Posted to users@tomcat.apache.org by Guillaume Lederrey <Ge...@ledcom.ch> on 2005/03/04 15:23:03 UTC
Authentication and logging problem
Hello !
I'm having a problem with a JAAS authentication realm. I created a
LoginModule, configured it as explained in
http://forum.java.sun.com/thread.jspa?threadID=233317&tstart=0, defined the
permissions in my WEB-INF/web.xml ...
The log statements (System.out.println()) I have in my login module show
that the user is authenticated and that the correct roles are added to the
subject. BUT : I still get a 403 when trying to access my servlets.
I installed a log4j logger for Tomcat as explained in
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/logging.html to get some more
information. The relevant lines are included below.
It seems the roles didn't get added, which is not consistent with what I read
in my LoginModule doc ...
My context definition (in conf/server.xml) is :
<Context path="/siems-ds"
         docBase="/home/gehel/tecost/siems/siems/ds/target/siems-ds-0.1-SNAPSHOT.war/"
         privileged="true"
         reloadable="true">
    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="SIEMS-ds"
           userClassNames="ch.tecost.siems.jaas.UserPrincipal"
           roleClassNames="ch.tecost.siems.jaas.RolePrincipal"
           debug="99"/>
</Context>
The following code is used to add roles in the commit() method of the
LoginModule, "subject" is the subject received in "initialize()"

    log("adding roles ...");
    Collection roleList = RolePrincipal.findByUser(DBAccess
            .currentConnection(), userPrincipal);
    for (Iterator it = roleList.iterator(); it.hasNext();) {
        RolePrincipal role = (RolePrincipal) it.next();
        log("Adding role : " + role.getName());
        subject.getPrincipals().add(role);
    }
Does anybody have any idea where I should be looking to find the solution ?
Thanks
Guillaume Lederrey
DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - Checking
constraint 'SecurityConstraint[SIEMS - Data Service protected area]' against
GET /UserList --> true
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - JAASRealm
login requested for username "admin" using LoginContext for application
"SIEMS-ds"
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Login
context created admin
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - JAAS
LoginContext created for username "admin"
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Checking
Principal "admin" [ch.tecost.siems.jaas.UserPrincipal]
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Principal
"admin" is a valid user class. We will use this as the user Principal.
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - No valid
role Principals found.
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Username
"admin" successfully authenticated as Principal "{1}" -- Subject was created
too
DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - Checking
roles admin
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Checking if
user Principal "admin" possesses role "Root"
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - No roles
Principals found. User Principal or Subject is null, or user Principal not in
cache
DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - No role
found: Root
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Checking if
user Principal "admin" possesses role "Admin"
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - No roles
Principals found. User Principal or Subject is null, or user Principal not in
cache
DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - No role
found: Admin
DEBUG ContainerBackgroundProcessor[StandardEngine[Catalina]]
org.apache.catalina.session.ManagerBase - Start expire sessions
StandardManager at 1109945560722 sessioncount 0
DEBUG ContainerBackgroundProcessor[StandardEngine[Catalina]]
org.apache.catalina.session.ManagerBase - Start expire sessions
StandardManager at 1109945560722 sessioncount 0
--
Guillaume Lederrey
Informaticien Développement
Tecost - Technology Consulting Studies
Fribourg (Switzerland)
http://www.tecost.ch/
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Authentication and logging problem
Posted by Guillaume Lederrey <Ge...@ledcom.ch>.
I found the problem :
I was using a UserPrincipal and a RolePrincipal that had a case-insensitive
equals() method. I was first adding the UserPrincipal with name "admin", and
then adding a RolePrincipal with name "Admin". The case-insensitive equals()
implies that the Role was not added as it was equal to the User ...
Pretty easy problem, but I still took 1 full day to track it down !
Guillaume
--
Guillaume Lederrey
Informaticien Développement
Tecost - Technology Consulting Studies
Fribourg (Switzerland)
http://www.tecost.ch/
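
Added example, not code from the original post: a stand-alone reproduction of the failure described in the reply, next to a corrected equals() and a guard for commit(). All class names here are hypothetical, and it assumes both principal types shared one equals() that ignored case and the concrete class.

```java
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
public class PrincipalEqualsDemo {
    // Constructed stand-in for the principals in the post (assumption: both
    // share an equals() that ignores case and the concrete class).
    static class LoosePrincipal implements Principal {
        final String name;
        LoosePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof LoosePrincipal && name.equalsIgnoreCase(((LoosePrincipal) o).name);
        }
        @Override public int hashCode() { return name.toLowerCase(java.util.Locale.ROOT).hashCode(); }
    }
    static class LooseUser extends LoosePrincipal { LooseUser(String n) { super(n); } }
    static class LooseRole extends LoosePrincipal { LooseRole(String n) { super(n); } }
    // Corrected form: equal only for the same concrete class and exact name,
    // so a user and a role can never collapse into one set entry.
    static class StrictPrincipal implements Principal {
        final String name;
        StrictPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && name.equals(((StrictPrincipal) o).name);
        }
        @Override public int hashCode() { return 31 * getClass().hashCode() + name.hashCode(); }
    }
    static class StrictUser extends StrictPrincipal { StrictUser(String n) { super(n); } }
    static class StrictRole extends StrictPrincipal { StrictRole(String n) { super(n); } }
    // Guard for commit(): the principal set signals a rejected duplicate through add().
    static void addOrFail(Subject s, Principal p) throws LoginException {
        if (!s.getPrincipals().add(p))
            throw new LoginException("principal rejected as duplicate: " + p.getName());
    }
    public static void main(String[] args) throws LoginException {
        Subject fixed = new Subject();
        addOrFail(fixed, new StrictUser("admin"));
        addOrFail(fixed, new StrictRole("Admin"));
        System.out.println("strict: roles=" + fixed.getPrincipals(StrictRole.class).size());
        Subject buggy = new Subject();
        addOrFail(buggy, new LooseUser("admin"));
        try {
            addOrFail(buggy, new LooseRole("Admin"));
        } catch (LoginException e) {
            System.out.println("loose: " + e.getMessage() + ", roles=" + buggy.getPrincipals(LooseRole.class).size());
        }
    }
}
```

Checking the boolean returned by add() turns the silently dropped role into a login failure at commit() time instead of a 403 later in the realm.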