I have a trivial problem about execute endpoint resteasy with a trusted SecurityDomain and a specific RolesAllowed.
After a successfull login with loginmodule approach with a login form , the response of endpoint is an access denied (HTTP Status 403 - Access to the requested resource has been denied)
Now I describe the actual case use:
Environment is Jboss AS7, there is an .ear artifact with following configuration
standalone.xml
<management>
...
<security-realm name="EJBRealm">
<authentication>
<jaas name="CustomRealm"/>
</authentication>
</security-realm>
...
</management>
<subsystem xmlns="urn:jboss:domain:security:1.1">
...
<security-domain name="CustomRealm">
<authentication>
<login-module code="Database" flag="sufficient">
<module-option name="dsJndiName" value="java:jboss/jdbc/PUDS"/>
<module-option name="principalsQuery" value="SELECT 'system' FROM dual WHERE ? = 'system'"/>
<module-option name="rolesQuery" value="SELECT 'authenticated', 'Roles' from dual WHERE ? = 'system'"/>
</login-module>
<login-module code="custom.jaas.AuthenticationProxyLoginModule" flag="sufficient" module="custom.authentication">
<module-option name="authBE_ip_port" value="${install.module.authBE_ip_port}"/>
<module-option name="authBE_ip_address" value="${install.module.authBE_ip_address}"/>
<module-option name="authBE_context_path" value="${install.module.authBE_context_path}"/>
</login-module>
</authentication>
</security-domain>
...
</subsystem>
In this ear there is a web-module artifact .war with a set of endpoint with resteasy approach with following configuration:
web.xml
<context-param>
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/login.html</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured Content</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>ADMIN</role-name>
</security-role>
This role exist on database autentication realm
jboss-web.xml
<jboss-web version="7.1"
xmlns="http://www.jboss.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/schema/jbossas/jboss-web_7_1.xsd">
<security-domain>CustomRealm</security-domain>
</jboss-web>
On jboss-web.xml I setting the customrealm defined on standlalone.xml
The resteasy class is defined as followed:
#Component
#Path(value = "/endpoint")
#SecurityDomain("CustomRealm")
#DeclareRoles({"ADMIN", "DEFAULT"})
public class CustomRest implements ICustomRest
{
...
#Override
#GET
#Path(value = "/testendpoint/{id}")
#Consumes(value = MediaType.APPLICATION_JSON)
#RolesAllowed("ADMIN")
public void testendpoint(#PathParam(value = "id") Long id) throws Exception {
//code to execute
}
...
}
This class is annotated with securitydomain at class scope and on method testendpoint define the annotation #RolesAllowed with ADMIN (as defined on web.xml)
If I call the rest uri
http://localhost:8080/api/services/endpoint/testendpoint/23456
the login form is viewed, I insert correct credentials that received from custom.jaas.AuthenticationProxyLoginModule module correctly. The autentication is ok after a successfull login as aspect it.
After all ok, the endpoint don't execute but the response is Access Denied systematically.
What's my wrong?
Login module is configured correctly on standlone.xml, the login form is viewed correctly, the submit credentials is received correctly from custom loginmodule, the method login grant ok authentication, but in the final the response of endpoint is an access denied!!!! Why? It's very trivial and I have got nothing to resolve this trivial problem!
It's all ok , but access denied! I'm sure there is a few wrong that I don't able to understand!
Thanks in advances for a response!
Ok! I find the wrong!!!
I analyzed the code of custom login module and I realized that the native method of loginmodule getRoleSets define a custom role called "authenticated" and not retrieve the roles from database :| !
I fixed so the role with authenticated removing "ADMIN" and all go ok!
Finally I can execute this rest endpoint with a secure login as I aspect it!
I'm very happy to resolve this trouble! Is not a good idea to fix a role on custom method getRoleSets but this is an application on production from many years and I must integrate a webmodule rest endpoint over them!
Thanks all!!
does somebody has a valid and working example of a Mondrian to Kylin connection?
