Problem with authentication and security


gbulfon
09-20-2010, 10:56 AM
Hello, I have a webapp already running under Tomcat 5/6, and I'm trying
to make it work under Resin 4.
It uses JAAS with our own LoginModule.
The web.xml has a security-constraint set up to run my own Login form,
then goes through the JAAS authentication, then (once authenticated) goes
through my own RequestListener to set up some stuff before it goes to the welcome-file, my Start servlet.

I can see the whole process goes fine until the Start servlet, where I get an
"HTTP/1.1 403 Forbidden" page.
I could not find any reason in the logs, so I turned on fine logs.
Here is what I find in the logs (after my own debugging info correctly running JAAS and the RequestListener setup):


[10-09-17 15:43:17.416] {http://*:18081-2} Dispatch '/Start' to AccessLogFilterChain[http://localhost:18081/webtop, next=WebAppFilterChain[http://localhost:18081/webtop, next=com.caucho.server.security.SecurityFilterChain@b6be7ee]]
[10-09-17 15:43:17.416] {http://*:18081-2} HttpServletRequestImpl[HttpRequest[2]] failed [name='*myemail*' - description='Sonicle'] in role: sonicleuser
[10-09-17 15:43:17.417] {http://*:18081-2} Http[2] HTTP/1.1 403 Forbidden
[10-09-17 15:43:17.417] {http://*:18081-2} Http[2] Content-Type: text/html; charset=utf-8
[10-09-17 15:43:17.417] {http://*:18081-2} Http[2] Content-Length: 978
[10-09-17 15:43:17.417] {http://*:18081-2} Http[2] write-set-offset(1124)
[10-09-17 15:43:17.417] {http://*:18081-2} Http[2] finish/keepalive


Here is the web.xml security part:


....
<welcome-file-list>
  <welcome-file>Start</welcome-file>
</welcome-file-list>
<security-role>
  <role-name>sonicleuser</role-name>
</security-role>
<security-constraint>
  <display-name>SonicleWebApp</display-name>
  <web-resource-collection>
    <web-resource-name>SonicleWebApp</web-resource-name>
    <description/>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>sonicleuser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/Login</form-login-page>
    <form-error-page>/Login?error=1</form-error-page>
  </form-login-config>
</login-config>
....


The "sonicleuser" role is set up by my JAAS login modules, and it is reported
correctly by the Resin logs.

My login modules use JNDI to locate the database, so here is my resin-web.xml configured both for JNDI and JAAS:


<authenticator type="com.caucho.server.security.JaasAuthenticator">
  <init>
    <login-module>com.sonicle.security.login.SonicleLogin</login-module>
    <init-param>
      <db>jndi://webtop2</db>
    </init-param>
  </init>
</authenticator>

<database jndi-name='jdbc/webtop2'>
  <driver type="org.postgresql.Driver">
    <url>jdbc:postgresql://myhost:5432/webtop</url>
    <user>user</user>
    <password>password</password>
  </driver>
</database>


The login module gets called correctly, because I see all the login debug output
before the error. All needed jars are inside the Resin lib folder.

Do you have any idea? How can I better understand what happens in the logs?

Thanx,
Gabriele.

emil
09-23-2010, 10:29 PM
Hi Gabriele,

Are you able to see if your database is being accessed? I guess it depends on how your plugin is interpreting the database's JNDI string, but we'd typically write it as "jdbc/webtop". If the database is being accessed ok and the JAAS plugin is returning the correct role, then it could be a bug in the JaasAuthenticator or something else in Resin.

Best,
Emil

gbulfon
10-05-2010, 03:50 PM
Hi, the "jndi://webtop2" init parameter is interpreted by our plugin module, because it may be specified with various authentication methods (jndi, ssh, imap, vfs...).
In the case of jndi it assumes it is a JDBC resource, so it is our code that transforms the JNDI lookup to "jdbc/webtop2".
In fact, the authentication is correctly done: the logs from my code show it is done and session initialization is done in my RequestListener (just after authentication is successful).
The sequence of access to servlets is:
Login -> j_security_check -> Start (as per the welcome-file directive).
Each of them is preceded by our RequestListener code, which prepares the session upon valid authentication (when Start is called).
As you can see, it is the Start servlet that is failing, just after the RequestListener code (I see that this code is run from the logs it emits before failing, so the session is actually prepared):


[10-09-17 15:43:17.416] {http://*:18081-2} Dispatch '/Start' to AccessLogFilterChain[http://localhost:18081/webtop, next=WebAppFilterChain[http://localhost:18081/webtop, next=com.caucho.server.security.SecurityFilterChain@b6be7ee]]
[10-09-17 15:43:17.416] {http://*:18081-2} HttpServletRequestImpl[HttpRequest[2]] failed [name='*myemail*' - description='Sonicle'] in role: sonicleuser
[10-09-17 15:43:17.417] {http://*:18081-2} Http[2] HTTP/1.1 403 Forbidden
[10-09-17 15:43:17.417] {http://*:18081-2} Http[2] Content-Type: text/html; charset=utf-8
[10-09-17 15:43:17.417] {http://*:18081-2} Http[2] Content-Length: 978
[10-09-17 15:43:17.417] {http://*:18081-2} Http[2] write-set-offset(1124)
[10-09-17 15:43:17.417] {http://*:18081-2} Http[2] finish/keepalive

If only I could get more debug info...