From user-return-2538-apmail-geronimo-user-archive=geronimo.apache.org@geronimo.apache.org Wed Mar 08 12:43:51 2006
Mailing-List: contact user-help@geronimo.apache.org; run by ezmlm
Reply-To: user@geronimo.apache.org
Message-ID: <74e15baa0603080443j67803f54u6cbad555b6d5299a@mail.gmail.com>
Date: Wed, 8 Mar 2006 07:43:23 -0500
From: "Aaron Mulder"
Sender: ammulder@gmail.com
To: user@geronimo.apache.org
Subject: Re: Security Realm Error
In-Reply-To: <440EAD80.3010201@integraas.com>
References: <440D70FC.6020307@integraas.com> <22d56c4d0603070347y222efbb0rae86800ab6c338bf@mail.gmail.com> <440D75F4.2030003@integraas.com> <22d56c4d0603070423j4a81dceft5030417fa747254a@mail.gmail.com> <440D7C2A.1090705@integraas.com> <22d56c4d0603070437r1f4b8dd3tff6c74531aa2a988@mail.gmail.com> <440D90DE.7080402@integraas.com> <440EAD80.3010201@integraas.com>

I think that UnsupportedCallbackException is kind of expected. If I remember right, we call the login module once just to establish what callbacks it wants, and we call it a second time to do the actual login. So the fact that it gets called once and an exception is thrown should be OK, just don't do anything hasty. When it gets called the second time the login should work.

Now, looking back at your web app plan, I see this:

That doesn't actually map any user to any J2EE roles. In other words, no logins are treated as members of the IBMS J2EE role, so even if the login to the web app is valid, the user probably gets an access denied error. To fix that, you need to list the login module principals that should be members of the J2EE role named IBMS, like this:

So the combination of the principal class (com...IBMSRole) and principal name (some-principal-name) should uniquely identify a principal returned by the login module. (e.g. some modules return both user principals and group principals and a particular login may get some of both, and there could be users and groups with the same name like 'administrator'). You can list more than one role in the role-mapping section and more than one principal in each role section if you want to do more extensive mapping (e.g. 2 users and 3 groups should all count as members of the "IBMS" role).

For more details, you can look at:
http://chariotsolutions.com/geronimo/web-plan.html#web-plan-security
Particularly example 11.5.

Thanks,
    Aaron

On 3/8/06, Yeray Cabrera wrote:
> Hi,
>
> I'm still having trouble deploying the security realm. The realm itself is now deployed, but when trying to authenticate a user at the webapp I'm getting an UnsupportedCallbackException.
>
> Actually I'm tracing it and it calls the LoginModule's login() method twice. The first time it throws the exception but the second one it does pass back the username and password through the callbacks.
>
> The module and the webapp are working fine inside a stand-alone Tomcat. Any directions?
>
> Thanks,
>
> Yeray Cabrera
>
>
> Yeray Cabrera wrote:
> Thanks Vamsavardhana!
>
> It's running fine.
>
> But I had been trying to deploy the security realm configuration plan by command line and it did not run. Now I deploy the security realm configuration plan by web console.
>
> Thanks
>
> Yeray Cabrera
>
> Vamsavardhana Reddy wrote:
> Hi Yeray,
>
> The dependency you have included in geronimo-web.xml needs to go into this security realm configuration plan. You do not need that dependency tag in geronimo-web.xml
>
> Uninstall the configuration "SecurityRealm-ibms" from application management portlets. Create a security realm plan xml separately. You can simply add the dependency tag to the security realm plan you have sent earlier and deploy this newly created plan.
>
> Vamsi
>
> On 3/7/06, Yeray Cabrera wrote:
> >
> > This is the deployment plan:
> >
> > xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
> > class="org.apache.geronimo.security.realm.GenericSecurityRealm">
> > ibms
> >
> > geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo
> >
> > geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService
> >
> > xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
> > server-side="true" wrap-principals="false">
> >
> > ibms
> >
> > com.ias.ibms.auth.nullauth.NullAuthLogin
> >
> >
> > Vamsavardhana Reddy wrote:
> >
> > Yeray,
> >
> > Can you copy paste the plan for the security realm. To see the plan, access the Security Realms portlet in Admin Console, Click on "edit" for the realm and click on "Show plan" button in the next page.
> >
> > -Vamsi
> >
> > On 3/7/06, Yeray Cabrera wrote:
> > >
> > > Hi Vamsavardhana,
> > >
> > > I used the wizard in Geronimo console and I see it's "running" in Security Realms menu
> > >
> > > I deployed with the following web.xml :
> > >
> > > .....
> > >
> > > FORM
> > > Example Form-Based Authentication Area
> > >
> > > /login.vm
> > > /error.vm
> > >
> > > IBMS
> > >
> > > IBMS Security-Constraint
> > >
> > > Protected Area
> > > administration/*
> > > backoffice/*
> > > hotel/*
> > > maintenance/*
> > > management/*
> > > index/*
> > > *.do
> > > DELETE
> > > GET
> > > POST
> > > PUT
> > >
> > > IBMS
> > >
> > > Thanks,
> > >
> > > Yeray Cabrera
> > >
> > >
> > > Vamsavardhana Reddy wrote:
> > >
> > > How is the Security Realm deployed? I don't see it is part of the web application.
> > >
> > > -Vamsi
> > >
> > > On 3/7/06, Yeray Cabrera wrote:
> > > >
> > > > Hi,
> > > >
> > > > I'm trying to deploy a War in Geronimo with my own Security Realm.
> > > >
> > > > First, I add an entry in Common libraries (the jar containing my classes)
> > > >
> > > > Next, I add a security realm.
> > > >
> > > > And finally, I deploy my web app with the following deployment plan:
> > > >
> > > > ---------------------------------------------------------------------------------------------------
> > > >
> > > > xmlns="http://geronimo.apache.org/xml/ns/web"
> > > > xmlns:naming="http://geronimo.apache.org/xml/ns/naming"
> > > > configId="ibms"
> > > > parentId="geronimo/j2ee-server/1.0/car">
> > > >
> > > > ibms/ibmsauth/0.9.1/jar
> > > >
> > > > /ibms
> > > > true
> > > >
> > > > ibms
> > > >
> > > > class="com.ias.ibms.auth.IBMSRole"
> > > > />
> > > >
> > > > ---------------------------------------------------------------------------------------------------
> > > >
> > > > The deploy is correct but when I try to access my application, the following exception occurs:
> > > >
> > > > ---------------------------------------------------------------------------------------------------
> > > > 10:40:09,241 WARN [TomcatGeronimoRealm] Login exception authenticating username "pancho"
> > > > javax.security.auth.login.LoginException: org.apache.geronimo.common.GeronimoSecurityException: Unable to instantiate login module
> > > >     at org.apache.geronimo.security.jaas.server.JaasLoginModuleConfiguration.getLoginModule(JaasLoginModuleConfiguration.java:71)
> > > >     at org.apache.geronimo.security.jaas.server.JaasSecuritySession.<init>(JaasSecuritySession.java:64)
> > > >     at org.apache.geronimo.security.jaas.server.JaasLoginService.initializeClient(JaasLoginService.java:353)
> > > >     at org.apache.geronimo.security.jaas.server.JaasLoginService.connectToRealm(JaasLoginService.java:169)
> > > >     at org.apache.geronimo.security.jaas.server.JaasLoginService$$FastClassByCGLIB$$95b84fc9.invoke()
> > > >     at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
> > > >     at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
> > > >     at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:118)
> > > >     at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:800)
> > > >     at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
> > > >     at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:36)
> > > >     at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
> > > >     at org.apache.geronimo.security.jaas.server.JaasLoginServiceMBean$$EnhancerByCGLIB$$901db4a3.connectToRealm()
> > > >     at org.apache.geronimo.security.jaas.client.JaasLoginCoordinator.login(JaasLoginCoordinator.java:95)
> > > >     ...
> > > > Caused by: java.lang.ClassNotFoundException: com.ias.ibms.auth.nullauth.NullAuthLogin
> > > >     at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
> > > >     at java.security.AccessController.doPrivileged(Native Method)
> > > >     at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
> > > >     at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
> > > >     at org.apache.geronimo.kernel.config.MultiParentClassLoader.loadClass(MultiParentClassLoader.java:209)
> > > >     at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
> > > >     at org.apache.geronimo.security.jaas.server.JaasLoginModuleConfiguration.getLoginModule(JaasLoginModuleConfiguration.java:69)
> > > >     ... 44 more
> > > > ---------------------------------------------------------------------------------------------------
> > > >
> > > > Does somebody have an idea why the class is not found? I see it in common libraries
> > > >
> > > > Thanks,
> > > >
> > > > Yeray Cabrera
>
> --
> Yeray Cabrera Santana
> Integra Soluciones Avanzadas, S.L.
> Tlf: +34928465203
> C/ Juan Domínguez Pérez 28, Urb El Sebadal
> Las Palmas de Gran Canaria (35008)
> SPAIN
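As an added illustration of the two points Aaron makes in his reply (the callback-discovery call that ends in UnsupportedCallbackException before the real login, and role membership keyed on principal class plus principal name), here is a self-contained JAAS example. It is example code written for this page, not Geronimo's code and not the IBMS login module from the thread: `RealmDemo`, `DemoLoginModule`, `UserPrincipal`, `GroupPrincipal`, `RoleMapping`, the in-memory user table, the passwords and the group memberships are all constructed; only the username "pancho" and the role name "IBMS" come from the thread, and `GroupPrincipal` stands in for a principal class such as com.ias.ibms.auth.IBMSRole.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Added example, not Geronimo or IBMS code: a JAAS LoginModule plus a (class, name) role mapping. */
public final class RealmDemo {

    /** Constructed principal base. Equality is class AND name: user "administrator" != group "administrator". */
    abstract static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return Objects.hash(getClass(), name); }
        @Override public String toString() { return getClass().getSimpleName() + ":" + name; }
    }
    /** Stand-ins for a user principal class and a group principal class such as com.ias.ibms.auth.IBMSRole. */
    static final class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } }
    static final class GroupPrincipal extends NamedPrincipal { GroupPrincipal(String n) { super(n); } }

    /** Minimal LoginModule over a constructed in-memory user table (hypothetical users, passwords and groups). */
    public static final class DemoLoginModule implements LoginModule {
        private static final Map<String, String> PASSWORDS = Map.of("pancho", "pancho-pw", "administrator", "admin-pw");
        private static final Map<String, List<String>> GROUPS = Map.of("pancho", List.of("administrator"), "administrator", List.of("staff"));
        private Subject subject;
        private CallbackHandler handler;
        private String user;

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) { subject = s; handler = h; }

        @Override public boolean login() throws LoginException {
            NameCallback nameCb = new NameCallback("username: ");
            PasswordCallback pwCb = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nameCb, pwCb });
            } catch (UnsupportedCallbackException e) {
                // Callback-discovery pass: the container's probing handler records which callbacks we asked for and refuses
                // them. login() may only throw LoginException, so wrap it; the realm calls login() again with a real handler.
                throw new LoginException("callback not supported: " + e.getCallback().getClass().getSimpleName());
            } catch (IOException e) {
                throw new LoginException(e.getMessage());
            }
            char[] given = pwCb.getPassword();
            pwCb.clearPassword();
            String expected = nameCb.getName() == null ? null : PASSWORDS.get(nameCb.getName());
            if (expected == null || given == null || !Arrays.equals(expected.toCharArray(), given)) throw new FailedLoginException("bad username or password");
            user = nameCb.getName();
            return true;
        }

        /** Commit phase: one user principal plus one group principal per group end up in the Subject. */
        @Override public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            for (String g : GROUPS.getOrDefault(user, List.of())) subject.getPrincipals().add(new GroupPrincipal(g));
            return true;
        }
        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }

    /** J2EE role -> principals (class + name) that count as members, mirroring the plan's role mapping. */
    static final class RoleMapping {
        private final Map<String, Set<Principal>> members = new HashMap<>();
        RoleMapping grant(String role, Principal p) { members.computeIfAbsent(role, r -> new HashSet<>()).add(p); return this; }
        Set<String> rolesFor(Subject s) {
            Set<String> roles = new TreeSet<>();
            for (Map.Entry<String, Set<Principal>> e : members.entrySet())
                for (Principal p : s.getPrincipals()) if (e.getValue().contains(p)) roles.add(e.getKey());
            return roles;
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Discovery pass: a handler that refuses every callback, like the container's first call.
        DemoLoginModule probe = new DemoLoginModule();
        probe.initialize(new Subject(), cbs -> { throw new UnsupportedCallbackException(cbs[0]); }, Map.of(), Map.of());
        try { probe.login(); } catch (LoginException e) { System.out.println("first call: " + e.getMessage()); }

        // 2. Real login for "pancho", whose only group is "administrator".
        Subject subject = new Subject();
        DemoLoginModule lm = new DemoLoginModule();
        lm.initialize(subject, cbs -> {
            for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("pancho");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("pancho-pw".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        }, Map.of(), Map.of());
        lm.login(); lm.commit();

        // 3. Only the GROUP principal named "administrator" is granted IBMS; a USER of the same name is not.
        RoleMapping mapping = new RoleMapping().grant("IBMS", new GroupPrincipal("administrator"));
        System.out.println(subject.getPrincipals() + " -> " + mapping.rolesFor(subject));
        Subject sameName = new Subject();
        sameName.getPrincipals().add(new UserPrincipal("administrator"));
        System.out.println(sameName.getPrincipals() + " -> " + mapping.rolesFor(sameName));
    }
}
```

Compile with `javac RealmDemo.java` and run it. The first `login()` call, made with a handler that refuses every callback, ends in a `LoginException`, which is the behaviour Yeray traced; the second call, with a handler that answers, succeeds and `commit()` puts both a user principal and a group principal into the `Subject`. The mapping then grants IBMS to pancho because one of his principals is (`GroupPrincipal`, "administrator"), while a `Subject` carrying only (`UserPrincipal`, "administrator") gets no role at all. That is why the role-mapping section of the plan has to name the principal class as well as the principal name: the name alone would let the two "administrator" principals be confused, and a plan that lists no principals under the role, as in the web app plan quoted above, grants the role to nobody.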