I found that the unique version on Mondrian made to run standalone far away from other things from Pentaho / Saiku is available from this report on github.
So I downloaded the war and moved it into the tomcat's web apps dir, then I upgraded some Jar as suggested in this website.
The problem is that nothing seems to work.
I have defined a datasource as follow:
datasources\ -\ kylin.xml
<?xml version="1.0"?>
<!--
http://mondrian.pentaho.com/documentation/installation.php#5_1_Describe_the_data_sources_in_datasources.xml
-->
<DataSources>
<DataSource>
<DataSourceName>test</DataSourceName>
<DataSourceDescription>test from kylin</DataSourceDescription>
<URL>http://localhost:8080/xmondrian/xmla</URL>
<DataSourceInfo>Provider=mondrian; Jdbc=jdbc:kylin://192.168.127.100:7070/Luca_test; JdbcDrivers=org.apache.kylin.jdbc.Driver; JdbcUser=ADMIN; JdbcPassword=KYLIN</DataSourceInfo>
<ProviderName>Mondrian</ProviderName>
<ProviderType>MDP</ProviderType>
<AuthenticationMode>Unauthenticated</AuthenticationMode>
<Catalogs>
<Catalog name="test">
<Definition>/WEB-INF/schema/test.xml</Definition>
</Catalog>
</Catalogs>
</DataSource>
</DataSources>
test.xml ( the schema )
<?xml version="1.0"?>
<Schema name="schema qualcosa" description="ancora di +" measuresCaption="bho" defaultRole="non lo so">
<Cube name="il nome del cubo" caption="non ho idea di cosa possa essere" visible="true" description="come sopra + esteso" cache="false" enabled="true">
<Table name="SAK_FACT_TRANSACTIONS" schema="UNIFIEDDATA_WORK" alias="transaction">
</Table>
<Dimension type="StandardDimension" visible="true" foreignKey="PRICE" name="SAK_FACT_TRANSACTIONS_PRICE">
</Dimension>
<Measure name="price" column="PRICE" datatype="Numeric" aggregator="sum" formatter="$#,##0.00" description="price come sopra" visible="true">
</Measure>
</Cube>
</Schema>
And tomcat logs show:
10:06:06,331 ERROR [XmlaServlet] Errors when handling XML/A message
mondrian.xmla.XmlaException: Mondrian Error:XMLA Discover unparse results error
at mondrian.xmla.XmlaHandler.discover(XmlaHandler.java:2904)
at mondrian.xmla.XmlaHandler.process(XmlaHandler.java:671)
at mondrian.xmla.impl.DefaultXmlaServlet.handleSoapBody(DefaultXmlaServlet.java:507)
at mondrian.xmla.XmlaServlet.doPost(XmlaServlet.java:318)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at mondrian.olap.Util.readURL(Util.java:3243)
at mondrian.server.UrlRepositoryContentFinder.getContent(UrlRepositoryContentFinder.java:44)
at mondrian.server.FileRepository.getServerInfo(FileRepository.java:236)
at mondrian.server.FileRepository.getConnection(FileRepository.java:117)
at mondrian.server.MondrianServerImpl.getConnection(MondrianServerImpl.java:262)
at mondrian.xmla.XmlaHandler.getConnection(XmlaHandler.java:2976)
at mondrian.xmla.XmlaHandler.getConnection(XmlaHandler.java:177)
at mondrian.xmla.Rowset.populate(Rowset.java:219)
at mondrian.xmla.Rowset.unparse(Rowset.java:194)
at mondrian.xmla.XmlaHandler.discover(XmlaHandler.java:2898)
... 27 more
The schema has been validated into the workbench-schema.
Any help is appreciated and welcomed.
Any help.
Short version:
I have setup a small maven web project (JDK 1.8.0, Source: 1.8, JavaEE7) to test the JDBCRealm in Glassfish 4.1 (build 13). It consists of two Entities: RealmUser und RealmGroup and a JAX-RS Service to insert, update and delete these Entities.
