks in advance for any insight.
  -James

  Hi,
  I have exactly followed your configurations. However, I dont have the same database tables in my database. I used the following:
  <module-option name="principalsQuery">select password from s_users where username=?</module-option>
  <module-option name="rolesQuery">select role from s_users where username=?</module-option>However, when I try to logon I get the following error message from jboss:
  "ERROR [org.jboss.security.auth.spi.UsersRolesLoginModule] Failed to load users/passwords/role files
  java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found" although I do not want to use property files as I want to use the oracle database.
  Any help appreciated!

• Big problem :anything is accepted by form-based authentication on Jboss

  Hi there
  I'm new to form-based authentication. I've been stuck on this problem for one and a half day. I set up the form-based authentication(with JDBC realm) on JBoss 3.2/Tomcat 5.0. When I visit the protected area, it did ask me for password. But it accepts whatever I input and forwards the desired page, even when I input nothing and just click on submit, it allows me to go through. No error message at all. I am in desperate need for help.
  Here is my configuration. The web.xml is like this
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
  <display-name>LoginTest</display-name>
  <security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
  <web-resource-name>Protected Area</web-resource-name>
  <url-pattern>/*</url-pattern>
  <http-method>DELETE</http-method>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <!-- Default login configuration uses form-based authentication -->
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/login.jsp</form-login-page>
  <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <description>Manager security role</description>
  <role-name>manager</role-name>
  </security-role>
  </web-app>
  I also add the following JDBC realm definition into the server.xml which is under jboss/server/default/deploy/jbossweb-tomcat50.sar
  <Realm
  className="org.apache.catalina.realm.JDBCRealm" debug="1"
  driverName="org.gjt.mm.mysql.Driver"
  connectionURL="jdbc:mysql://myipdadress:3306/field_bak"
  connectionName="plankton"
  connectionPassword="plankton"
  userTable="users"
  userNameCol="user_name"
  userCredCol="user_pass"
  userRoleTable="user_roles"
  roleNameCol="role_name"
  />
  The JDBC realm is enclosed by the <engine> element. I checked the server log file, when the jboss server is started, it does load the mysql driver correctly and connect to mysql database fine. If I changed the IP of the mysql server to a non-existing one, then when I start jboss server, the server boot process will complain about connection to mysql faiure.
  I guess maybe the server doesn't do the authentication by connecting to mysql and verify it when I submit the log in form. It seems the JDBC realm authentication is bypassed. I notice that even I get rid of the JDBC realm definition from the server.xml file, and test the web application. It behaves exactly the same way. It asks me for password but anything will go through even nothing.
  Can anybody help me about this? I'm really stuck on this.
  Thanks a lot!

  By the way, I did create database"field_bak" and the tables for the JDBC realm verification.
  I also created the users and the roles.
  But it seems like Tomcat container doesn't do the JDBC realm authentication.

• Problem with JAAS authentication using jboss client

  I'm trying to make a little compiled application works. It has two parts: a little client(one class) and a server part which runs on a jboss server, and comunicates between them using JAAS + SSL. It works perfectly alone if I run it in a java project, without the messing sap JAAS implementation.
  I followed all the steps in:
  https://websmp101.sap-ag.de/~sapidb/011000358700003517632004E.PDF
  and managed to apply the configuration into the security service of WAS, using <b>jboss-client.jar</b> as the library with the login module, and <b>org.jboss.security.ClientLoginModule</b> as the login module.
  I included the client class into a web service developed for my WAS, packing the class and its library plus jboss-client.jar into my EAR.
  But when it tries to do the authentication, sometimes it uses:
  <b>org.jboss.security.ClientLoginModule</b> (that's the correct class) but throws a "<b>User is locked</b>" exception.
  Have I need to create the user who I use to connect to jboss in my WAS UME ? This has no much sense. Anyway doesn't work either, and the user is not locked.
  Other times (withouth changing anything) it uses:
  <b>com.sap.engine.system.SystemLoginModule</b> and throws this exception:
  <b>com.sap.engine.services.security.exceptions.BaseLoginException</b>: Call logout before login
  I have nightmares trying to integrate things which works in every application server but WAS. Why couldn't they simply follow the standard!?
  I'm thinking in installing a tomcat with the client, and use axis to wrap it with a web service I can consume from my WAS. Not very elegant solution.
  I think it maybe has something to do with specific callback classes from sap implementation.
  Any idea? I can't go forward.

