JAAS With JBOSS: My How-To Tutorial

Robert Paris
Ranch Hand

Joined: Jul 28, 2002
Posts: 585
There are a few different steps to get JAAS Auth to work in JBoss:
LOGIN CODE
-------------------

JBOSS EJB_DESCRIPTOR INFO
---------------------------------------------

JBOSS CONFIGURATIONS
------------------------------------

NEEDED TO COMPILE AND RUN CLIENT
---------------------------------------------------------
NOTE: you will need these jars for BOTH compiling AND running THE CLIENT
//ALL CLIENT JARS
${JBOSS_HOME}/client/*.jar
//THIS IS THE KEY!!! THIS IS THE JAR THEY DON'T TELL YOU
//ABOUT, BUT THAT HAS THE JAAS CLASSES!!!
${JBOSS_HOME}/server/all/lib/jbosssx.jar
RUNTIME SYSTEM PROPERTIES FOR CLIENT - REQUIRED
----------------------------------------------------------------
//NOTE: ALL THESE ARE FOR RUNNING THE CLIENT!!!
-Djava.security.manager
//I WILL GIVE YOU WHAT THIS FILE MUST CONTAIN
-Djava.security.auth.login.config=auth.conf
//I WILL GIVE YOU A SAMPLE OF THIS, JUST FOR TESTING
-Djava.security.policy=ourtest.policy
-Djava.security.auth.policy=ourtest.policy
CONFIG FILE (FOR CLIENT): auth.conf
------------------------------------------------------

POLICY FILE (FOR CLIENT): ourtest.policy
-----------------------------------------------------------

OK, I believe that's all you need! I think that the class for using a properties file for login usernames/passwords is: org.jboss.security.ClientLoginModule. So if you don't want to use the database for your tests, replace all the DB Module classes listed in the files above with this one.

OK, I spent a lot of time putting this together because I know it stinks to not be able to find it anywhere. I went through it myself and I don't want anyone else to be frustrated. All I ask is this:
1. Anytime you are searching for the answer to how to do something and a lot of people also want to know, and then you come up with the answer - POST IT!!
2. I need to know how to use resource-env-ref or resource-ref with Jetty (only Jetty). Anyone who knows, please post it for me! Thanks!
Robert
[ January 27, 2003: Message edited by: Robert Paris ]
[ January 17, 2004: Message edited by: Robert Paris ]
Thomas Paul
mister krabs
Ranch Hand

Joined: May 05, 2000
Posts: 13974
Why don't you write this up as an article and we'll put it in the JavaRanch newsletter.


Associate Instructor - Hofstra University
Amazon Top 750 reviewer - Blog - Unresolved References - Book Review Blog
Robert Paris
Ranch Hand

Joined: Jul 28, 2002
Posts: 585
Will do! Couple Questions:
1. Is there a basic format you'd like me to follow?
2. Where do I send the article when I finish it?
3. What about source code? I did not include a complete working version there (for example I used a database auth version, but didn't include my code for getting that to work. I can include that no problem in the article)
4. What about updates to the article/source code? In other words - I have time right now to create a full working version with MS SQL Server as the database, but no time to do that plus a MySQL version, properties version, etc. However, I could every now and then add those versions when I have free time. Is this possible?
Thanks!
Lee Barney
Ranch Hand

Joined: May 07, 2003
Posts: 37
I have tried following your example here using mysql. When I add the following code to login-config.xml as suggested
<application-policy name="EJBSecurityDomain">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName">java:/MySqlDS</module-option>
<module-option name-"principalsQuery">Select passwd from Users where username = ?<module-option>
<module-option name="rolesQuery">Select userRoles 'Role', userRoleGroups 'RoleGroup' from UserRoles where username = ?<module-option>
<login-module>
</authentication>
</application-policy>
I get the following error on starting JBoss
09:12:42,087 WARN [XMLLoginConfigImpl] Failed to load config: file:/Applications/jboss-3.0.6/server/default/conf/login-config.xml
org.jboss.security.auth.login.ParseException: Encountered "<?xml" at line 1, column 1.
Was expecting one of:
<EOF>
<IDENTIFIER> ...

What am I doing wrong in following your example?
Thanks
Robert Paris
Ranch Hand

Joined: Jul 28, 2002
Posts: 585
Well, you see this line:
<module-option name-"principalsQuery">Select passwd from Users where username = ?<module-option>
You never CLOSE the module-option. You have the same problem for the next one as well.
Georg Gruetter
Greenhorn

Joined: Aug 19, 2003
Posts: 2
Hi there,
I got the exact same error message as Lee posted previously. It is definitely not a syntax problem with my login-config.xml. I validated it against its DTD without any errors. Anyway, the error message doesn't seem to make much sense - what is wrong with an xml file beginning with <?xml version=....>? I'd appreciate any recommendations you might have.
Cheers
Georg
Georg Gruetter
Greenhorn

Joined: Aug 19, 2003
Posts: 2
Ok, after spending the better half of the day browsing forums and experimenting, I found the solution to the problem. To be able to propagate the authenticated principal to the EJB-Container from a Java-Client (e.g. JUnit) my auth.conf entry now looks as follows:
LineSecurityDomain {
org.jboss.security.auth.spi.UsersRolesLoginModule required;
org.jboss.security.ClientLoginModule required;
};
As stated in the JBoss documentation, the ClientLoginModule is responsible for propagating the principal! It did only work by incorporating the entry in the LineSecurityDomain configuration! Using the following approach didn't work.
LineSecurityDomain {
org.jboss.security.auth.spi.UsersRolesLoginModule required;
};
other {
org.jboss.security.ClientLoginModule required;
}
Hope this helps!
Georg
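An added example, not part of the posts above and not JBoss code: a JAAS LoginContext runs only the configuration entry whose name it was given and consults `other` only when no entry of that name exists, so a ClientLoginModule placed under `other` never runs for LineSecurityDomain. The parser and helper names below are assumptions made for illustration, and the two samples are constructed from the entries in the post; only simple `Class flag;` lines are handled.

```python
import re

# One entry:  Name { ...module lines... };
ENTRY_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.DOTALL)
# One module line:  fully.qualified.Class flag [options ignored here];
MODULE_RE = re.compile(r'([\w.$]+)\s+(required|requisite|sufficient|optional)\b[^;]*;')

def parse_jaas_config(text):
    """Return {entry_name: [(module_class, flag), ...]} in stacking order."""
    text = re.sub(r'//[^\n]*|/\*.*?\*/', '', text, flags=re.DOTALL)  # drop comments
    return {name: MODULE_RE.findall(body) for name, body in ENTRY_RE.findall(text)}

def modules_for(config, app_name):
    """Modules a LoginContext(app_name) would run: the named entry, else 'other'."""
    entry = config.get(app_name, config.get('other', []))
    return [cls for cls, _flag in entry]

def propagates_principal(config, app_name):
    """True when the stack that actually runs includes ClientLoginModule."""
    return 'org.jboss.security.ClientLoginModule' in modules_for(config, app_name)

# Constructed sample: the entry reported as working.
WORKING = """
LineSecurityDomain {
    org.jboss.security.auth.spi.UsersRolesLoginModule required;
    org.jboss.security.ClientLoginModule required;
};
"""

# Constructed sample: the split layout reported as not working.
SPLIT = """
LineSecurityDomain {
    org.jboss.security.auth.spi.UsersRolesLoginModule required;
};
other {
    org.jboss.security.ClientLoginModule required;
};
"""

if __name__ == "__main__":
    for label, text in (("working", WORKING), ("split", SPLIT)):
        cfg = parse_jaas_config(text)
        print(label, modules_for(cfg, "LineSecurityDomain"),
              propagates_principal(cfg, "LineSecurityDomain"))
```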
Brian DeCamp
Greenhorn

Joined: Aug 27, 2003
Posts: 1
Please note: Although the above description is better than anything I've found on JBoss' website and documentation, there are at least a few bugs in it. The code that reads:

<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required"><!-- This tells it where to find the MS SQL Server DataSource that provides the usernames/passwords. Don't get me started on what a pain that was to set up (although alot LESS of a pain than JAAS and Database login--><module-option name="dsJndiName">java:/MSQLDS</module-option><!-- This depends on how your DB is structured --><module-option name-"principalsQuery">Select passwd from Users where username = ?<module-option><module-option name="rolesQuery">Select userRoles 'Role', userRoleGroups 'RoleGroup' from UserRoles where username = ?<module-option><login-module>

Should read:
<application-policy name="EJBSecurityDomain">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<!-- This tells it where to find the MS SQL Server DataSource that provides
the usernames/passwords. Don't get me started on what a pain that was to
set up (although alot LESS of a pain than JAAS and Database login
-->
<module-option name="dsJndiName">java:/MSQLDS</module-option>
<!-- This depends on how your DB is structured -->
<module-option name="principalsQuery">Select passwd from Users where username = ?</module-option>
<module-option name="rolesQuery">Select userRoles 'Role', userRoleGroups 'RoleGroup' from UserRoles where username = ?</module-option>
</login-module>
</authentication>
</application-policy>
There are three tags that need to be properly closed (two module-option tags and the login-module tag) and a couple ill-defined attributes. All of these errors result in the unhelpful XML parse diagnostic about the <?xml identifier.
Still trying to log in!! :roll:
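An added example, not from any poster in this thread and not JBoss code: a pre-deployment check that parses the application-policy fragment with a real XML parser, so the first syntax error is reported with its own line number, and then validates the login-module flag and module-option attributes. The function name and the checks chosen are assumptions; BROKEN is the fragment as posted earlier in the thread.

```python
import xml.etree.ElementTree as ET

VALID_FLAGS = {"required", "requisite", "sufficient", "optional"}  # JAAS control flags

def lint_login_config(xml_text):
    """Return a list of problems found in an <application-policy> fragment."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        line, _col = exc.position  # where the parser actually stopped
        return [f"line {line}: not well-formed XML ({exc})"]
    problems = []
    for policy in root.iter("application-policy"):
        name = policy.get("name") or "<unnamed policy>"
        modules = policy.findall("authentication/login-module")
        if not modules:
            problems.append(f"{name}: no login-module configured")
        for mod in modules:
            code = mod.get("code") or "<no code attribute>"
            if mod.get("flag") not in VALID_FLAGS:
                problems.append(f"{name}/{code}: bad flag {mod.get('flag')!r}")
            for opt in mod.findall("module-option"):
                if not opt.get("name"):
                    problems.append(f"{name}/{code}: module-option without name")
                elif not (opt.text or "").strip():
                    problems.append(f"{name}/{code}: option {opt.get('name')} is empty")
    return problems

# Fragment as posted in this thread (fails to load).
BROKEN = """\
<application-policy name="EJBSecurityDomain">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName">java:/MySqlDS</module-option>
<module-option name-"principalsQuery">Select passwd from Users where username = ?<module-option>
<module-option name="rolesQuery">Select userRoles 'Role', userRoleGroups 'RoleGroup' from UserRoles where username = ?<module-option>
<login-module>
</authentication>
</application-policy>
"""
# The repairs described in the reply above, applied mechanically.
FIXED = (BROKEN.replace('name-"', 'name="')
               .replace("?<module-option>", "?</module-option>")
               .replace("<login-module>\n", "</login-module>\n"))

if __name__ == "__main__":
    print(lint_login_config(BROKEN))
    print(lint_login_config(FIXED))
```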
Chris Pearson
Greenhorn

Joined: Nov 06, 2003
Posts: 1
Did you ever get a chance to log in? I am having problems with the above example, such as why a Principal class was created in the login and what client needs to be compiled?? Any help would be appreciated.
And is this written up somewhere? I looked for a newsletter but have not found one.
Thanks,
Chris
Tom Marrs
Author
Ranch Hand

Joined: Sep 20, 2000
Posts: 67
Robert,
You rock!!! I was in desperate need of a solution to this problem and your tutorial gave me most of what I needed. I had to make a few corrections for JBoss 3.2.5. If you'd like, I could post them. You saved me from a disaster - I needed to make this work so I could teach an EJB class on JBoss. Thanks again.

Tom Marrs
Luctor Emergo
Greenhorn

Joined: Mar 14, 2005
Posts: 1
Finally I think I'm on the right track here. Did you ever get to create a complete example? I'd love to have that, cause I've been banging my head against the wall the last couple of decades it feels like.

And I totally agree. POST THE SOLUTION WHEN YOU FIND IT. So other people don't have to bang their head till it cracks.