I defined the JDBCResource in glassfish-resources.xml, configured the realm via Glassfish Admin Console, and setup web.xml with login-config (BASIC) only.
When using a WebFilter to activate authentication it works fine.
But when i setup a security constraint in the web.xml instead, i get the following exception whenever i try to access the protected resource (Full Stacktrace and details below):
Schwerwiegend: jdbcrealm.invaliduser
Fine: Cannot validate user
javax.security.auth.login.LoginException: Unable to connect to datasource java:app/jdbc/sampleresource for database user null.
...
Caused by: javax.naming.NamingException: Lookup failed for 'java:app/jdbc/sampleresource' in SerialContext[myEnv={com.sun.enterprise.connectors.jndisuffix=__nontx, java.naming.factory.initial=com.sun.enterprise.naming.impl.SerialInitContextFactory, java.naming.factory.state=com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl, java.naming.factory.url.pkgs=com.sun.enterprise.naming} [Root exception is javax.naming.NamingException: Invocation exception: Got null ComponentInvocation ]
...
Caused by: javax.naming.NamingException: Invocation exception: Got null ComponentInvocation
...
Your help is greatly appreciated!
Step by Step:
I created a Derby Database (SampleDB, user: testuser, password: pw) and defined a JDBC resource via glassfish-resources.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE resources PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Resource Definitions//EN" "http://glassfish.org/dtds/glassfish-resources_1_5.dtd">
<resources>
<jdbc-resource enabled="true" jndi-name="java:app/jdbc/sampleresource" object-type="user" pool-name="samplepool">
<description/>
</jdbc-resource>
<jdbc-connection-pool datasource-classname="org.apache.derby.jdbc.ClientDataSource40" name="samplepool" res-type="javax.sql.DataSource">
<property name="URL" value="jdbc:derby://localhost:1527/SampleDB"/>
<property name="serverName" value="localhost"/>
<property name="portNumber" value="1527"/>
<property name="databaseName" value="SampleDB"/>
<property name="User" value="testuser"/>
<property name="Password" value="pw"/>
<property name="driverClass" value="org.apache.derby.jdbc.ClientDriver"/>
</jdbc-connection-pool>
</resources>
I created the persistence.xml with jta-data-source set to java:app/jdbc/sampleresource:
<?xml version="1.0" encoding="UTF-8"?>
<persistence version="2.1" xmlns="http://xmlns.jcp.org/xml/ns/persistence" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence http://xmlns.jcp.org/xml/ns/persistence/persistence_2_1.xsd">
<persistence-unit name="SampleRealmPU" transaction-type="JTA">
<jta-data-source>java:app/jdbc/sampleresource</jta-data-source>
<exclude-unlisted-classes>false</exclude-unlisted-classes>
<properties>
<property name="javax.persistence.schema-generation.database.action" value="create"/>
</properties>
</persistence-unit>
</persistence>
On Startup the Application adds a default user (admin, pw) and default group (Administrator), and assigns admin to the Administrator group.
Then i created the JDBC Realm using the Admin Console, and pointed the Realm to java:app/jdbc/sampleresource.
Note:
I added Database username and password entries although they should be redundant.
Default Principal To Role Mapping is Enabled.
I implemented two services:
GET on .../webresources/UserService/users returns the list of all users
GET on .../webresources/UserService/groups return the list of all groups
Now to activate authentication for accessing groups i created a very simple web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>SampleRealm</realm-name>
</login-config>
</web-app>
and a WebFilter:
#WebFilter("/webresources/UserService/groups/*")
public class Authenticator implements Filter {
#Override
public void init(FilterConfig filterConfig) throws ServletException {
}
#Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
try {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
if (req.authenticate(resp)) {
chain.doFilter(req, resp);
}
} catch (Throwable t) {
t.printStackTrace();
}
}
#Override
public void destroy() {
}
}
So far it works! I have to provide my default user credentials to access the groups.
