geronimo-user mailing list archives

From Yeray Cabrera <yeray.cabr...@integraas.com>
Subject Re: Security Realm Error
Date Tue, 14 Mar 2006 12:24:32 GMT
Hi,

You were right, I had an error in my user mapping. (Thanks Aaron)

But now ....
    The user login is ok, but when I execute 
HttpServletRequest.isUserInRole("IBMS") in my code, it returns false.
I debugged my code ...
    HttpServletRequest -- userPrincipal is present with the correct name 
and subjects but *roles* *is null*.

Any directions?

 Thanks,

     Yeray Cabrera



Aaron Mulder wrote:
> I think that UnsupportedCallbackException is kind of expected.  If I
> remember right, we call the login module once just to establish what
> callbacks it wants, and we call it a second time to do the actual
> login.  So the fact that it gets called once and an exception is
> thrown should be OK, just don't do anything hasty.  When it gets
> called the second time the login should work.
>
> Now, looking back at your web app plan, I see this:
>
>     <security>
>         <default-principal>
>             <principal name="anonymous"
>             class="com.ias.ibms.auth.IBMSRole"
>             />
>         </default-principal>
>     </security>
>
> That doesn't actually map any user to any J2EE roles.  In other words,
> no logins are treated as members of the IBMS J2EE role, so even if the
> login to the web app is valid, the user probably gets an access denied
> error.  To fix that, you need to list the login module principals
> that should be members of the J2EE role named IBMS, like this:
>
>     <security>
>         <default-principal>
>             <principal name="anonymous"
>             class="com.ias.ibms.auth.IBMSRole"
>             />
>         </default-principal>
>         <role-mapping>
>           <role role-name="IBMS">
>             <principal name="some-principal-name"
>             class="com.ias.ibms.auth.IBMSRole"
>             />
>           </role>
>         </role-mapping>
>     </security>
>
> So the combination of the principal class (com...IBMSRole) and
> principal name (some-principal-name) should uniquely identify a
> principal returned by the login module.  (e.g. some modules return
> both user principals and group principals and a particular login may
> get some of both, and there could be users and groups with the same
> name like 'administrator').  You can list more than one role in the
> role-mapping section and more than one principal in each role section
> if you want to do more extensive mapping (e.g. 2 users and 3 groups
> should all count as members of the "IBMS" role).
>
> For more details, you can look at:
>
> http://chariotsolutions.com/geronimo/web-plan.html#web-plan-security
>
> Particularly example 11.5.
>
> Thanks,
>     Aaron
>
>
> On 3/8/06, Yeray Cabrera <yeray.cabrera@integraas.com> wrote:
>   
>>  Hi,
>>
>>  I'm still having trouble deploying the security realm. The realm itself is
>> now deployed, but when trying to authenticate a user at the webapp I'm
>> getting an UnsupportedCallbackException.
>>
>>  Actually I'm tracing it and it calls the LoginModule's login() method
>> twice. The first time it throws the exception but the second one it does
>> pass back the username and password through the callbacks.
>>
>>  The module and the webapp are working fine inside a stand-alone Tomcat. Any
>> directions?
>>
>>  Thanks,
>>
>>      Yeray Cabrera
>>
>>
>>
>>  Yeray Cabrera wrote:
>>  Thanks Vamsavardhana!
>>
>>  It's running fine.
>>
>>  But I had tried to deploy the security realm configuration plan by command
>> line and it did not run. Now I deploy the security realm configuration plan
>> by web console.
>>
>>  Thanks
>>
>>         Yeray Cabrera
>>
>>  Vamsavardhana Reddy wrote:
>> Hi Yeray,
>>
>>  The dependency you have included in geronimo-web.xml needs to go into this
>> security realm configuration plan.  You do not need that dependency tag in
>> geronimo-web.xml
>>
>>  Uninstall the configuration "SecurityRealm-ibms" from application
>> management portlets.  Create a security realm plan xml separately.  You can
>> simply add the dependency tag to the security realm plan you have sent
>> earlier and deploy this newly created plan.
>>
>>  Vamsi
>>
>>
>> On 3/7/06, Yeray Cabrera <yeray.cabrera@integraas.com> wrote:
>>     
>>> This is the deployment plan:
>>>
>>> <configuration configId="SecurityRealm-ibms"
>>>     xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
>>>     <gbean name="ibms"
>>>         class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>>>         <attribute name="realmName">ibms</attribute>
>>>         <reference name="ServerInfo">
>>>             <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
>>>         </reference>
>>>         <reference name="LoginService">
>>>             <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
>>>         </reference>
>>>         <xml-reference name="LoginModuleConfiguration">
>>>             <log:login-config
>>>                 xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
>>>                 <log:login-module control-flag="REQUIRED"
>>>                     server-side="true" wrap-principals="false">
>>>                     <log:login-domain-name>ibms</log:login-domain-name>
>>>                     <log:login-module-class>com.ias.ibms.auth.nullauth.NullAuthLogin</log:login-module-class>
>>>                 </log:login-module>
>>>             </log:login-config>
>>>         </xml-reference>
>>>     </gbean>
>>> </configuration>
>>>
>>>
>>> Vamsavardhana Reddy wrote:
>>>
>>> Yeray,
>>>
>>> Can you copy and paste the plan for the security realm?  To see the plan,
>>> access the Security Realms portlet in Admin Console, click on "edit" for the
>>> realm and click on "Show plan" button in the next page.
>>>
>>> -Vamsi
>>>
>>> On 3/7/06, Yeray Cabrera <yeray.cabrera@integraas.com> wrote:
>>>       
>>>> Hi Vamsavardhana,
>>>>
>>>> I used the wizard in Geronimo console and I see it's "running" in
>>>> Security Realms menu
>>>>
>>>> I deployed with the following web.xml :
>>>>
>>>> <web-app>
>>>> .....
>>>>     <login-config>
>>>>         <auth-method>FORM</auth-method>
>>>>         <realm-name>Example Form-Based Authentication Area</realm-name>
>>>>         <form-login-config>
>>>>             <form-login-page>/login.vm</form-login-page>
>>>>             <form-error-page>/error.vm</form-error-page>
>>>>         </form-login-config>
>>>>     </login-config>
>>>>
>>>>     <security-role>
>>>>         <role-name>IBMS</role-name>
>>>>     </security-role>
>>>>
>>>>     <security-constraint>
>>>>         <display-name>IBMS Security-Constraint</display-name>
>>>>         <web-resource-collection>
>>>>             <web-resource-name>Protected Area</web-resource-name>
>>>>             <url-pattern>administration/*</url-pattern>
>>>>             <url-pattern>backoffice/*</url-pattern>
>>>>             <url-pattern>hotel/*</url-pattern>
>>>>             <url-pattern>maintenance/*</url-pattern>
>>>>             <url-pattern>management/*</url-pattern>
>>>>             <url-pattern>index/*</url-pattern>
>>>>             <url-pattern>*.do</url-pattern>
>>>>             <http-method>DELETE</http-method>
>>>>             <http-method>GET</http-method>
>>>>             <http-method>POST</http-method>
>>>>             <http-method>PUT</http-method>
>>>>         </web-resource-collection>
>>>>         <auth-constraint>
>>>>             <role-name>IBMS</role-name>
>>>>         </auth-constraint>
>>>>     </security-constraint>
>>>>
>>>> </web-app>
>>>>
>>>> Thanks,
>>>>
>>>>     Yeray Cabrera
>>>>
>>>>
>>>>
>>>> Vamsavardhana Reddy wrote:
>>>>
>>>> How is the Security Realm deployed?  I don't see it is part of the web
>>>> application.
>>>>
>>>> -Vamsi
>>>>
>>>>
>>>> On 3/7/06, Yeray Cabrera <yeray.cabrera@integraas.com> wrote:
>>>>         
>>>>> Hi,
>>>>>
>>>>> I'm trying to deploy a War in Geronimo with my own Security Realm.
>>>>>
>>>>> First, I add an entry in Common libraries (the jar containing my
>>>>> classes)
>>>>>
>>>>> Next, I add a security realm.
>>>>>
>>>>> And finally, I deploy my web app with the following deployment plan:
>>>>>
>>>>> ----------------------------------------------------------------------------------------------------------
>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>> <web-app
>>>>>     xmlns="http://geronimo.apache.org/xml/ns/web"
>>>>>     xmlns:naming="http://geronimo.apache.org/xml/ns/naming"
>>>>>     configId="ibms"
>>>>>     parentId="geronimo/j2ee-server/1.0/car">
>>>>>
>>>>>     <dependency>
>>>>>         <uri>ibms/ibmsauth/0.9.1/jar</uri>
>>>>>     </dependency>
>>>>>
>>>>>     <context-root>/ibms</context-root>
>>>>>     <context-priority-classloader>true</context-priority-classloader>
>>>>>     <security-realm-name>ibms</security-realm-name>
>>>>>     <security>
>>>>>         <default-principal>
>>>>>             <principal name="anonymous"
>>>>>             class="com.ias.ibms.auth.IBMSRole"
>>>>>             />
>>>>>         </default-principal>
>>>>>     </security>
>>>>> </web-app>
>>>>> ----------------------------------------------------------------------------------------------------------
>>>>> The deploy is correct, but when I try to access my application,
>>>>> the following exception occurs:
>>>>> ----------------------------------------------------------------------------------------------------------
>>>>> 10:40:09,241 WARN  [TomcatGeronimoRealm] Login exception authenticating username "pancho"
>>>>> javax.security.auth.login.LoginException: org.apache.geronimo.common.GeronimoSecurityException: Unable to instantiate login module
>>>>>         at org.apache.geronimo.security.jaas.server.JaasLoginModuleConfiguration.getLoginModule(JaasLoginModuleConfiguration.java:71)
>>>>>         at org.apache.geronimo.security.jaas.server.JaasSecuritySession.<init>(JaasSecuritySession.java:64)
>>>>>         at org.apache.geronimo.security.jaas.server.JaasLoginService.initializeClient(JaasLoginService.java:353)
>>>>>         at org.apache.geronimo.security.jaas.server.JaasLoginService.connectToRealm(JaasLoginService.java:169)
>>>>>         at org.apache.geronimo.security.jaas.server.JaasLoginService$$FastClassByCGLIB$$95b84fc9.invoke(<generated>)
>>>>>         at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
>>>>>         at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
>>>>>         at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:118)
>>>>>         at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:800)
>>>>>         at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
>>>>>         at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:36)
>>>>>         at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
>>>>>         at org.apache.geronimo.security.jaas.server.JaasLoginServiceMBean$$EnhancerByCGLIB$$901db4a3.connectToRealm(<generated>)
>>>>>         at org.apache.geronimo.security.jaas.client.JaasLoginCoordinator.login(JaasLoginCoordinator.java:95)
>>>>> ...
>>>>> Caused by: java.lang.ClassNotFoundException: com.ias.ibms.auth.nullauth.NullAuthLogin
>>>>>         at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
>>>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>>>         at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
>>>>>         at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
>>>>>         at org.apache.geronimo.kernel.config.MultiParentClassLoader.loadClass(MultiParentClassLoader.java:209)
>>>>>         at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
>>>>>         at org.apache.geronimo.security.jaas.server.JaasLoginModuleConfiguration.getLoginModule(JaasLoginModuleConfiguration.java:69)
>>>>>         ... 44 more
>>>>>
>>>>> ----------------------------------------------------------------------------------------------------------
>>>>> Does somebody have an idea why the class is not found? I see it in common
>>>>> libraries
>>>>>
>>>>> Thanks,
>>>>>
>>>>>
>>>>>     Yeray Cabrera
>>
>> --
>>  Yeray Cabrera Santana
>>  Integra Soluciones Avanzadas, S.L.
>>  Tlf: +34928465203
>>  C/ Juan Domínguez Pérez 28, Urb El Sebadal
>>  Las Palmas de Gran Canaria (35008)
>>  SPAIN
>>
>>
>>     
>
>   
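
As an added example (not part of the thread and not Geronimo's own code), the check below cross-references the roles that web.xml names in auth-constraint against the role-mapping section of the Geronimo plan and reports every role that has no principal mapped to it, which is the gap Aaron points out. The sample descriptors are constructed, trimmed from the ones quoted in the thread, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, trimmed from the descriptors quoted in the thread.
WEB_XML = """<web-app>
  <security-role><role-name>IBMS</role-name></security-role>
  <security-constraint>
    <auth-constraint><role-name>IBMS</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
PLAN = """<web-app xmlns="http://geronimo.apache.org/xml/ns/web" configId="ibms">
  <security>
    <default-principal>
      <principal name="anonymous" class="com.ias.ibms.auth.IBMSRole"/>
    </default-principal>%s
  </security>
</web-app>"""
PLAN_BEFORE = PLAN % ""          # only a default principal, no role mapping
PLAN_AFTER = PLAN % """
    <role-mapping>
      <role role-name="IBMS">
        <principal name="some-principal-name" class="com.ias.ibms.auth.IBMSRole"/>
      </role>
    </role-mapping>"""

def find_all(root, name):
    """All descendants with the given local name, ignoring XML namespaces."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def constrained_roles(web_xml):
    """Role names that web.xml requires in <auth-constraint> elements."""
    return {r.text.strip()
            for ac in find_all(ET.fromstring(web_xml), "auth-constraint")
            for r in find_all(ac, "role-name") if r.text}

def role_mappings(plan_xml):
    """role-name -> {(principal class, principal name)} from <role-mapping>."""
    mapping = {}
    for rm in find_all(ET.fromstring(plan_xml), "role-mapping"):
        for role in find_all(rm, "role"):
            mapping.setdefault(role.get("role-name"), set()).update(
                (p.get("class"), p.get("name")) for p in find_all(role, "principal"))
    return mapping

def unmapped_roles(web_xml, plan_xml):
    """Roles protected in web.xml that no login-module principal can satisfy."""
    mapping = role_mappings(plan_xml)
    return sorted(r for r in constrained_roles(web_xml) if not mapping.get(r))
```

A role listed by unmapped_roles is one that every login fails to satisfy, however valid the credentials; the (class, name) pairs returned by role_mappings are what the login module's principals have to match.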