  Did you resolve this problem? Please let me know. I have the same issue now and don;t know what I should be doing next

• Configuring basic authentication in Jboss - java.lang.SecurityException

  Hi All,
  I am a jboss newbie and need to a simple username/password challenge to pop up when someone accesses my web app deployed on jboss. I was looking at UsersRolesLoginModule. I am using jboss-3.2.3 with jetty-4.2.14.
  All I did was the following 3 things.
  1) server/MyServer/conf/login-conf.xml
  Code:
  <?xml version='1.0'?>
  <!DOCTYPE policy PUBLIC
  "-//JBoss//DTD JBOSS Security Config 3.0//EN"
  "http://www.jboss.org/j2ee/dtd/security_config.dtd">
  <policy>
  <application-policy name = "myUsersRolesModule">
  <authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  flag = "true" >
  <module-option name="hashAlgorithm">MD5</module-option>
  </login-module>
  </authentication>
  </application-policy>
  </policy>
  2) Create a users.properties file in the conf folder with the following entry.
  anand=kasi.
  3) Create a roles.properties file in the conf folder with the following entry
  anand=admin
  When Jboss starts up, I get the following exception.
  22:15:35,255 ERROR [PersistenceManager] Starting failed
  java.lang.SecurityException: Invalid authentication attempt, principal=null
  at org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubjec
  t(BaseConnectionManager2.java:647)
  at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateC
  onnection(BaseConnectionManager2.java:476)
  Where do I set the principal. Is that the same as username????
  What am I not doing or doing wrong?? Any suggestions/pointers are highly appreciated. Any alternate solutions?? The simpler the better.
  Regards.
  Andy.

  You missing a option
  <module-option name="unauthenticatedIdentity">Anonymous</module-option>
  .

• Session expired message in form based authentication

  Hi, i m using JAAS form based authentication on jboss for our application and we want session expired message to show in the login form when it loads for authentication after session expired.
  do any one have any idea how to achive this as the application will never be able to detect that the session expired as it will always have a valid session available becoz ,When an HTTP session expires and the client makes a request to any secured resource, the JAAS subject will not be found for authorization. At this point, the security framework creates a new HTTP session, stores the target URL value in the session, and then redirects the user to the login page. After a successful login process, the user is forwarded back to the target page,
  but our Web applications may need to capture these session expiration events and show some custom message to the user.
  HTTP session listener doesn't work here as HTTP session listener does not allow you to create a new session.
  Thanks in advance

  ObSSOCookie does have session time data. Access Manager SDK can parse the cookie and can access it's own settings for max and idle session time.
  Trick is, once the user is logged out, the cookie is destroyed. I suspect there is no real practical way to do this.
  I have pondered the idea that you could use AJAX to communicate with a service that uses the SDK to return data about current session state - "You have 40 seconds left to get your form filled out, buddy! 39, 38, 37..."
  Oh to have that much free time... ;)
  Mark

• Custom SPNEGO Authenticator

  I'm working on developing a custom spnego authenticator to JBoss. I saw a client example in Advanced JGSS Security Programming. But I haven't found if it's possible to develop a program that accepts a browser's token spnego in the server side. Is it possible in Java 6?
  Thanks a lot!!