Now instead of using the Webfilter i want to use the web.xml to define the same authentication constraint on groups. I commented the whole WebFilter and modified the web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<security-constraint>
<display-name>GroupConstraint</display-name>
<web-resource-collection>
<web-resource-name>UserService groups</web-resource-name>
<description/>
<url-pattern>/webresources/UserService/groups/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>requires auth</description>
<role-name>Administrator</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>SampleRealm</realm-name>
</login-config>
<security-role>
<description/>
<role-name>Administrator</role-name>
</security-role>
</web-app>
With this setup i can access the users resource (i.e. database is there) but when i try to access the groups resource i get HTTP Status 401 - Unauthorized and Glassfish logs:
Fine: [Web-Security] Setting Policy Context ID: old = null ctxID = samples-realm-web/samples-realm-web
Fine: [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "/webresources/UserService/groups" "GET")
Fine: [Web-Security] hasUserDataPermission isGranted: true
Fine: [Web-Security] Policy Context ID was: samples-realm-web/samples-realm-web
Fine: [Web-Security] Generating a protection domain for Permission check.
Fine: [Web-Security] Codesource with Web URL: file:/samples-realm-web/samples-realm-web
Fine: [Web-Security] Checking Web Permission with Principals : null
Fine: [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/webresources/UserService/groups" "GET")
Finest: JACC Policy Provider: PolicyWrapper.implies, context (samples-realm-web/samples-realm-web)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/webresources/UserService/groups" "GET"))
Fine: [Web-Security] hasResource isGranted: false
Fine: [Web-Security] hasResource perm: ("javax.security.jacc.WebResourcePermission" "/webresources/UserService/groups" "GET")
Finest: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
Fine: Logging in user [admin] into realm: SampleRealm using JAAS module: jdbcRealm
Fine: Login module initialized: class com.sun.enterprise.security.ee.auth.login.JDBCLoginModule
Schwerwiegend: jdbcrealm.invaliduser
Fine: Cannot validate user
javax.security.auth.login.LoginException: Unable to connect to datasource java:app/jdbc/sampleresource for database user null.
at com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm.getConnection(JDBCRealm.java:585)
at com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm.isUserValid(JDBCRealm.java:408)
at com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm.authenticate(JDBCRealm.java:324)
at com.sun.enterprise.security.ee.auth.login.JDBCLoginModule.authenticate(JDBCLoginModule.java:78)
at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:116)
at com.sun.enterprise.security.BasePasswordLoginModule.login(BasePasswordLoginModule.java:145)
at sun.reflect.GeneratedMethodAccessor52.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at com.sun.enterprise.security.auth.login.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:383)
at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:241)
at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:154)
at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:695)
at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:636)
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:166)
at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1524)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:606)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:702)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:415)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:282)
at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167)
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:201)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:175)
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)
at java.lang.Thread.run(Thread.java:744)
Caused by: javax.naming.NamingException: Lookup failed for 'java:app/jdbc/sampleresource' in SerialContext[myEnv={com.sun.enterprise.connectors.jndisuffix=__nontx, java.naming.factory.initial=com.sun.enterprise.naming.impl.SerialInitContextFactory, java.naming.factory.state=com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl, java.naming.factory.url.pkgs=com.sun.enterprise.naming} [Root exception is javax.naming.NamingException: Invocation exception: Got null ComponentInvocation ]
at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:491)
at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:438)
at javax.naming.InitialContext.lookup(InitialContext.java:417)
at javax.naming.InitialContext.lookup(InitialContext.java:417)
at org.glassfish.resourcebase.resources.naming.ResourceNamingService.lookup(ResourceNamingService.java:236)
at com.sun.enterprise.connectors.service.ConnectorResourceAdminServiceImpl.lookup(ConnectorResourceAdminServiceImpl.java:224)
at com.sun.enterprise.connectors.ConnectorRuntime.lookupNonTxResource(ConnectorRuntime.java:553)
at com.sun.enterprise.connectors.ConnectorRuntime.lookupNonTxResource(ConnectorRuntime.java:538)
at com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm.getConnection(JDBCRealm.java:573)
... 48 more
Caused by: javax.naming.NamingException: Invocation exception: Got null ComponentInvocation
at com.sun.enterprise.naming.impl.GlassfishNamingManagerImpl.getComponentId(GlassfishNamingManagerImpl.java:842)
at com.sun.enterprise.naming.impl.GlassfishNamingManagerImpl.lookup(GlassfishNamingManagerImpl.java:714)
at com.sun.enterprise.naming.impl.JavaURLContext.lookup(JavaURLContext.java:167)
at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:471)
... 56 more
Fine: JAAS authentication aborted.
