Posted to users@tomcat.apache.org by Guillaume Lederrey <Ge...@ledcom.ch> on 2005/03/04 15:23:03 UTC

Authentication and logging problem

  Hello !

  I'm having a problem with a JAAS authentication realm. I created a 
LoginModule, configured it as explained in 
http://forum.java.sun.com/thread.jspa?threadID=233317&tstart=0, defined the 
permissions in my WEB-INF/web.xml ...

  The log statements (System.out.println()) I have in my login module show 
that the user is authenticated and that the correct roles are added to the 
subject. BUT : I still get a 403 when trying to access my servlets.

  I installed a log4j logger for Tomcat as explained in 
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/logging.html to get some more 
information. The relevant lines are included below.

  It seems the roles didn't get added, which is not consistent with what I read 
in my LoginModule doc ...

  My context definition (in conf/server.xml) is :
<Context path="/siems-ds"
  docBase="/home/gehel/tecost/siems/siems/ds/target/siems-ds-0.1-SNAPSHOT.war/"
  privileged="true"
  reloadable="true">
  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="SIEMS-ds"
         userClassNames="ch.tecost.siems.jaas.UserPrincipal"
         roleClassNames="ch.tecost.siems.jaas.RolePrincipal"
         debug="99"/>
</Context>


  The following code is used to add roles in the commit() method of the 
LoginModule, "subject" is the subject received in "initialize()"

      log("adding roles ...");
      Collection roleList = RolePrincipal.findByUser(DBAccess
          .currentConnection(), userPrincipal);
      for (Iterator it = roleList.iterator(); it.hasNext();) {
        RolePrincipal role = (RolePrincipal) it.next();
        log("Adding role : " + role.getName());
        subject.getPrincipals().add(role);
      }

  Does anybody have any idea where I should be looking to find the solution ?

 Thanks

   Guillaume Lederrey


 DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase -   Checking 
constraint 'SecurityConstraint[SIEMS - Data Service protected area]' against 
GET /UserList --> true
 DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - JAASRealm 
login requested for username "admin" using LoginContext for application 
"SIEMS-ds"
 DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Login 
context created admin
 DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - JAAS 
LoginContext created for username "admin"
 DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Checking 
Principal "admin" [ch.tecost.siems.jaas.UserPrincipal]
 DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Principal 
"admin" is a valid user class. We will use this as the user Principal.
 DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - No valid 
role Principals found.
 DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Username 
"admin" successfully authenticated as Principal "{1}" -- Subject was created 
too
 DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase -   Checking 
roles admin
 DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Checking if 
user Principal "admin" possesses role "Root"
 DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - No roles 
Principals found. User Principal or Subject is null, or user Principal not in 
cache
 DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - No role 
found:  Root
 DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Checking if 
user Principal "admin" possesses role "Admin"
 DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - No roles 
Principals found. User Principal or Subject is null, or user Principal not in 
cache
 DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - No role 
found:  Admin
 DEBUG ContainerBackgroundProcessor[StandardEngine[Catalina]] 
org.apache.catalina.session.ManagerBase - Start expire sessions 
StandardManager at 1109945560722 sessioncount 0
 DEBUG ContainerBackgroundProcessor[StandardEngine[Catalina]] 
org.apache.catalina.session.ManagerBase - Start expire sessions 
StandardManager at 1109945560722 sessioncount 0


-- 


Guillaume Lederrey
Informaticien Développement
Tecost - Technology Consulting Studies
Fribourg (Switzerland)
http://www.tecost.ch/

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Authentication and logging problem

Posted by Guillaume Lederrey <Ge...@ledcom.ch>.
  I found the problem :

  I was using a UserPrincipal and a RolePrincipal that had a case insensitive 
equals() method. I was first adding the UserPrincipal with name "admin", and 
then adding a RolePrincipal with name "Admin". The case insensitive equals() 
implies that the Role was not added as it was equal to the User ...

  Pretty easy problem, but I still took 1 full day to track it down !

    Guillaume


-- 


Guillaume Lederrey
Informaticien Développement
Tecost - Technology Consulting Studies
Fribourg (Switzerland)
http://www.tecost.ch/