  http://dev2dev.bea.com/utilitiestools/security.html

• Bind authenticated Subject to container

  In a web application I use JAAS to authenticate users of the web application. When the authentication is successful, I retrieve the authenticated Subject from my LoginContext using the getSubject() method. As a result of the successful authentication, one or more Principal objects will be associated with this Subject.
  Here is the point: After the user has been authenticated, I want to use the isUserInRole() method to check whether the user possesses certain roles (i.e. Principal objects). However, in order to do so, the container which runs the web application (JBoss 4) must know about the authenticated Subject. In other words: Before I can use the isUserInRole() method, I must somehow bind the authenticated Subject to the container. Is there a way in which this can be accomplished?
  Note: I do not want to use container managed security by enabling FORM authentication in web.xml because this has as disadvantage that I lose the control over the authentication process (JBoss wil then under the hood instantiate a LoginContext object and there is no way, as far as I know, to obtain a reference to this LoginContext).
  Thanks for any help.
  Ronald

  We have a howto for custom login modules here:
  http://www.oracle.com/technology/tech/java/oc4j/1013/how_to/howtocustomjaasprovider/doc/howtocustomjaasprovider.html
  As far as adding a third field, I think this would be managed in a login module's callback handler. This is from our docs:
  A callback handler is a javax.security.auth.callback.CallbackHandler
  instance that allows a login module to interact with a user to obtain login information.
  The only method specified by CallbackHandler is the handle(Callback[])
  method, which takes an array of callbacks, which are instances of a class that
  implements the java.security.auth.callback.Callback interface. Callbacks
  do not retrieve or display requested information from the underlying security service,
  but simply provide the functionality to pass the requests to an application and, as
  applicable, to return the requested information back to the security service.
  Callback implementations in the javax.security.auth.callback package include: a
  name callback handler (NameCallback) to handle a user name, a password callback handler (PasswordCallback) to handle a password, and a text input callback
  handler (TextInputCallback) to handle any field in a login form other than a user
  name or password field.
  If authentication succeeds, then the authenticated subject can be retrieved by invoking
  the getSubject() method of the LoginContext instance.
  Different login modules can be configured with different applications, and a single
  application can use multiple login modules. The JAAS framework defines a two-phase
  authentication process to coordinate the login modules configured for an application.
  You would probably follow these steps:
  1. Create a LoginContext
  2. Pass the CallbackHandlers to the LoginContext for gathering/processing authentication data
  3. Then authenticate by calling the LoginContext's login() method
  I think you can google examples of the TextInputHandler callback

• Achieving Security in J2EE

  Hi,
  I am not sure if a similar request has been posted on this site before. I have found plethora of information on the internet and have tried out many many things but in vain. I would appreciate if somebody ....anybody can provide some clarity on this.
  The client is a Non-browser based supports HTTP1.1 - an applications uses HTTP Client API to send HTTP requests. It doesnt have the feature of a pop-up window in its UI for any HTTP authentication that happens in an traditional browser to access an URL. It sends XML requests in its output streams to the servlets running in JBoss 4.0.1 server. Is it possible to have a connection established to HTTP1.1 Server with authentication & use this same connection for multiple requests untill the completion of the entire transactions of the application?
  The objective now is to provide authentication for the client which can send user name and password to the URL as an XML and also to keep track on the session for the user untill the end of the transactions.
  Many webpages mention about configuring the deployment descriptors namely web.xml , jboss-web.xml. I have tried creating the users.properties and roles.properties files and have religiously followed eveyrthing mentioned but in vain.
  Then, the approach of wirting the CustomLoginModule. I am not sure where these CustomLogin Modules should be placed. Are they servlets? I am not making use of LDAP to store any username/password ifnromation.
  Probably, my understanding about the way end-to-end system works is not clear.
  Given this scenario, can someone help me to obtain the desired authentication in Jboss webserver for the users? Presently, i have implemented application level authetication which is not to be considered as final & the requirement is to implement a secured way of authentication.
  Thanks in advance for your help.
  Regards

  If the server runs a dedicated application for this purpose, then it is okay to handle the authentication at the application level.
  I once wrote a "robot" to monitor a WEB application ment for browsers. It first "pulled" the login page's submit URL with the login parameters, searched the session information in the headers of the reply and provided them again with every following interaction. Thus a cookie-based interactive session was simulated by the robot.