Finest: doPasswordLogin fails
javax.security.auth.login.LoginException: Security Exception
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:840)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at com.sun.enterprise.security.auth.login.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:383)
at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:241)
at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:154)
at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:695)
at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:636)
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:166)
at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1524)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:606)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:702)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:415)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:282)
at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167)
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:201)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:175)
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.SecurityException
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:841)
... 39 more
Warnung: WEB9102: Web Login Failed: com.sun.enterprise.security.auth.login.common.LoginException: Login failed: Security Exception
I tried several things to solve this including:
renaming the jdbc resource
leaving/adding the java:app namespace at several points
creating a completly new project to test
added Role Mappings (despite having default Role mapping enabled)
Example of RoleMappings using glassfish-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMSSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/h2ee web-app_2_4.xsd">
<security-role-mapping>
<role-name>Administrator</role-name>
<group-name>Administrator</group-name>
</security-role-mapping>
</glassfish-web-app>
Your help is greatly appreciated!
your password Encryption is set to SHA-256... Make it AES
USE SHA-256 as the digest Algo not the encryption... try using Hex as the Encoding
JBoss Wildfly 8.0.0-Final
JSF 2.2.4
First I created login using the application-users.properties and application-roles.properties.
Added user with add-user.bat
Web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Resource</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/error.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
Standalone.xml
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
login.xhtml
<?xml version="1.0" encoding="UTF-8"?>
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://xmlns.jcp.org/jsf/facelets"
xmlns:f="http://xmlns.jcp.org/jsf/core"
xmlns:h="http://xmlns.jcp.org/jsf/html"
xmlns:p="http://primefaces.org/ui">
<div class="center">
<form method="POST" action="j_security_check" id="">
<h:panelGrid id="panel" columns="2" border="1" cellpadding="4" cellspacing="4">
<h:outputLabel for="j_username" value="Username:" />
<input type="text" name="j_username" />
<h:outputLabel for="j_password" value="Password:" />
<input type="password" name="j_password" />
<h:panelGroup>
<input type="submit" value="Login" />
</h:panelGroup>
</h:panelGrid>
</form>
</div>
</ui:composition>
So that worked fine.. now I want to use database authentication.. so I change the standalone.xml.
<login-module code="Database" flag="sufficient">
<module-option name="dsJndiName" value="java:jboss/jsi/GarageXADataSource"/>
<module-option name="principalsQuery" value="select encode(password, 'hex') from principal where username=?"/>
<module-option name="rolesQuery" value="select r.role, r.role_group from role r inner join principal p on r.role = p.role where p.username=?"/>
<module-option name="hashAlgorithm" value="SHA-512"/>
<module-option name="hashEncoding" value="hex"/>
</login-module>
I use this sql to insert a role and a user in the database ( PostgreSQL 9.3 )
INSERT INTO role(role, role_group) VALUES ('admin', 'Roles'); INSERT
INTO principal(username, email, password, role) VALUES ('Kris',
'xx#gmail.com', digest('pass', 'sha512'), 'admin');
But the login does not work.
I see no errors in the log.
I have used this approach before on AS 7.1.1 where it worked.
