Search code examples
javaoracle-databaserestauthenticationwildfly-8

Wildfly - FailedLoginException: Password Incorrect/Password Required Exception


I have a small REST application written in JAVA and deployed on Wildfly 8.2. I get the error FailedLoginException: Password Incorrect/Password Required when I try to login using javax security library. What could be the cause here?

I send a request from browser with url http://localhost:8080/ACWildfly/loginService/login

Here is LoginService class:

package com.om.targin.admin;

import org.jboss.security.auth.callback.UsernamePasswordHandler;

import javax.security.auth.login.LoginContext;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

@Path("/loginService")
public class LoginService {

    //  private static final Log logger = LogFactory.getFactory().getLog(LoginService.class.getName());

    @GET
    @Path("/login")
    public Response login() {
        //   logger.info("LoginService login is called.");
        try {
            LoginContext lc = null;
            String username = "UseR_U";
            String password = "hashedpassword";
            UsernamePasswordHandler handler = new UsernamePasswordHandler(username,
                    password == null ? null : password.toCharArray());
            lc = new LoginContext("targin-client", handler);
            lc.login();
            return Response.status(Response.Status.OK).build();
        }
        catch (Exception e){
            // logger.error("Exception has been occurred."+e.getMessage());
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
        }
    }
}

RestApplication class:

package com.om.targin.admin;

import org.glassfish.jersey.server.ResourceConfig;

import javax.ws.rs.ApplicationPath;

@ApplicationPath("/")
public class RestApplication extends ResourceConfig {

    public RestApplication() {
        packages("com.om.targin.admin");
    }
}

Login module:

<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="org.jboss.login">
    <resources>
    <resource-root path="SPLoginModule.jar"/>
    </resources>

    <dependencies>
       <module name="org.picketbox"/>
       <module name="javax.api"/>
    </dependencies>
</module>

SPLoginModule class:

package tr.com.splogin;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.sql.DataSource;
import java.security.Principal;
import java.security.acl.Group;
import java.sql.*;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class SPLoginModule extends AbstractServerLoginModule {
    private static final int USER_LOCKEDOUT = 23;
    private static final int USER_VALFAIL = 24;
    private static final int USER_MAXATTEMPTS = 25;

    private static final String ROLE_GROUP_NAME = "Roles";
    private static final String ID_GROUP_NAME = "Id";

    private static Logger logger = LoggerFactory.getLogger(SPLoginModule.class);

    private static final SimplePrincipal GUEST = new SimplePrincipal("guest");
    private static boolean initialized = false;
    private static boolean initFailed = false;
    private static Connection conn;
    private static CallableStatement cs;
    private static PreparedStatement ps;
    private static ResultSet rs;
    /**
     * The principal to use when a null username and password are seen
     */
    private static Principal unauthenticatedIdentity;
    private static Map options;

    /**
     * The roles of the authenticated user
     */
    private Group[] roleSets;
    /**
     * The proof of login identity
     */
    private char[] credential;
    /**
     * The login identity
     */
    private Principal identity;

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        logger.info("initialize start");
        System.out.println("initialize start");
        super.initialize(subject, callbackHandler, sharedState, options);
        if (!initialized) {
            this.options = options;
            init(options);
            initialized = true;
        }
        logger.info("initialize stop");
    }

    private String getUsername() {
        String username = null;
        if (getIdentity() != null)
            username = getIdentity().getName();
        return username;
    }

    public boolean login() throws LoginException {
        System.out.println("login is called.");
        String[] info = getUsernameAndPassword();
        String username = info[0];
        String password = info[1];

        logger.info(username);
        logger.info(password);

        super.loginOk = false;

        if (username == null && password == null) {
            identity = unauthenticatedIdentity;
            Group roles = new SimpleGroup(ROLE_GROUP_NAME);
            Set groups = new HashSet();
            groups.add(roles);
            roles.addMember(GUEST);
            roleSets = new Group[groups.size()];
            groups.toArray(roleSets);
            logger.info("Authenticating as unauthenticatedIdentity=" + identity);
        }

        if (identity == null) {
            identity = new SimplePrincipal(username);
            login(username, password);
        }

        super.loginOk = true;
        logger.info("User '" + identity + "' authenticated, loginOk=" + loginOk);
        return true;
    }