• JBossWS 3 and authentification problem

  I downloaded and successfully installed jbossws-cxf-3.0.2.GA on my jboss 4.2.2.
  I am trying to do a simple authentification via a web service, exactly the way it is described in the following example [http://jbws.dyndns.org/mediawiki/index.php?title=Authentication|http://jbws.dyndns.org/mediawiki/index.php?title=Authentication]
  My jboss login-config is configured as in the example, I haven't changed anything.
  And here is my stack trace when I try to invoke web service method from my client.
  18:31:54,697 INFO  [ReflectionServiceFactoryBean] Creating Service {http://www.azry.com/WSProject}SecureService from WSDL: http://127.0.0.1:8080/WSProject/SecureService?wsdl
  18:31:54,728 INFO  [LoggingOutInterceptor] Outbound Message
  Encoding: UTF-8
  Headers: {Authorization=[Basic ZmVyZndlOmZ3ZWZ3ZWY=], SOAPAction=[""], Accept=[*]}
  Messages:
  Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:squareNumber xmlns:ns2="http://www.azry.com/WSProject"><a>8</a></ns2:squareNumber></soap:Body></soap:Envelope>
  18:31:54,759 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
  java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
       at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
       at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
       at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
       at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
       at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
       at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
       at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
       at java.lang.Thread.run(Thread.java:595)
  18:31:54,759 INFO  [PhaseInterceptorChain] Interceptor has thrown exception, unwinding now
  org.apache.cxf.interceptor.Fault: Could not send Message.
       at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
       at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:177)
       at $Proxy123.squareNumber(Unknown Source)
       at com.azry.WSClient.SecureServiceConsumer.service(Unknown Source)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
       at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
       at java.lang.Thread.run(Thread.java:595)
  Caused by: java.net.HttpRetryException: cannot retry due to server authentication, in streaming mode
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1008)
       at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:367)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1896)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1824)
       at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
       at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:159)
       at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
       at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:583)
       at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
       ... 26 moreHave anyone got this exception?

  I found my mistake, I was importing different annotation instead of importing org.jboss.annotation.security.SecurityDomain I imported something else. So when jboss can't find security domain, he uses "other" security domain that by itself uses the files that are in the exception, so that was the problem :).

• Authentication problem on JBOSS. Need help!