Thanks for you help.
Firstly DatabaseServerLoginModule logs to trace level, so you should set org.jboss.security log levels to trace in your standalone.xml as follows. Now you should see the errors in your server.log
<logger category="org.jboss.security">
<level name="TRACE"/>
</logger>
You also need to add a realm-name within your jboss-web.xml
<jboss-web>
<security-domain>java:/jaas/MyRealm</security-domain>
</jboss-web>
You have not supplied the surrounding tags around your login-module configuration snippet. You should have something this below. The realm name needs to match that in your web.xml
<subsystem xmlns="urn:jboss:domain:security:1.0">
<security-domains>
<security-domain name="MyRealm">
<authentication>
<login-module code="Database" flag="required">
....
</authentication>
</security-domain>
</security-domains>
</subsystem>
Once you have done this could you post any errors from your server.log.
The problem is with constant 'Roles', you must specify it exactly like that 'Roles'. Example:
Select role, 'Roles' from Role where roleId =
I just had the same problem with Wildfly, look for this line in your standalone.xml
<default-security-domain value="other"/>
And change other to your securitydomain, in previous versions this option was n't necessary.
try to add a file jboss-web.xml in the WEB-INF folder:
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee
http://www.jboss.org/j2ee/schema/jboss-web_6_0.xsd" version="6.0">
<security-domain>java:/jaas/MyRealm</security-domain>
</jboss-web>
I was facing the same problem just now, but I've just managed to fix it!
The problem seems to be the principalsQuery.
According to the documentation you have to put the "Role" and "RoleGroup" in principalsQuery and they have to be with exactly case to match.
SQL prepared statement to be executed in order to map roles. It should be an equivalent to select Role, RoleGroup from Roles where PrincipalID=?, where Role is the role name and RoleGroup column value should always be "Roles" with capital R.
I was also not seeing anything, but I've enabled the below tag (just like Chris told) in my standalone.xml and now I'm able to see errors like "invalid login/password" in the logs.
<logger category="org.jboss.security">
<level name="TRACE"/>
</logger>
What I've done to confirm that the server was at least querying the database was to check the MySQL (in my case) logs to see if it was being queried.
All in all, the below configuration is what is working for me and btw it seems that few module-options like "hashEncoding" are not being used anymore (also according to the docs).
<security-domain name="example-jaas-realm">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:/jboss/datasources/TestDS"/>
<module-option name="principalsQuery" value="select password as 'Password' from users where username=?"/>
<module-option name="rolesQuery" value="select ur.rolename as 'Role', ur.rolename as 'RoleGroup' from users_roles ur, users u, roles r where r.rolename = ur.rolename and u.username = ?"/>
</login-module>
</authentication>
</security-domain>
Edit
It seems that even after matching agains the database and giving a session to the user, it is still not able to access the protected area. I believe that it has to do something Role and RoleGroup.
2014-03-20 02:03:23,116 TRACE [org.jboss.security] (default task-9) PBOX000200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal#c84b3766, cache entry: null
2014-03-20 02:03:23,120 TRACE [org.jboss.security] (default task-9) PBOX000209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal#c84b3766
2014-03-20 02:03:23,120 TRACE [org.jboss.security] (default task-9) PBOX000221: Begin getAppConfigurationEntry(example-jaas-realm), size: 4
2014-03-20 02:03:23,120 TRACE [org.jboss.security] (default task-9) PBOX000224: End getAppConfigurationEntry(example-jaas-realm), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=principalsQuery, value=select password as 'Password' from users where username=?
name=dsJndiName, value=java:/jboss/datasources/TestDS
name=rolesQuery, value=select ur.rolename as 'Role', ur.rolename as 'RoleGroup' from users_roles ur, users u, roles r where r.rolename = ur.rolename and u.username = ?
