Jboss, JAAS, Spring -- working example?

[jkwon]

Hi,

I'm currently trying to configure, for prototyping purposes, the Acegi security system to work with a JBoss and JAAS deployment I currently have working. I'm just confused about several things at the moment:

-- In configuring the authenticationProvider as a JaasAuthenticationProvider, the API documentation seems to imply that the properties "loginConfig" and "loginContextName" point to JBoss's "auth.conf" and the module defined in that file. Is this correct? If that's the case, what about everything that is defined in JBoss's "login-config.xml" file?

-- If the loginConfig file really should be auth.conf, this leads me to another source of confusion. In my deployment, it doesn't really seem like auth.conf does anything. I can remove it entirely, and it doesn't affect anything so long as login-config.xml contains the correct security domain configuration information. In which case, what good does it do for me to have Acegi point to auth.conf when it seems to have no active role at all?

If someone has experience with a working example integrating Acegi, JBoss, and JAAS, that'd be great...

Thanks!

[RayKrueger]

I think your blending JAAS and JBoss a bit too much. JAAS is a stand alone API for Authentication and Authorization. JBoss supports Jaas in their own way.

If JBoss' auth.conf file is their JAAS configuration file, then yes, that is what the JaasAuthenticationProvider loginConfig property should be pointed at.

The contents of that file should look something like..

Code:

ConfigurationName {
    login.module.class.name required;
};

Where ConfigurationName is the value you would pass to the loginContextName property.


As for the auth.conf/login-config.xml thing...
If you have the JaasAuthenticationProvider.loginConfig pointed at auth.conf and you remove auth.conf, it should blow up when you try to start the webapp, or when you login. If it isn't blowing up, it would seem that your Acegi configuration is incorrect and JBoss is doing all the authentication work.

Also, it seems your using more JBoss than you are Jaas, you may want to look at the JBoss adapter. The JaasAuthenticationProvider is really designed for simple Jaas authentication, more-or-less alone.

[vincci]

I'm having some trouble that might be related to this message.

I'm working on using JaasAuthenticationProvider to have jaas(indeed SRP) login to a jboss application with Acegi. Looking at authenticate() in JaasAuthenticationProvider:

Code:

 LoginContext loginContext = new LoginContext(loginContextName,
                        new InternalCallbackHandler(auth));
                //Attempt to login the user, the LoginContext will call our InternalCallbackHandler at this point.
                loginContext.login();

loginContext.login() method in turns call Configuration.getConfiguration().
Then jboss's XMLLoginConfigImpl which implements Configuration is the configuration that's returned. And as a result, login-config.xml is the file the application looks for configuration information. And regardless of what loginConfig property i set in the bean, login-config.xml is being used. Am I supposed to write my own version of configuration and override loadConfig() method if i don't want this default behavior?

Thanks,
Vincci

[dhoffer]

Did you find a solution?

I too am having trouble configuring Spring Security with JAAS. I get the following error at startup.