  I use jboss 3.0.3.
  My "auth.conf" file is:
  simple {
  org.jboss.security.ClientLoginModule required
       password-stacking="useFirstPass"
  Application policy in "login-config.xml" is
  <application-policy name="admin">
  <authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
  <module-option name="unauthenticatedIdentity">guest</module-option>
  </login-module>
  </authentication>
  </application-policy>
  My "jboss.xml" is :
  <jboss>
  <enterprise-beans>
  <entity>
  <ejb-name>Sec1</ejb-name>
  <jndi-name>Sec1Remote</jndi-name>
  </entity>
  </enterprise-beans>
  <security-domain>java:/jaas/admin</security-domain>
  </jboss>
  File "users.properties" is :
  alexander=aaa
  File "roles.properties" is :
  alexander=admin
  Client code is :
  Properties properties = new Properties();
  properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
  properties.put(Context.PROVIDER_URL, "localhost:1099");//app server url
  properties.put(Context.SECURITY_PRINCIPAL, "admin");
  properties.put(Context.SECURITY_CREDENTIALS, "aaa");
  InitialContext ctx = new InitialContext(properties);
  Object ref = ctx.lookup("Sec1Remote");
  Sec1RemoteHome sec1RemoteHome = (Sec1RemoteHome) PortableRemoteObject.narrow(ref, Sec1RemoteHome.class);
  Sec1Remote sec1Remote = sec1RemoteHome.findByPrimaryKey("1");
  System.out.println(sec1Remote.getName());
  My "ejb-jar.xml" is:
  <ejb-jar>
  <enterprise-beans>
  <entity>
  <display-name>sec1</display-name>
  <ejb-name>Sec1</ejb-name>
  <home>untitled2.Sec1RemoteHome</home>
  <remote>untitled2.Sec1Remote</remote>
  <ejb-class>untitled2.Sec1Bean</ejb-class>
  <persistence-type>Bean</persistence-type>
  <prim-key-class>java.lang.String</prim-key-class>
  <reentrant>False</reentrant>
  <abstract-schema-name>Enterprise1</abstract-schema-name>
  <env-entry>
  <description />
  <env-entry-name>eee</env-entry-name>
  <env-entry-type>java.lang.String</env-entry-type>
  <env-entry-value>rrr</env-entry-value>
  </env-entry>
  <security-role-ref>
  <description />
  <role-name>admin</role-name>
  <role-link>admin</role-link>
  </security-role-ref>
  <security-identity>
  <description>aaa</description>
  <use-caller-identity />
  </security-identity>
  </entity>
  </enterprise-beans>
  <assembly-descriptor>
  <security-role>
  <description>admin</description>
  <role-name>admin</role-name>
  </security-role>
  <security-role>
  <description>System Manager</description>
  <role-name>manager</role-name>
  </security-role>
  <method-permission>
  <role-name>admin</role-name>
  <method>
  <description />
  <ejb-name>Sec1</ejb-name>
  <method-intf>Remote</method-intf>
  <method-name>getName</method-name>
  <method-params />
  </method>
  </method-permission>
  <method-permission>
  <unchecked />
  <method>
  <description />
  <ejb-name>Sec1</ejb-name>
  <method-intf>Home</method-intf>
  <method-name>findByPrimaryKey</method-name>
  <method-params>
  <method-param>java.lang.String</method-param>
  </method-params>
  </method>
  </method-permission>
  <container-transaction>
  <method>
  <ejb-name>Sec1</ejb-name>
  <method-name>*</method-name>
  </method>
  <trans-attribute>Required</trans-attribute>
  </container-transaction>
  </assembly-descriptor>
  </ejb-jar>
  When I try to run client's program, an error appeares:
  java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
       java.rmi.ServerException: EJBException:; nested exception is:
       javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
       Insufficient method permissions, principal=null, method=getName, interface=REMOTE, requiredRoles=[admin], principalRoles=[]
  I have no ideas, why it appeares? What's wrong?
  Help me, please... :(

  easy... your principal should be alexander, not admin

• JBoss 7 and BlazeDS Authentication

  Hi,
  Has anybody tried to set up Database authentication and BlazeDS though JBoss 7?
  I've performed steps I previously used with other versions but still getting the usual error;
  'There was an unhandled failure on the server. flex/messaging/security/TomcatLoginHolder'
  The truth is I feel like I'm stubbling around in the dark because JBoss 7 is so different to previous versions.
  Any help would be appreciated

  I found the answer for this;
  The trouble I was having was setting the tomcat valve in JBoss 7. Previously this was done in tomcat configuration files and is documented in BlazeDS docs.
  Now the configuration is achieved by;
  1) putting flex-tomcat-common.jar and flex-tomcat-server.jar in the WEB-INF/lib folder of your blazeds war and in the same war
  2) in your jboss-web.xml under WEB-INF the following content
  <jboss-web>
    <security-domain>yourSecurityDomain</security-domain>
    <valve>
          <class-name>flex.messaging.security.TomcatValve</class-name>
      </valve>
  </jboss-web>
  The blazeds configuration remains the same.

