Own SecurityService ignored migrating from TomEE Plus 1.7.1 to 1.7.5


renz
Hi,

I'm having trouble migrating from TomEE 1.7.1 to 1.7.5.
I'm using Remote Stateless EJB over HTTPS (TomEE apps) for years with 1.7.1.
On the server side, I use my own JAAS Module (Realm and LoginModule) and
SecurityService.

The purpose of my JaasRealm and SecurityService was to propagate
LoginException thrown by my LoginModule (see
http://tomee-openejb.979440.n4.nabble.com/Remote-EJB-Client-Authentication-JAAS-td4666734.html#a4666784).

Now, with version 1.7.5 I'm having trouble and I'm suspecting that my
SecurityService is not used anymore, since I don't see it in the stacktrace.

Stacktrace with TomEE 1.7.1 :
javax.security.auth.login.AccountLockedException: Votre compte a été bloqué. Veuillez prendre contact avec votre administrateur.
        at com.bar.foo.security.jaas.FooBarLoginModule.authentifier(FooBarLoginModule.java:371)
        at com.bar.foo.security.jaas.FooBarLoginModule.login(FooBarLoginModule.java:265)
        at sun.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
        at com.bar.foo.security.jaas.FooBarJAASRealm.authenticate(FooBarJAASRealm.java:76)
        at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:354)
        at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
        at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
        at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
        at org.apache.tomee.catalina.TomEERealm.authenticate(TomEERealm.java:43)
        at com.bar.foo.security.securityservice.FooBarSecurityService.login(FooBarSecurityService.java:74)
        at com.bar.foo.security.securityservice.FooBarSecurityService.login(FooBarSecurityService.java:40)
        at org.apache.openejb.server.ejbd.AuthRequestHandler.processRequest(AuthRequestHandler.java:71)
        at org.apache.openejb.server.ejbd.EjbDaemon.processAuthRequest(EjbDaemon.java:352)
        at org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:246)
        at org.apache.openejb.server.ejbd.EjbServer.service(EjbServer.java:86)
        at org.apache.openejb.server.httpd.ServerServlet.service(ServerServlet.java:58)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2377)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)


Stacktrace with TomEE 1.7.5 :
javax.security.auth.login.AccountLockedException: Votre compte a été bloqué. Veuillez prendre contact avec votre administrateur.
        at com.bar.foo.security.jaas.FooBarLoginModule.authentifier(FooBarLoginModule.java:426)
        at com.bar.foo.security.jaas.FooBarLoginModule.login(FooBarLoginModule.java:296)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
        at com.bar.foo.security.jaas.FooBarJAASRealm.authenticate(FooBarJAASRealm.java:76)
        at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:354)
        at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:181)
        at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:158)
        at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:181)
        at org.apache.tomee.catalina.TomEERealm.authenticate(TomEERealm.java:43)
        at org.apache.tomee.catalina.TomcatSecurityService.login(TomcatSecurityService.java:93)
        at org.apache.tomee.catalina.TomcatSecurityService.login(TomcatSecurityService.java:41)
        at org.apache.openejb.server.ejbd.AuthRequestHandler.processRequest(AuthRequestHandler.java:79)
        at org.apache.openejb.server.ejbd.EjbDaemon.processAuthRequest(EjbDaemon.java:369)
        at org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:263)
        at org.apache.openejb.server.ejbd.EjbServer.service(EjbServer.java:104)
        at org.apache.openejb.server.httpd.ServerServlet.service(ServerServlet.java:58)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
        at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at com.bar.foo.security.jaas.FooBarDnValve.invoke(FooBarDnValve.java:36)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2486)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)


As you can see, in the first case
"com.bar.foo.security.securityservice.FooBarSecurityService.login" is called,
whereas "org.apache.tomee.catalina.TomcatSecurityService.login" is called in
the second one.

Configuration seems to be the same with both versions :
- Security Service is declared in tomee.xml and loaded at startup according
to catalina.out
- JaasRealm is declared using <Realm> in server.xml
- I also add a login.conf to declare my LoginModule.

In both cases, JaasRealm and LoginModule are called as expected.
Only the SecurityService is not.

Is there any difference using SecurityService between TomEE 1.7.1 and 1.7.5?

Thank you very much.




--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

Re: Own SecurityService ignored migrating from TomEE Plus 1.7.1 to 1.7.5

chongma
I can't see your stack traces.


On 21/05/18 15:50, renz wrote:

> Hi,
>
> I'm having trouble migrating from TomEE 1.7.1 to 1.7.5.
> I'm using Remote Stateless EJB over HTTPS (TomEE apps) for years with 1.7.1.
> On the server side, I use my own JAAS Module (Realm and LoginModule) and
> SecurityService.
>
> The purpose of my JaasRealm and SecurityService was to propagate
> LoginException thrown by my LoginModule (see
> http://tomee-openejb.979440.n4.nabble.com/Remote-EJB-Client-Authentication-JAAS-td4666734.html#a4666784).
>
> Now, with version 1.7.5 I'm having trouble and I'm suspecting that my
> SecurityService is not used anymore, since I don't see it in the stacktrace.
>
> Stacktrace with TomEE 1.7.1 :
>
>
>
> Stacktrace with TomEE 1.7.5 :
>
>
> As you can see, in the first case
> "com.bar.foo.security.securityservice.FooBarSecurityService.login" is called,
> whereas "org.apache.tomee.catalina.TomcatSecurityService.login" is called in
> the second one.
>
> Configuration seems to be the same with both versions :
> - Security Service is declared in tomee.xml and loaded at startup according
> to catalina.out
> - JaasRealm is declared using <Realm> in server.xml
> - I also add a login.conf to declare my LoginModule.
>
> In both cases, JaasRealm and LoginModule are called as expected.
> Only the SecurityService is not.
>
> Is there any difference using SecurityService between TomEE 1.7.1 and 1.7.5?
>
> Thank you very much.
>
>
>
>
> --
> Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html


Re: Own SecurityService ignored migrating from TomEE Plus 1.7.1 to 1.7.5

renz
Hi Chongma, I've edited my first post.
Thanks.



--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

Re: Own SecurityService ignored migrating from TomEE Plus 1.7.1 to 1.7.5

Romain Manni-Bucau
Hi

Did you check your impl was instantiated?
If not, I suspect it is already available in the SystemInstance at
https://github.com/apache/tomee/blob/5e75f652cf96e1d95e3a5504f27306f6d6fb85f2/container/openejb-core/src/main/java/org/apache/openejb/assembler/classic/Assembler.java#L3455
but we still use the same loading mechanism. If you can share your setup, we
can maybe have a deeper look.

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


Le lun. 21 mai 2018 à 19:04, renz <[hidden email]> a écrit :

> Hi Chongma, I've edited my first post.
> Thanks.
>
>
>
> --
> Sent from:
> http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html
>

Re: Own SecurityService ignored migrating from TomEE Plus 1.7.1 to 1.7.5

renz
Hi Romain,

Sorry for my late reply.
I'm not sure I understand your message.

How can I check that my impl is instantiated?
Below is an extract of TomEE's startup logs:
 
mai 30, 2018 10:58:57 AM org.apache.openejb.config.ConfigurationFactory configureService
INFOS: Configuring Service(id=My Own Security Service, type=SecurityService, provider-id=FooBar Security Service)
and
mai 30, 2018 10:59:08 AM org.apache.openejb.assembler.classic.Assembler createRecipe
INFOS: Creating SecurityService(id=My Own Security Service)



Which part of my setup do you need?

Thank you.




--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

Re: Own SecurityService ignored migrating from TomEE Plus 1.7.1 to 1.7.5

Romain Manni-Bucau
Hi,

It seems some mail client (not sure whether it is yours or mine) ate the log
you pasted (= I can't read it).
The easiest is likely to check the log which should say which security
service it creates but you can also just put a breakpoint in your
instance to check.


Le mer. 30 mai 2018 à 11:04, renz <[hidden email]> a écrit :

>
> Hi Romain,
>
> Sorry for my late reply.
> I'm not sure I understand your message.
>
> How can I check that my impl is instantiated?
> Below is an extract of TomEE's startup logs:
>
>
> and
>
>
>
> Which part of my setup do you need?
>
> Thank you.
>
>
>
>
> --
> Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

Re: Own SecurityService ignored migrating from TomEE Plus 1.7.1 to 1.7.5

renz
I've edited my previous post.
I'm using Nabble and I had the same issue with my first message (maybe it's
due to the preview).



--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

Re: Own SecurityService ignored migrating from TomEE Plus 1.7.1 to 1.7.5

Romain Manni-Bucau
Looks good,

Maybe give some debugging a try; hopefully it is some signature
change you don't have in your impl.


Le mer. 30 mai 2018 à 16:08, renz <[hidden email]> a écrit :
>
> I've edited my previous post.
> I'm using Nabble and I had the same issue with my first message (maybe it's
> due to the preview).
>
>
>
> --
> Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

Re: Own SecurityService ignored migrating from TomEE Plus 1.7.1 to 1.7.5

renz

Re: Own SecurityService ignored migrating from TomEE Plus 1.7.1 to 1.7.5

Romain Manni-Bucau
You can launch TomEE in remote debug mode (export JPDA_SUSPEND=y &&
export JPDA_ADDRESS=5005 in setenv.sh), then connect to TomEE through
an IDE: you have the option in the run configurations.

Le jeu. 31 mai 2018 à 11:08, renz <[hidden email]> a écrit :
>
> How can I debug it?
>
>
>
> --
> Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

Re: Own SecurityService ignored migrating from TomEE Plus 1.7.1 to 1.7.5

renz
I'm sorry. I don't understand when and how to set a breakpoint.




--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

Re: Own SecurityService ignored migrating from TomEE Plus 1.7.1 to 1.7.5

renz
I've found how to set breakpoints, it was as simple as with a local app.

My problem was that I've left my old SecurityService jar in tomee/lib.
I deleted it, and now everything is all right.

For people who have trouble with SecurityService migrating from 1.7.1 to
1.7.5, you have to implement "public UUID login(String realmName, String
username, String password, final long accessTimeout) throws LoginException".
With 1.7.1, there was no "accessTimeout".

Thank you very much for your help!!!



--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html
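
A check for the cause reported in the last post (an old SecurityService jar left in tomee/lib), as an added example that is not part of the thread: it lists classes provided by more than one jar in the given directories. The jar names and their contents are constructed sample data, and which directories to scan on a real install is left as an assumption.

```python
import os
import tempfile
import zipfile
from collections import defaultdict

# Constructed sample data: jar names and contents are illustrative only.
SERVICE = "com/bar/foo/security/securityservice/FooBarSecurityService.class"
SAMPLE_JARS = {
    "foobar-security-old.jar": [SERVICE],
    "foobar-security-new.jar": [SERVICE, "com/bar/foo/security/jaas/FooBarLoginModule.class"],
    "unrelated.jar": ["org/example/Other.class"],
}


def find_duplicate_classes(lib_dirs):
    """Return {class entry: [jar paths]} for classes found in more than one jar."""
    providers = defaultdict(list)
    for lib_dir in lib_dirs:
        for name in sorted(os.listdir(lib_dir)):
            if not name.endswith(".jar"):
                continue
            path = os.path.join(lib_dir, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    # A set, so a class listed twice in one jar counts once.
                    classes = {e for e in jar.namelist() if e.endswith(".class")}
            except zipfile.BadZipFile:
                continue  # not a readable archive; nothing to compare
            for cls in classes:
                providers[cls].append(path)
    return {cls: jars for cls, jars in providers.items() if len(jars) > 1}


def demo():
    """Build the constructed jars in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as lib:
        for jar_name, entries in SAMPLE_JARS.items():
            with zipfile.ZipFile(os.path.join(lib, jar_name), "w") as jar:
                for entry in entries:
                    jar.writestr(entry, b"")
        found = find_duplicate_classes([lib])
        return {cls: [os.path.basename(j) for j in jars] for cls, jars in found.items()}


if __name__ == "__main__":
    for cls, jars in demo().items():
        print(cls, "->", ", ".join(jars))
```

Any class reported here is loaded from whichever jar the class loader reaches first, so a stale copy can shadow the rebuilt one without any startup error.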