14:09:25,549 INFO [STDOUT] ERROR - ContextLoader.initWebApplicationContext(214) | Context initialization failed
org.springframework.beans.factory.BeanCreationExce ption: Error creating bean with name '_filterChainProxy': Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationExce ption: Error creating bean with name '_filterChainList': Cannot resolve reference to bean '_rememberMeFilter' while setting bean property 'filters' with key [6]; nested exception is org.springframework.beans.factory.BeanCreationExce ption: Error creating bean with name '_rememberMeFilter': Cannot resolve reference to bean '_rememberMeServices' while setting bean property 'rememberMeServices'; nested exception is org.springframework.beans.factory.BeanCreationExce ption: Error creating bean with name '_rememberMeServices': Initialization of bean failed; nested exception is org.springframework.security.config.SecurityConfig urationException: No UserDetailsService registered.
at org.springframework.beans.factory.support.Abstract AutowireCapableBeanFactory.doCreateBean(AbstractAu towireCapableBeanFactory.java:470)
at org.springframework.beans.factory.support.Abstract AutowireCapableBeanFactory$1.run(AbstractAutowireC apableBeanFactory.java:404)
at java.security.AccessController.doPrivileged(Native Method)
at org.springframework.beans.factory.support.Abstract AutowireCapableBeanFactory.createBean(AbstractAuto wireCapableBeanFactory.java:375)
at org.springframework.beans.factory.support.Abstract BeanFactory$1.getObject(AbstractBeanFactory.java:2 63)
at org.springframework.beans.factory.support.DefaultS ingletonBeanRegistry.getSingleton(DefaultSingleton BeanRegistry.java:170)
at org.springframework.beans.factory.support.Abstract BeanFactory.doGetBean(AbstractBeanFactory.java:260 )
at org.springframework.beans.factory.support.Abstract BeanFactory.getBean(AbstractBeanFactory.java:184)
at org.springframework.beans.factory.support.Abstract BeanFactory.getBean(AbstractBeanFactory.java:163)
at org.springframework.beans.factory.support.DefaultL istableBeanFactory.preInstantiateSingletons(Defaul tListableBeanFactory.java:430)
at org.springframework.context.support.AbstractApplic ationContext.finishBeanFactoryInitialization(Abstr actApplicationContext.java:729)
at org.springframework.context.support.AbstractApplic ationContext.refresh(AbstractApplicationContext.ja va:381)
at org.springframework.web.context.ContextLoader.crea teWebApplicationContext(ContextLoader.java:254)
at org.springframework.web.context.ContextLoader.init WebApplicationContext(ContextLoader.java:198)
at org.springframework.web.context.ContextLoaderListe ner.contextInitialized(ContextLoaderListener.java: 45)
at org.apache.catalina.core.StandardContext.listenerS tart(StandardContext.java:3856)
at org.apache.catalina.core.StandardContext.start(Sta ndardContext.java:4361)
at org.apache.catalina.core.ContainerBase.addChildInt ernal(ContainerBase.java:790)
at org.apache.catalina.core.ContainerBase.addChild(Co ntainerBase.java:770)
at org.apache.catalina.core.StandardHost.addChild(Sta ndardHost.java:553)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Native MethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.tomcat.util.modeler.BaseModelMBean.invo ke(BaseModelMBean.java:296)
at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDy namicInvoker.java:164)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanSe rverImpl.java:659)
at org.apache.catalina.core.StandardContext.init(Stan dardContext.java:5312)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Native MethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.tomcat.util.modeler.BaseModelMBean.invo ke(BaseModelMBean.java:296)
at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDy namicInvoker.java:164)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanSe rverImpl.java:659)
at org.jboss.web.tomcat.service.TomcatDeployer.perfor mDeployInternal(TomcatDeployer.java:301)
at org.jboss.web.tomcat.service.TomcatDeployer.perfor mDeploy(TomcatDeployer.java:104)
at org.jboss.web.AbstractWebDeployer.start(AbstractWe bDeployer.java:375)
at org.jboss.web.WebModule.startModule(WebModule.java :83)
at org.jboss.web.WebModule.startService(WebModule.jav a:61)
at org.jboss.system.ServiceMBeanSupport.jbossInternal Start(ServiceMBeanSupport.java:289)
at org.jboss.system.ServiceMBeanSupport.jbossInternal Lifecycle(ServiceMBeanSupport.java:245)
at sun.reflect.GeneratedMethodAccessor3.invoke(Unknow n Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invok e(ReflectedDispatcher.java:155)
at org.jboss.mx.server.Invocation.dispatch(Invocation .java:94)
at org.jboss.mx.server.Invocation.invoke(Invocation.j ava:86)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(Ab stractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanSe rverImpl.java:659)
at org.jboss.system.ServiceController$ServiceProxy.in voke(ServiceController.java:978)
at $Proxy0.start(Unknown Source)
at org.jboss.system.ServiceController.start(ServiceCo ntroller.java:417)
at sun.reflect.GeneratedMethodAccessor9.invoke(Unknow n Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invok e(ReflectedDispatcher.java:155)
at org.jboss.mx.server.Invocation.dispatch(Invocation .java:94)
at org.jboss.mx.server.Invocation.invoke(Invocation.j ava:86)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(Ab stractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanSe rverImpl.java:659)
at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyE xt.java:210)
at $Proxy44.start(Unknown Source)
at org.jboss.web.AbstractWebContainer.start(AbstractW ebContainer.java:466)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Native MethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invok e(ReflectedDispatcher.java:155)
at org.jboss.mx.server.Invocation.dispatch(Invocation .java:94)
at org.jboss.mx.interceptor.AbstractInterceptor.invok e(AbstractInterceptor.java:133)
at org.jboss.mx.server.Invocation.invoke(Invocation.j ava:88)
at org.jboss.mx.interceptor.ModelMBeanOperationInterc eptor.invoke(ModelMBeanOperationInterceptor.java:1 42)
at org.jboss.mx.interceptor.DynamicInterceptor.invoke (DynamicInterceptor.java:97)
at org.jboss.system.InterceptorServiceMBeanSupport.in vokeNext(InterceptorServiceMBeanSupport.java:238)
at org.jboss.wsf.container.jboss42.DeployerIntercepto r.start(DeployerInterceptor.java:87)
at org.jboss.deployment.SubDeployerInterceptorSupport $XMBeanInterceptor.start(SubDeployerInterceptorSup port.java:188)
at org.jboss.deployment.SubDeployerInterceptor.invoke (SubDeployerInterceptor.java:95)
at org.jboss.mx.server.Invocation.invoke(Invocation.j ava:88)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(Ab stractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanSe rverImpl.java:659)
at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyE xt.java:210)
at $Proxy45.start(Unknown Source)

[dhoffer]

I have gotten much further, Spring Security with JAAS works in Tomcat so I think my configuration is right. But it still doesn't work in JBoss.