• JBoss authentication problem

  Hi all
  i am using jboss - UsernamepasswordLoginModule for username and password authentication. I want to know the way to restrict users after 3 bad logins.
  if user uses wrong password for three times successively then something should happen like he should not be able to login for next 30 minutes.
  It can be done in weblogic, but how to do it in jboss?
  thanx in advance.

  thanx but its not specified thereDid you read this part?:
  How do I configure security with JBoss ?
  JBoss uses JAAS for security. JBoss includes several JAAS login modules allowing applications to get their user info from LDAP servers, databases or property files (the last to simplify testing). There are also login modules for clients, so that they can send security information to the JBoss server. Note that an application that logs into JBoss must use JAAS to give user name and password. It is not possible to use the JNDI lookup information for that in JBoss. How to configure this is shown in chapter 8 of the free getting started guide.
  Did you check the "getting started guide"?
  Did you familiarize yourself with JAAS?
  Did you implement/configure a login module?
  Did you have a specific problem with the login module (errors, etc.)?
  Did you post this question at the JBoss Forum?
  Did you get an answer?
  Did you try anything at all about which you can post the details?
  Are you getting my point?

• Migration: Jboss 5.1 OpenLdap Authentication to WebLogic 10.3.3

  Hi,
  We are currently working on Migration project where we are trying to Migrate from Jboss 5.1 to WebLogic 10.3. In JBoss we had configured Realm as below in server.xml file:
  <Realm className="org.apache.catalina.realm.JNDIRealm"
  debug="99"
  connectionName="cn=Manager,dc=mycompany,dc=com"
  connectionPassword="XXXXXXX"
  connectionURL="ldap://XX.XX.XX.XXX:389"
  userPassword="userPassword"
  userPattern="uid={0},ou=people,dc=mycompany,dc=com"
  roleBase="ou=groups,dc=mycompany,dc=com" roleName="cn"
  roleSearch="(uniqueMember={0})" />
  Also we have below configuration in web.xml for our Web Application
  <security-constraint>
       <display-name>Security Constraint</display-name>
       <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
            <role-name>manager</role-name>
       </auth-constraint>
  </security-constraint>
  <login-config>
       <auth-method>BASIC</auth-method>
  </login-config>
       <security-role>
            <role-name>manager</role-name>
       </security-role>
  Can you please let me know where I can do similar configuration in web logic 10.3?
  I know we can done this using Admin console but not sure which property from server.xml will mapped to which field in Web Logic conf.xml?

  Some notes about interoperating with different WebLogic server are provided here: http://docs.oracle.com/cd/E24329_01/web.1211/e24375/wls_interop.htm#i1121383
  One thing to note is that the default message mode has changed in 12c, from multicast to unicast:
  - http://docs.oracle.com/cd/E24329_01/web.1211/e24497/compat.htm#BABJFJCB
  http://middlewaremagic.com/weblogic/?p=7969

• JBOSS - authentication

  Hi
  I'm new to JBOSS. I want to implement a "Remember Me" feature. I'm using org.jboss.security.auth.spi.DatabaseServerLoginModule to authenticate user. The JSESSIONID cookie created is not persistent.
  can anyone Help?
  regards

  Hi
  I have come across the exact same problem when I upgraded from
  Jboss 3.0.8 to Jboss 3.2.5,
  In short I resolved this problem by editing the following file
  /default/deploy/jbossweb-tomcat50.sar/META-INF/jboss-service.xml
  and setting the following attribute to false
  <attribute name="UseJBossWebLoader">false</attribute>
  Basically, the problem arises from a bug in the JBoss class loader
  as I found that by default it uses the roles.properties and users.properties
  from the default/deploy/http-invoker.sar/invoker.war/WEB-INF/classes/
  directory.
  Also see the following:-
  http://www.mail-archive.com/[email protected]/msg47128.html
  which suggests that if you have your own .war deployments then it is totally random which
  roles.properties/ users.properties the class loader uses.
  In summary setting the above attribute to false means that Jboss will not use its
  own unified class loader as the class loader but the tomcat specific class loader
  instead.
  After setting this, suddenly my roles.properties/ users.properties from
  within my default/conf directory were being recognised and my logins
  were successful
  Hope this helps