    public Principal getIdentity() {
        return identity;
    }

    public Group[] getRoleSets() {
        return roleSets;
    }

    private void login(String username, String password) throws LoginException {
        System.out.println("login is called.");
        try {
            int userIdCode = 3;
            int resultCode = 4;
            int result, userId;

            cs.setString(1, username);
            cs.setString(2, password);
            cs.registerOutParameter(userIdCode, Types.INTEGER);
            cs.registerOutParameter(resultCode, Types.INTEGER);

            cs.execute();

            result = cs.getInt(resultCode);

            if (result == 0) {
                userId = cs.getInt(userIdCode);
                logger.info("Id: " + userId);

                Group roles = new SimpleGroup(ROLE_GROUP_NAME);
                Group id = new SimpleGroup(ID_GROUP_NAME);
                Set groups = new HashSet();
                String roleName;

                groups.add(roles);
                groups.add(id);

                ps.setInt(1, userId);
                rs = ps.executeQuery();

                id.addMember(new SimplePrincipal((new Integer(userId)).toString()));

                while (rs.next()) {
                    roleName = rs.getString(1);
                    logger.debug("Action: " + roleName);
                    roles.addMember(new SimplePrincipal(roleName));
                }
                roles.addMember(GUEST);

                roleSets = new Group[groups.size()];
                groups.toArray(roleSets);
            } else {
                String message = new String();
                roleSets = new Group[0];

                switch (result) {
                    case USER_VALFAIL:
                        System.out.println("login is failed.");
                        message = new String("Login failed");
                        break;
                    case USER_LOCKEDOUT:
                        message = new String("User is locked out");
                        break;
                    case USER_MAXATTEMPTS:
                        message = new String("Max number of attempts reached, user is locked out");
                        break;
                    default:
                        message = new String("Unkown failed login error with code: " + result);
                        break;
                }
                logger.info("Error result code: " + result);
                logger.info("Error message: " + message);
                throw new FailedLoginException(message);
            }
        } catch (SQLException e) {
            logger.error(e.toString());
            init(options);
            if (!initFailed)
                login(username, password);
        } finally {
            try {
                if (rs != null)
                    rs.close();
            } catch (SQLException e1) {
                logger.error(e1.toString());
            }
        }
    }

    private void init(Map options) {
        logger.info("init");
        try {
            if (cs != null)
                cs.close();
            if (ps != null)
                ps.close();
            if (conn != null)
                conn.close();
        } catch (SQLException e) {
            logger.error(e.toString());
        }

        try {
            InitialContext ctx = new InitialContext();
            DataSource ds = (DataSource) ctx.lookup("java:/OracleDS");

            conn = ds.getConnection();
            String sp_login = "{call admin_pck.pc_login(?,?,?,?)}";
            String query_user_action = "select aa.name from admin_user au,admin_role ar,admin_action aa,admin_user_role aur,admin_role_action ara,owner o where au.id=? and aur.id_admin_user=au.id and aa.id=ara.id_admin_action and ara.id_admin_role=ar.id and ar.id=aur.id_role and o.id=aur.id_owner and o.id=au.id_primary_owner order by aa.name";

            cs = conn.prepareCall(sp_login);
            ps = conn.prepareStatement(query_user_action);

            String name = (String) options.get("unauthenticatedIdentity");
            if (name != null) {
                unauthenticatedIdentity = new SimplePrincipal(name);
                logger.info("Saw unauthenticatedIdentity=" + name);
            }
            initFailed = false;
        } catch (NamingException e) {
            logger.error(e.toString());
            initFailed = true;
        } catch (SQLException e) {
            logger.error(e.toString());
            initFailed = true;
        }
    }