2014-03-20 02:03:23,120 TRACE [org.jboss.security] (default task-9) PBOX000236: Begin initialize method
2014-03-20 02:03:23,120 TRACE [org.jboss.security] (default task-9) PBOX000262: Module options [dsJndiName: java:/jboss/datasources/TestDS, principalsQuery: select password as 'Password' from users where username=?, rolesQuery: select ur.rolename as 'Role', ur.rolename as 'RoleGroup' from users_roles ur, users u, roles r where r.rolename = ur.rolename and u.username = ?, suspendResume: true]
2014-03-20 02:03:23,121 TRACE [org.jboss.security] (default task-9) PBOX000240: Begin login method
2014-03-20 02:03:23,121 TRACE [org.jboss.security] (default task-9) PBOX000263: Executing query select password as 'Password' from users where username=? with username renann
2014-03-20 02:03:23,123 TRACE [org.jboss.security] (default task-9) PBOX000241: End login method, isValid: true
2014-03-20 02:03:23,123 TRACE [org.jboss.security] (default task-9) PBOX000242: Begin commit method, overall result: true
2014-03-20 02:03:23,123 TRACE [org.jboss.security] (default task-9) PBOX000263: Executing query select ur.rolename as 'Role', ur.rolename as 'RoleGroup' from users_roles ur, users u, roles r where r.rolename = ur.rolename and u.username = ? with username renann
2014-03-20 02:03:23,123 TRACE [org.jboss.security] (default task-9) PBOX000263: Executing query select ur.rolename as 'Role', ur.rolename as 'RoleGroup' from users_roles ur, users u, roles r where r.rolename = ur.rolename and u.username = ? with username renann
2014-03-20 02:03:23,125 TRACE [org.jboss.security] (default task-9) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext#248d105d, subject: Subject(690838634).principals=org.jboss.security.SimplePrincipal#730498373(renann)org.jboss.security.SimpleGroup#1160321194(teste_role(members:teste_role))org.jboss.security.SimpleGroup#1160321194(admin_role(members:admin_role))org.jboss.security.SimpleGroup#1160321194(CallerPrincipal(members:renann))
2014-03-20 02:03:23,125 TRACE [org.jboss.security] (default task-9) PBOX000201: End isValid, result = true
Here's my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<security-constraint>
<display-name>Security Constraint Test Display Name</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/protected/*</url-pattern>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>CONNECT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>teste_role</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>example-jaas-realm</realm-name>
<form-login-config>
<form-login-page>/index.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-role>
<role-name>teste_role</role-name>
</security-role>
</web-app>
I am attempting to configure permissions for a meeting sign-up portlet. I have added a portlet.properties file to the docroot/WEB-INF/src directory of my portlet. Adding the following line causes an exception:
resource.actions.configs=resource-actions/default.xml
default.xml looks like this:
<?xml version="1.0"?>
<!DOCTYPE resource-action-mapping PUBLIC "-//Liferay//DTD Resource Action Mapping 6.1.0//EN" "http://www.liferay.com/dtd/liferay-resource-action-mapping_6_1_0.dtd">
<resource-action-mapping>
<resource file="resource-actions/meetingsignup.xml" />
</resource-action-mapping>
meetingsingup.xml looks like this:
<?xml version="1.0"?>
<resource-action-mapping>
<portlet-resource>
<portlet-name>meeting_signup</portlet-name>
<permissions>
<supports>
<action-key>CREATE_MEETING</action-key>
<action-key>VIEW</action-key>
</supports>
<community-defaults>
<action-key>VIEW</action-key>
<action-key>CREATE_MEETING</action-key>
</community-defaults>
<guest-defaults>
<action-key>VIEW</action-key>
<action-key>CREATE_MEETING</action-key>
</guest-defaults>
<user-defaults>
<action-key>VIEW</action-key>
<action-key>CREATE_MEETING</action-key>
</user-defaults>
</permissions>
</portlet-resource>
<model-resource>
<model-name>edu.pointloma.liferay.portlet.service.MeetingSignUp.model.Event</model-name>
<portlet-ref>
<portlet-name>meeting_signup</portlet-name>