Here are the details:

13:54:02,128 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role f
iles
java.io.IOException: No properties file: users.properties or defaults: defaultUs
ers.properties found
at org.jboss.security.auth.spi.Util.loadProperties(Ut il.java:315)
at org.jboss.security.auth.spi.UsersRolesLoginModule. loadUsers(UsersRole
sLoginModule.java:186)
at org.jboss.security.auth.spi.UsersRolesLoginModule. createUsers(UsersRo
lesLoginModule.java:200)
at org.jboss.security.auth.spi.UsersRolesLoginModule. initialize(UsersRol
esLoginModule.java:127)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Native MethodAccessorImpl.
java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAcces
sorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(Logi nContext.java:756)
at javax.security.auth.login.LoginContext.access$000( LoginContext.java:1
86)
at javax.security.auth.login.LoginContext$4.run(Login Context.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv( LoginContext.java:6
80)
at javax.security.auth.login.LoginContext.login(Login Context.java:579)
at org.springframework.security.providers.jaas.JaasAu thenticationProvide
r.authenticate(JaasAuthenticationProvider.java:190 )
at org.springframework.security.providers.ProviderMan ager.doAuthenticati
on(ProviderManager.java:188)
at org.springframework.security.AbstractAuthenticatio nManager.authentica
te(AbstractAuthenticationManager.java:46)
at org.springframework.security.ui.basicauth.BasicPro cessingFilter.doFil
terHttp(BasicProcessingFilter.java:139)
at org.springframework.security.ui.SpringSecurityFilt er.doFilter(SpringS
ecurityFilter.java:53)
at org.springframework.security.util.FilterChainProxy $VirtualFilterChain
.doFilter(FilterChainProxy.java:390)
at org.springframework.security.context.HttpSessionCo ntextIntegrationFil
ter.doFilterHttp(HttpSessionContextIntegrationFilt er.java:235)
at org.springframework.security.ui.SpringSecurityFilt er.doFilter(SpringS
ecurityFilter.java:53)
at org.springframework.security.util.FilterChainProxy $VirtualFilterChain
.doFilter(FilterChainProxy.java:390)
at org.springframework.security.util.FilterChainProxy .doFilter(FilterCha
inProxy.java:175)
at org.springframework.web.filter.DelegatingFilterPro xy.invokeDelegate(D
elegatingFilterProxy.java:236)
at org.springframework.web.filter.DelegatingFilterPro xy.doFilter(Delegat
ingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(Appl
icationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationF
ilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doF ilter(ReplyHeaderFi
lter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(Appl
icationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationF
ilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invo ke(StandardWrapperV
alve.java:230)
at org.apache.catalina.core.StandardContextValve.invo ke(StandardContextV
alve.java:175)
at org.jboss.web.tomcat.security.SecurityAssociationV alve.invoke(Securit
yAssociationValve.java:182)
at org.jboss.web.tomcat.security.JaccContextValve.inv oke(JaccContextValv
e.java:84)
at org.apache.catalina.core.StandardHostValve.invoke( StandardHostValve.j
ava:127)
at org.apache.catalina.valves.ErrorReportValve.invoke (ErrorReportValve.j
ava:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionV alve.invoke(CachedC
onnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invok e(StandardEngineVal
ve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.servic e(CoyoteAdapter.jav
a:262)
at org.apache.coyote.http11.Http11AprProcessor.proces s(Http11AprProcesso
r.java:856)
at org.apache.coyote.http11.Http11AprProtocol$Http11C onnectionHandler.pr
ocess(Http11AprProtocol.java:566)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run( AprEndpoint.java:15
08)

Here are my configuration files:

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

<http>
<intercept-url pattern="/**" access="ROLE_USER"/>
<http-basic/>
</http>
</beans:beans>

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schem...rity-2.0.4.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-2.5.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schem...ontext-2.5.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schem...ng-aop-2.5.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schem...ing-tx-2.5.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-2.5.xsd">

<!-- ========================= JAAS Security using Spring ==================================== -->
<bean id="jaasAuthenticationProvider"
class="org.springframework.security.providers.jaas .JaasAuthenticationProvider">
<security:custom-authentication-provider />

<property name="loginConfig" value="/WEB-INF/jaas.conf"/>
<property name="loginContextName" value="JAAS_Config"/>
<property name="callbackHandlers">
<list>
<bean class="org.springframework.security.providers.jaas .JaasNameCallbackHandler"/>
<bean class="org.springframework.security.providers.jaas .JaasPasswordCallbackHandler"/>
</list>
</property>
<property name="authorityGranters">
<list>
<bean class="com.issinc.cdf.security.WebTASAuthorityGran ter"/>
</list>
</property>
</bean>
</beans>

JAAS_Config {
ipt.tas.security.login.WebTASCommonLoginModule required;
};


Why isn't this portable to JBoss?