JAAS With JBOSS: My How-To Tutorial

 
Robert Paris
Ranch Hand
Posts: 585
There are a few different steps to get JAAS Auth to work in JBoss:
LOGIN CODE
-------------------

JBOSS EJB_DESCRIPTOR INFO
---------------------------------------------

JBOSS CONFIGURATIONS
------------------------------------

NEEDED TO COMPILE AND RUN CLIENT
---------------------------------------------------------
NOTE: you will need these jars for BOTH compiling AND running THE CLIENT
//ALL CLIENT JARS
${JBOSS_HOME}/client/*.jar
//THIS IS THE KEY!!! THIS IS THE JAR THEY DON'T TELL YOU
//ABOUT, BUT THAT HAS THE JAAS CLASSES!!!
${JBOSS_HOME}/server/all/lib/jbosssx.jar
RUNTIME SYSTEM PROPERTIES FOR CLIENT - REQUIRED
----------------------------------------------------------------
//NOTE: ALL THESE ARE FOR RUNNING THE CLIENT!!!
-Djava.security.manager
//I WILL GIVE YOU WHAT THIS FILE MUST CONTAIN
-Djava.security.auth.login.config=auth.conf
//I WILL GIVE YOU A SAMPLE OF THIS, JUST FOR TESTING
-Djava.security.policy=ourtest.policy
-Djava.security.auth.policy=ourtest.policy
CONFIG FILE (FOR CLIENT): auth.conf
------------------------------------------------------

POLICY FILE (FOR CLIENT): ourtest.policy
-----------------------------------------------------------

OK, I believe that's all you need! I think that the class for using a properties file for login usernames/passwords is: org.jboss.security.ClientLoginModule. So if you don't want to use the database for your tests, replace all the DB Module classes listed in the files above with this one.

OK, I spent a lot of time putting this together because I know it stinks to not be able to find it anywhere. I went through it myself and I don't want anyone else to be frustrated. All I ask is this:
1. Anytime you are searching for the answer to how to do something and a lot of people also want to know, and then you come up with the answer - POST IT!!
2. I need to know how to use resource-env-ref or resource-ref with Jetty (only Jetty). Anyone who knows, please post it for me! Thanks!
Robert
[ January 27, 2003: Message edited by: Robert Paris ]
[ January 17, 2004: Message edited by: Robert Paris ]
 
Thomas Paul
mister krabs
Ranch Hand
Posts: 13974
Why don't you write this up as an article and we'll put it in the JavaRanch newsletter.
 
Robert Paris
Ranch Hand
Posts: 585
Will do! Couple Questions:
1. Is there a basic format you'd like me to follow?
2. Where do I send the article when I finish it?
3. What about source code? I did not include a complete working version there (for example I used a database auth version, but didn't include my code for getting that to work. I can include that no problem in the article)
4. What about updates to the article/source code? In other words - I have time right now to create a full working version with MS SQL Server as the database, but no time to do that plus a MySQL version, properties version, etc. However, I could every now and then add those versions when I have free time. Is this possible?
Thanks!
 
Lee Barney
Ranch Hand
Posts: 37
I have tried following your example here using mysql. When I add the following code to login-config.xml as suggested
<application-policy name="EJBSecurityDomain">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName">java:/MySqlDS</module-option>
<module-option name-"principalsQuery">Select passwd from Users where username = ?<module-option>
<module-option name="rolesQuery">Select userRoles 'Role', userRoleGroups 'RoleGroup' from UserRoles where username = ?<module-option>
<login-module>
</authentication>
</application-policy>
I get the following error on starting JBoss
09:12:42,087 WARN [XMLLoginConfigImpl] Failed to load config: file:/Applications/jboss-3.0.6/server/default/conf/login-config.xml
org.jboss.security.auth.login.ParseException: Encountered "<?xml" at line 1, column 1.
Was expecting one of:
<EOF>
<IDENTIFIER> ...

What am I doing wrong in following your example?
Thanks
 
Robert Paris
Ranch Hand
Posts: 585
Well, you see this line:
<module-option name-"principalsQuery">Select passwd from Users where username = ?<module-option>
You never CLOSE the module-option. You have the same problem for the next one as well.
 
Georg Gruetter
Greenhorn
Posts: 2
Hi there,
I got the exact same error message as Lee posted previously. It is definitely not a syntax problem with my login-config.xml. I validated it against its DTD without any errors. Anyway, the error message doesn't seem to make much sense - what is wrong with an xml file beginning with <?xml version=....>? I'd appreciate any recommendations you might have.
Cheers
Georg
 
Georg Gruetter
Greenhorn
Posts: 2
Ok, after spending the better half of the day browsing forums and experimenting, I found the solution to the problem. To be able to propagate the authenticated principal to the EJB-Container from a Java-Client (e.g. JUnit) my auth.conf entry now looks as follows:
LineSecurityDomain {
org.jboss.security.auth.spi.UsersRolesLoginModule required;
org.jboss.security.ClientLoginModule required;
};
As stated in the JBoss documentation, the ClientLoginModule is responsible for propagating the principal! It only worked by incorporating the entry in the LineSecurityDomain configuration! Using the following approach didn't work.
LineSecurityDomain {
org.jboss.security.auth.spi.UsersRolesLoginModule required;
};
other {
org.jboss.security.ClientLoginModule required;
}
Hope this helps!
Georg
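
Added example (not part of Georg's post or of JBoss): JAAS resolves the name passed to LoginContext to a single configuration entry and falls back to "other" only when no entry has that name, so modules listed under "other" do not run alongside a named entry. The simplified parser and the function names below are assumptions for illustration; it handles only the plain `name { class flag; };` form, and the second sample adds the terminating semicolon.

```python
import re

# Constructed samples: the two auth.conf layouts described in the post above.
STACKED = """
LineSecurityDomain {
    org.jboss.security.auth.spi.UsersRolesLoginModule required;
    org.jboss.security.ClientLoginModule required;
};
"""
SPLIT = """
LineSecurityDomain {
    org.jboss.security.auth.spi.UsersRolesLoginModule required;
};
other {
    org.jboss.security.ClientLoginModule required;
};
"""

ENTRY = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;?", re.S)


def parse_auth_conf(text):
    """Parse `name { class flag; ... };` entries into {name: [(class, flag)]}."""
    entries = {}
    for name, body in ENTRY.findall(text):
        modules = []
        for statement in body.split(";"):
            tokens = statement.split()
            if len(tokens) >= 2:          # class name followed by control flag
                modules.append((tokens[0], tokens[1]))
        entries[name] = modules
    return entries


def modules_for(text, app_name):
    """Modules JAAS runs for app_name: its own entry, else the `other` entry."""
    entries = parse_auth_conf(text)
    return entries.get(app_name, entries.get("other", []))


def propagates_principal(text, app_name):
    """True if ClientLoginModule is in the stack that actually runs."""
    return any(cls == "org.jboss.security.ClientLoginModule"
               for cls, _ in modules_for(text, app_name))


if __name__ == "__main__":
    for label, conf in (("stacked", STACKED), ("split", SPLIT)):
        print(label, propagates_principal(conf, "LineSecurityDomain"))
```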
 
Brian DeCamp
Greenhorn
Posts: 1
Please note: Although the above description is better than anything I've found on JBoss' website and documentation, there are at least a few bugs in it. The code that reads:

<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<!-- This tells it where to find the MS SQL Server DataSource that provides the usernames/passwords. Don't get me started on what a pain that was to set up (although alot LESS of a pain than JAAS and Database login-->
<module-option name="dsJndiName">java:/MSQLDS</module-option>
<!-- This depends on how your DB is structured -->
<module-option name-"principalsQuery">Select passwd from Users where username = ?<module-option>
<module-option name="rolesQuery">Select userRoles 'Role', userRoleGroups 'RoleGroup' from UserRoles where username = ?<module-option>
<login-module>

Should read:
<application-policy name="EJBSecurityDomain">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<!-- This tells it where to find the MS SQL Server DataSource that provides
the usernames/passwords. Don't get me started on what a pain that was to
set up (although alot LESS of a pain than JAAS and Database login
-->
<module-option name="dsJndiName">java:/MSQLDS</module-option>
<!-- This depends on how your DB is structured -->
<module-option name="principalsQuery">Select passwd from Users where username = ?</module-option>
<module-option name="rolesQuery">Select userRoles 'Role', userRoleGroups 'RoleGroup' from UserRoles where username = ?</module-option>
</login-module>
</authentication>
</application-policy>
There are three tags that need to be properly closed (two module-option tags and the login-module tag) and a couple ill-defined attributes. All of these errors result in the unhelpful XML parse diagnostic about the <?xml identifier.
Still trying to log in!! :roll:
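
Added example (not part of the thread or of JBoss): a pre-deployment check that reports the line where a login-config.xml fragment stops being well-formed, then checks the attributes of each login-module. The sample is constructed from the fragment posted earlier in the thread; the function name and the messages are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

JAAS_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample: the fragment as posted in the thread, defects included.
BROKEN = """\
<application-policy name="EJBSecurityDomain">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName">java:/MySqlDS</module-option>
<module-option name-"principalsQuery">Select passwd from Users where username = ?<module-option>
<module-option name="rolesQuery">Select userRoles 'Role', userRoleGroups 'RoleGroup' from UserRoles where username = ?<module-option>
<login-module>
</authentication>
</application-policy>
"""
# Constructed variants: attribute typo repaired only, then closing tags repaired too.
ATTR_FIXED = BROKEN.replace('name-"', 'name="')
FIXED = (ATTR_FIXED.replace("?<module-option>", "?</module-option>")
                   .replace("<login-module>\n", "</login-module>\n"))


def lint(xml_text):
    """Return (line, message) findings; line is None for attribute findings."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        line, _ = err.position
        return [(line, f"not well-formed: {err}")]
    findings = []
    for policy in root.iter("application-policy"):
        name = policy.get("name") or "<unnamed>"
        if not policy.get("name"):
            findings.append((None, "application-policy has no name attribute"))
        modules = policy.findall("authentication/login-module")
        if not modules:
            findings.append((None, f"{name}: no login-module configured"))
        for mod in modules:
            if not mod.get("code"):
                findings.append((None, f"{name}: login-module has no code attribute"))
            if mod.get("flag") not in JAAS_FLAGS:
                findings.append((None, f"{name}: invalid flag {mod.get('flag')!r}"))
            for opt in mod.findall("module-option"):
                if not opt.get("name"):
                    findings.append((None, f"{name}: module-option has no name attribute"))
    return findings


if __name__ == "__main__":
    for label, doc in (("as posted", BROKEN), ("attribute fixed", ATTR_FIXED), ("fixed", FIXED)):
        print(label, lint(doc) or "clean")
```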
 
Chris Pearson
Greenhorn
Posts: 1
Did you ever get a chance to log in? I am having problems with the above example, such as why a Principal class was created in the login and what client needs to be compiled?? Any help would be appreciated.
And is this written up somewhere? I looked for a newsletter but have not found one.
Thanks,
Chris
 
Tom Marrs
Author
Ranch Hand
Posts: 67
Robert,
You rock!!! I was in desperate need of a solution to this problem and your tutorial gave me most of what I needed. I had to make a few corrections for JBoss 3.2.5. If you'd like, I could post them. You saved me from a disaster - I needed to make this work so I could teach an EJB class on JBoss. Thanks again.

Tom Marrs
 
Luctor Emergo
Greenhorn
Posts: 1
Finally I think I'm on the right track here. Did you ever get to create a complete example? I'd love to have that, 'cause I've been banging my head against the wall the last couple of decades it feels like.

And I totally agree. POST THE SOLUTION WHEN YOU FIND IT. So other people don't have to bang their head till it cracks.
 