</portlet-ref>
<permissions>
<supports>
<action-key>REGISTER</action-key>
<action-key>VIEW_REPORT</action-key>
<action-key>EDIT</action-key>
<action-key>DELETE</action-key>
</supports>
<community-defaults>
<action-key>REGISTER</action-key>
</community-defaults>
<guest-defaults>
<action-key>REGISTER</action-key>
</guest-defaults>
<user-defaults>
<action-key>REGISTER</action-key>
</user-defaults>
<power-user-defaults>
<action-key>REGISTER</action-key>
</power-user-defaults>
</permissions>
</model-resource>
</resource-action-mapping>
I.e. when I deploy the portlet the log writes:
12:36:07,035 ERROR [HotDeployUtil:112]com.liferay.portal.kernel.deploy.hot.HotDeployException: Error registering portlets for meeting_sign-up-portlet
com.liferay.portal.kernel.deploy.hot.HotDeployException: Error registering portlets for meeting_sign-up-portlet
at com.liferay.portal.kernel.deploy.hot.BaseHotDeployListener.throwHotDeployException(BaseHotDeployListener.java:45)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.invokeDeploy(PortletHotDeployListener.java:105)
at com.liferay.portal.kernel.deploy.hot.HotDeployUtil._doFireDeployEvent(HotDeployUtil.java:109)
at com.liferay.portal.kernel.deploy.hot.HotDeployUtil._fireDeployEvent(HotDeployUtil.java:183)
at com.liferay.portal.kernel.deploy.hot.HotDeployUtil.fireDeployEvent(HotDeployUtil.java:38)
at com.liferay.portal.kernel.servlet.PortletContextListener.doPortalInit(PortletContextListener.java:99)
at com.liferay.portal.kernel.util.BasePortalLifecycle.portalInit(BasePortalLifecycle.java:42)
at com.liferay.portal.kernel.util.PortalLifecycleUtil.register(PortalLifecycleUtil.java:61)
at com.liferay.portal.kernel.util.PortalLifecycleUtil.register(PortalLifecycleUtil.java:51)
at com.liferay.portal.kernel.util.BasePortalLifecycle.registerPortalLifecycle(BasePortalLifecycle.java:50)
at com.liferay.portal.kernel.servlet.PortletContextListener.contextInitialized(PortletContextListener.java:55)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3972)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4467)
at org.apache.catalina.startup.HostConfig.checkResources(HostConfig.java:1244)
at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1342)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:303)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1337)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1601)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1610)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1590)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.NullPointerException
at com.liferay.portal.security.permission.ResourceActionsUtil._readActionKeys(ResourceActionsUtil.java:942)
at com.liferay.portal.security.permission.ResourceActionsUtil._readSupportsActions(ResourceActionsUtil.java:1212)
at com.liferay.portal.security.permission.ResourceActionsUtil._readPortletResource(ResourceActionsUtil.java:1106)
at com.liferay.portal.security.permission.ResourceActionsUtil._read(ResourceActionsUtil.java:921)
at com.liferay.portal.security.permission.ResourceActionsUtil._read(ResourceActionsUtil.java:909)
at com.liferay.portal.security.permission.ResourceActionsUtil.read(ResourceActionsUtil.java:412)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.processPortletProperties(PortletHotDeployListener.java:603)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.doInvokeDeploy(PortletHotDeployListener.java:313)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.invokeDeploy(PortletHotDeployListener.java:102)
... 20 more
Why is this exception occurring, and how can I get rid of it? I have already searched the web for an answer, but I could not find one.
Try removing the first slash: resource.actions.configs=resource-actions/default.xml
double check that default.xml exists and that it is in a folder named resource-actions and that folder is under WEB-INF/src folder together with portlet.properties
Open default.xml and make sure its internal structure is compliant with Liferay Resource Mapping DTD (prev. link is for Liferay 6.1)