I am trying to get a JSF application to run on JBoss 7.1.2 configured with the JAAS security module. Basically the login works, but after successfully verifying the user and granting the roles, the roles are overridden again, the user has no permissions at all and is redirected to the access-denied page.
Maybe I missed something in the configuration, but I really have no clue what could be wrong.
Here are my configurations:
standalone.xml configuration of the security subsystem:
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <security-domain name="MpsAdminRealm" cache-type="default">
            <authentication>
                <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                    <module-option name="dsJndiName" value="java:/datasources/iPadDSForAllApps"/>
                    <module-option name="principalsQuery" value="select password from ADMIN_ACCOUNT where username=?"/>
                    <module-option name="rolesQuery" value="SELECT ADMIN_PERMISSION.NAME, 'ROLES' FROM ADMIN_PERMISSION INNER JOIN ROLE_PERMISSION ON ADMIN_PERMISSION.ID = ROLE_PERMISSION.ID_PERMISSION INNER JOIN ADMIN_ROLE ON ROLE_PERMISSION.ID_ROLE = ADMIN_ROLE.ID INNER JOIN ACCOUNT_ROLE ON ADMIN_ROLE.ID = ACCOUNT_ROLE.ID_ROLE INNER JOIN ADMIN_ACCOUNT ON ACCOUNT_ROLE.ID_ACCOUNT = ADMIN_ACCOUNT.ID WHERE ADMIN_ACCOUNT.USERNAME = ?"/>
                </login-module>
            </authentication>
        </security-domain>
        <security-domain name="jboss-web-policy" cache-type="default">
            <authorization>
                <policy-module code="Delegating" flag="required"/>
            </authorization>
        </security-domain>
        <security-domain name="jboss-ejb-policy" cache-type="default">
            <authorization>
                <policy-module code="Delegating" flag="required"/>
            </authorization>
        </security-domain>
    </security-domains>
</subsystem>
The web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <display-name>mps-admin</display-name>
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <session-config>
        <session-timeout>120</session-timeout>
    </session-config>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
        <url-pattern>*.jsf</url-pattern>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted Area</web-resource-name>
            <url-pattern>/pages/protected/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN_AREA</role-name>
            <role-name>USER_AREA</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <!-- Login page -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>MpsAdminRealm</realm-name>
        <form-login-config>
            <form-login-page>/pages/public/login.xhtml</form-login-page>
            <form-error-page>/pages/public/loginError.xhtml</form-error-page>
        </form-login-config>
    </login-config>
    <!-- System roles -->
    <security-role>
        <role-name>ADMIN_AREA</role-name>
    </security-role>
    <security-role>
        <description>User Permission for the User Area of the Application</description>
        <role-name>USER_AREA</role-name>
    </security-role>
    <error-page>
        <error-code>403</error-code>
        <location>/pages/public/access_denied.xhtml</location>
    </error-page>
    <welcome-file-list>
        <welcome-file>/pages/protected/user/startseite.xhtml</welcome-file>
    </welcome-file-list>
</web-app>
My jboss-web.xml:
<?xml version='1.0' encoding='UTF-8'?>
<jboss-web>
    <!-- URL to access the web module -->
    <context-root>/mps-admin</context-root>
    <!-- Realm that will be used -->
    <security-domain>java:/jaas/MpsAdminRealm</security-domain>
    <use-jboss-authorization>false</use-jboss-authorization>
</jboss-web>
And finally the log output when I try to access the protected area:
09:55:56,912 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) initialize
09:55:57,693 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Security domain: MpsAdminRealm
09:55:57,693 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) DatabaseServerLoginModule, dsJndiName=java:/datasources/iPadDSForAllApps
09:55:57,693 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) principalsQuery=select password from ADMIN_ACCOUNT where username=?
09:55:57,693 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) rolesQuery=SELECT ADMIN_PERMISSION.NAME, 'ROLES' FROM ADMIN_PERMISSION INNER JOIN ROLE_PERMISSION ON ADMIN_PERMISSION.ID = ROLE_PERMISSION.ID_PERMISSION INNER JOIN ADMIN_ROLE ON ROLE_PERMISSION.ID_ROLE = ADMIN_ROLE.ID INNER JOIN ACCOUNT_ROLE ON ADMIN_ROLE.ID = ACCOUNT_ROLE.ID_ROLE INNER JOIN ADMIN_ACCOUNT ON ACCOUNT_ROLE.ID_ACCOUNT = ADMIN_ACCOUNT.ID WHERE ADMIN_ACCOUNT.USERNAME = ?
09:55:57,693 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) suspendResume=true
09:55:57,694 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) login
09:55:57,718 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) suspendAnyTransaction
09:55:57,719 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (http-localhost/127.0.0.1:8080-1) iPadDS: getConnection(null, WrappedConnectionRequestInfo@5ead5494[userName=ipadpdf]) [1/5]
09:55:57,720 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Excuting query: select password from ADMIN_ACCOUNT where username=?, with username: harald
09:55:57,772 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Obtained user password
09:55:57,773 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (http-localhost/127.0.0.1:8080-1) iPadDS: returnConnection(48885a6e, false) [1/4]
09:55:57,773 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) resumeAnyTransaction
09:55:57,774 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) User 'harald' authenticated, loginOk=true
09:55:57,774 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) commit, loginOk=true
09:55:57,776 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) getRoleSets using rolesQuery: SELECT ADMIN_PERMISSION.NAME, 'ROLES' FROM ADMIN_PERMISSION INNER JOIN ROLE_PERMISSION ON ADMIN_PERMISSION.ID = ROLE_PERMISSION.ID_PERMISSION INNER JOIN ADMIN_ROLE ON ROLE_PERMISSION.ID_ROLE = ADMIN_ROLE.ID INNER JOIN ACCOUNT_ROLE ON ADMIN_ROLE.ID = ACCOUNT_ROLE.ID_ROLE INNER JOIN ADMIN_ACCOUNT ON ACCOUNT_ROLE.ID_ACCOUNT = ADMIN_ACCOUNT.ID WHERE ADMIN_ACCOUNT.USERNAME = ?, username: harald
09:55:57,779 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) suspendAnyTransaction
09:55:57,780 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (http-localhost/127.0.0.1:8080-1) iPadDS: getConnection(null, WrappedConnectionRequestInfo@5ead5494[userName=ipadpdf]) [1/5]
09:55:57,780 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Excuting query: SELECT ADMIN_PERMISSION.NAME, 'ROLES' FROM ADMIN_PERMISSION INNER JOIN ROLE_PERMISSION ON ADMIN_PERMISSION.ID = ROLE_PERMISSION.ID_PERMISSION INNER JOIN ADMIN_ROLE ON ROLE_PERMISSION.ID_ROLE = ADMIN_ROLE.ID INNER JOIN ACCOUNT_ROLE ON ADMIN_ROLE.ID = ACCOUNT_ROLE.ID_ROLE INNER JOIN ADMIN_ACCOUNT ON ACCOUNT_ROLE.ID_ACCOUNT = ADMIN_ACCOUNT.ID WHERE ADMIN_ACCOUNT.USERNAME = ?, with username: harald
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role ACCOUNT_ADMINISTRATION
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role ADMIN_AREA
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role APA_ADMIN_AREA
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role CREATE_APPLICATION
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role ROLE_ADMINISTRATION
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role SYS_ADMIN_AREA
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role USER_AREA
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role USER_PROFILE
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role USER_SETTINGS
09:55:57,787 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (http-localhost/127.0.0.1:8080-1) iPadDS: returnConnection(48885a6e, false) [1/4]
09:55:57,787 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) resumeAnyTransaction
09:55:57,788 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-localhost/127.0.0.1:8080-1) defaultLogin, lc=javax.security.auth.login.LoginContext@2780a3db, subject=Subject(1003537020).principals=org.jboss.security.SimplePrincipal@1932581337(harald)org.jboss.security.SimpleGroup@1053755336(CallerPrincipal(members:harald))org.jboss.security.SimpleGroup@1053755336(ROLES(members:CREATE_APPLICATION,USER_AREA,APA_ADMIN_AREA,USER_PROFILE,SYS_ADMIN_AREA,USER_SETTINGS,ACCOUNT_ADMINISTRATION,ADMIN_AREA,ROLE_ADMINISTRATION))
09:55:57,789 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-localhost/127.0.0.1:8080-1) End isValid, true
09:55:57,795 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1) Authenticated 'harald' with type 'LOGIN'
09:55:57,810 FINE [javax.enterprise.resource.webcontainer.jsf.lifecycle] (http-localhost/127.0.0.1:8080-1) Exiting InvokeApplicationsPhase
09:55:57,810 FINE [javax.enterprise.resource.webcontainer.jsf.timing] (http-localhost/127.0.0.1:8080-1) [TIMING] - [2955ms] : Execution time for phase (including any PhaseListeners) -> INVOKE_APPLICATION 5
09:55:57,810 FINE [javax.enterprise.resource.webcontainer.jsf.lifecycle] (http-localhost/127.0.0.1:8080-1) render(org.primefaces.context.PrimeFacesContext@4fcb2eda)
09:55:57,810 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost/127.0.0.1:8080-1) Setting threadlocal:null
09:55:57,814 DEBUG [org.apache.tomcat.util.http.Cookies] (http-localhost/127.0.0.1:8080-1) Cookies: Parsing b[]: JSESSIONID=JQw37EFGDsqHhV9CezWXrrZH; jm_earth_tpl=jm_earth
09:55:57,815 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1) Security checking request GET /mps-admin/pages/protected/user/startseite.xhtml
09:55:57,815 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1) We have cached auth type LOGIN for principal GenericPrincipal[harald()]
09:56:15,192 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1402559775192 sessioncount 0
09:56:15,192 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
09:56:25,193 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1402559785193 sessioncount 1
09:56:25,193 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
09:56:29,207 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1) Checking constraint 'SecurityConstraint[Restricted Area]' against GET /pages/protected/user/startseite.xhtml --> true
09:56:29,208 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1) Checking constraint 'SecurityConstraint[Restricted Area]' against GET /pages/protected/user/startseite.xhtml --> true
09:56:29,208 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1) Calling hasUserDataPermission()
09:56:29,208 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1) User data constraint has no restrictions
09:56:29,208 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1) Calling authenticate()
09:56:29,209 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-localhost/127.0.0.1:8080-1) Already authenticated 'harald'
09:56:29,209 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1) Calling accessControl()
09:56:29,209 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1) Checking roles GenericPrincipal[harald()]
09:56:29,210 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1) Username harald does NOT have role ADMIN_AREA
09:56:29,210 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1) No role found: ADMIN_AREA
09:56:29,210 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1) Username harald does NOT have role USER_AREA
09:56:29,211 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1) No role found: USER_AREA
09:56:29,211 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1) Failed accessControl() test
09:56:29,211 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost/127.0.0.1:8080-1) Setting threadlocal:null
09:56:29,212 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host]] (http-localhost/127.0.0.1:8080-1) Processing ErrorPage[errorCode=403, location=/pages/public/access_denied.xhtml]
As you can see, the authentication works, but afterwards the roles are overridden (Setting threadlocal:null).
Does anyone have an idea what is going wrong?
I found the problem; it was a mistake in the configuration.
The rolesQuery in the standalone.xml was wrong: I had put the 'Roles' in uppercase.
<module-option name="rolesQuery" value="SELECT ADMIN_PERMISSION.NAME, 'Roles' FROM ADMIN_PERMISSION INNER JOIN ROLE_PERMISSION ON ADMIN_PERMISSION.ID = ROLE_PERMISSION.ID_PERMISSION INNER JOIN ADMIN_ROLE ON ROLE_PERMISSION.ID_ROLE = ADMIN_ROLE.ID INNER JOIN ACCOUNT_ROLE ON ADMIN_ROLE.ID = ACCOUNT_ROLE.ID_ROLE INNER JOIN ADMIN_ACCOUNT ON ACCOUNT_ROLE.ID_ACCOUNT = ADMIN_ACCOUNT.ID WHERE ADMIN_ACCOUNT.USERNAME = ?"/>
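Because the whole failure comes down to a string literal that JBoss matches case-sensitively, here is a small added lint (example code written for this page, not code from the question or from JBoss) that parses the security subsystem fragment and flags a rolesQuery whose group literal is anything other than 'Roles', a query with no '?' bind parameter, and a DatabaseServerLoginModule with no hashAlgorithm option (in which case principalsQuery has to return cleartext passwords). The sample XML is constructed from the question with the join shortened; the function names are the example's own.

```python
"""Static checks for a JBoss AS 7 / EAP 6 <subsystem xmlns="urn:jboss:domain:security:1.2">.

Added example, not part of the original post or of JBoss. It only inspects the
module-option values; it does not talk to the database.
"""
import re
import xml.etree.ElementTree as ET

SEC_NS = "urn:jboss:domain:security:1.2"

# JBoss builds the caller's role set only from the Subject group named exactly
# "Roles"; a rolesQuery returning 'ROLES' or 'roles' yields an empty role set.
EXPECTED_GROUP = "Roles"

# Second SELECT column written as a quoted literal:  SELECT x.NAME, 'ROLES' FROM ...
GROUP_LITERAL = re.compile(r"^\s*select\s+.+?,\s*'([^']*)'\s+from", re.IGNORECASE | re.DOTALL)

# Constructed sample: the question's MpsAdminRealm with the broken literal and
# one of the delegating policy domains (which has no login-module at all).
SAMPLE_XML = """<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="MpsAdminRealm" cache-type="default">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <module-option name="dsJndiName" value="java:/datasources/iPadDSForAllApps"/>
          <module-option name="principalsQuery" value="select password from ADMIN_ACCOUNT where username=?"/>
          <module-option name="rolesQuery" value="SELECT ADMIN_PERMISSION.NAME, 'ROLES' FROM ADMIN_PERMISSION INNER JOIN ACCOUNT_ROLE ON ADMIN_PERMISSION.ID = ACCOUNT_ROLE.ID_ROLE WHERE ACCOUNT_ROLE.USERNAME = ?"/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="jboss-web-policy" cache-type="default">
      <authorization>
        <policy-module code="Delegating" flag="required"/>
      </authorization>
    </security-domain>
  </security-domains>
</subsystem>"""


def roles_group_literal(roles_query):
    """Return the quoted group literal of a rolesQuery, or None if the group is a column."""
    m = GROUP_LITERAL.match(roles_query)
    return m.group(1) if m else None


def fix_roles_literal(roles_query):
    """Rewrite the group literal to the exact spelling JBoss expects."""
    literal = roles_group_literal(roles_query)
    if literal is None or literal == EXPECTED_GROUP:
        return roles_query
    return roles_query.replace(f"'{literal}'", f"'{EXPECTED_GROUP}'", 1)


def lint_security_domains(xml_text):
    """Map each security-domain name to a list of findings (empty list means clean)."""
    root = ET.fromstring(xml_text)
    report = {}
    for domain in root.iter(f"{{{SEC_NS}}}security-domain"):
        findings = []
        for lm in domain.iter(f"{{{SEC_NS}}}login-module"):
            opts = {o.get("name"): o.get("value", "") for o in lm.iter(f"{{{SEC_NS}}}module-option")}
            group = roles_group_literal(opts.get("rolesQuery", ""))
            if group is not None and group != EXPECTED_GROUP:
                findings.append(
                    f"rolesQuery: group literal is '{group}'; JBoss only honours a group named "
                    f"exactly '{EXPECTED_GROUP}', so every role this query returns is dropped")
            for name in ("principalsQuery", "rolesQuery"):
                query = opts.get(name, "")
                if query and "?" not in query:
                    findings.append(f"{name}: no '?' bind parameter; the username must be bound, not concatenated")
            if "DatabaseServerLoginModule" in lm.get("code", "") and "hashAlgorithm" not in opts:
                findings.append(
                    "hashAlgorithm: not set, so principalsQuery must return cleartext passwords; "
                    "store a hash and set hashAlgorithm/hashEncoding")
        report[domain.get("name")] = findings
    return report


if __name__ == "__main__":
    for name, findings in lint_security_domains(SAMPLE_XML).items():
        print(name, "->", findings or "ok")
```

Run it against the real standalone.xml by passing the file contents to lint_security_domains; a rolesQuery whose group column is a real column rather than a literal is skipped, since its value cannot be checked without running the query.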