    /**
     * Called by login() to acquire the username and password strings for
     * authentication. This method does no validation of either.
     *
     * @return String[], [0] = username, [1] = password
     * @throws LoginException thrown if CallbackHandler is not set or fails.
     */
    protected String[] getUsernameAndPassword() throws LoginException {
        String[] info = {null, null};
        // prompt for a username and password
        if (callbackHandler == null) {
            throw new LoginException("Error: no CallbackHandler available to collect authentication information");
        }
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        Callback[] callbacks = {nc, pc};
        String username = null;
        String password = null;
        try {
            callbackHandler.handle(callbacks);
            username = nc.getName();
            char[] tmpPassword = pc.getPassword();
            if (tmpPassword != null) {
                credential = new char[tmpPassword.length];
                System.arraycopy(tmpPassword, 0, credential, 0, tmpPassword.length);
                pc.clearPassword();
                password = new String(credential);
            }
        } catch (java.io.IOException e) {
            throw new LoginException(e.toString());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("CallbackHandler does not support: " + e.getCallback());
        }
        info[0] = username;
        info[1] = password;
        return info;
    }
}

jboss-deploynment-structure.xml under WEB-INF:

<jboss-deployment-structure>
    <deployment>
        <dependencies>
            <module name="org.jboss.login" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>

jboss-web.xml under WEB-INF:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web version="7.1" xmlns="http://www.jboss.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/schema/jbossas/jboss-web_7_1.xsd">
    <security-domain>java:/jaas/targin-server</security-domain>
</jboss-web>

standalone-full.xml security-domain configuration:

<security-domain name="targin-server" cache-type="default">
                    <authentication>
                        <login-module code="tr.com.splogin.SPLoginModule" flag="required" module="org.jboss.login">
                            <module-option name="unauthenticatedIdentity" value="guest"/>
                        </login-module>
                    </authentication>
                </security-domain>

Oracle Data Source:

<datasource jta="true" jndi-name="java:/OracleDS" pool-name="OracleDS" enabled="true" use-ccm="true">
                    <connection-url>jdbc:oracle:thin:@10.23.4.567:1521:DBSID</connection-url>
                    <driver-class>oracle.jdbc.OracleDriver</driver-class>
                    <driver>oracle</driver>
                    <security>
                        <user-name>dbuser</user-name>
                        <password>dbpass</password>
                    </security>
                    <validation>
                        <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"/>
                        <background-validation>true</background-validation>
                        <stale-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker"/>
                        <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter"/>
                    </validation>
                </datasource>

Stacktrace:

Exception e: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required

org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284)"
org.jboss.as.security.RealmDirectLoginModule.login(RealmDirectLoginModule.java:147)"
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)"
sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)"
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)"
java.lang.reflect.Method.invoke(Unknown Source)"
javax.security.auth.login.LoginContext.invoke(Unknown Source)"
javax.security.auth.login.LoginContext.access$000(Unknown Source)"
javax.security.auth.login.LoginContext$4.run(Unknown Source)"
javax.security.auth.login.LoginContext$4.run(Unknown Source)"
"java.security.AccessController.doPrivileged(Native Method)"
javax.security.auth.login.LoginContext.invokePriv(Unknown Source)"
javax.security.auth.login.LoginContext.login(Unknown Source)"
com.om.targin.admin.LoginService.login(LoginService.java:26)"
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)"
sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)"
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)"
java.lang.reflect.Method.invoke(Unknown Source)"
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)"
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)"
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)"
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:237)"
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)"
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)"
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)"
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)"
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)"
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)"
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)"
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)"
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)"
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)"
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)"
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)"
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)"
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)"
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)"
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)"
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)"
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)"
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)"
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)"
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)"
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)"
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)"
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)"
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:248)"
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:77)"
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:167)"
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)"
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:761)"
java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)"
java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)"
java.lang.Thread.run(Unknown Source)

Thanks in advance.


Solution

  • I figured it out. Quite a small and silly error actually.

    In my LoginService class, when it creates Logincontext I pass in name parameter as 'targin-client' whereas I should pass it as 'targin-server' which is the login module I defined for the app.

            LoginContext lc = null;
            String username = "UseR_U";
            String password = "hashedpassword";
            UsernamePasswordHandler handler = new UsernamePasswordHandler(username,
                    password == null ? null : password.toCharArray());
            lc = new LoginContext("targin-client", handler);
            lc.login();
    

    The correct version is:

            lc = new LoginContext("targin-server", handler);
    

    While creating a login context we pass in a security domain which points to a login module that is defined under Wildfly modules and handles authentication. Also, notice that I am using picketbox security library from Wildfly. SPLoginModule class inherits from this library.

    Cheers.