JIRA 4.4: java.lang.SecurityException: Unable to locate a login configuration


Valentijn

Jan 28, 2012, 7:16:14 PM
to javamelody
Hello,

Javamelody plugin is running fine in JIRA.

For security reasons I tried to set up a username/password for the /
monitoring context, but it doesn't work.

I followed the user guide and double-checked the steps involved, but I
am getting the exception below:

29-jan-2012 1:01:25 org.apache.catalina.realm.JAASRealm authenticate
SEVERE: Unexpected error
java.lang.SecurityException: Unable to locate a login configuration
    at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:93)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at javax.security.auth.login.Configuration$3.run(Configuration.java:247)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:242)
    at javax.security.auth.login.LoginContext$1.run(LoginContext.java:237)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.init(LoginContext.java:234)
    at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
    at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:393)
    at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:334)
    at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:554)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:864)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.io.IOException: Unable to locate a login configuration
    at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:250)
    at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:91)
    ... 26 more

Could it be that CATALINA_HOME or something is different in JIRA
startup so it can't find the tomcat-users.xml file or something?

Thanks for your help,

Valentijn

Valentijn

Jan 29, 2012, 4:09:12 AM
to javamelody
Extra info: I am running JIRA as a Windows service

Vernat Emeric

Jan 29, 2012, 8:40:02 AM
to javam...@googlegroups.com
Hi,

When using the javamelody plugin for JIRA, Confluence or Bamboo [1], the
plugin already checks that the user is connected as system admin.
Given that the system admin can see all admin tabs in JIRA / Confluence
/ Bamboo, I would think that seeing the javamelody monitoring page does
not need more permission.
And I would think that this check is enough and you don't need to add more.

By the way, when using the "monitoring" javamelody plugin [2] for
Jenkins or Hudson and when the security is enabled in Jenkins / Hudson,
the "monitoring" plugin also checks that the user is connected as admin.

That said, if you really wish to add more checks, yes the Tomcat
configuration and the authentication configuration in JIRA are quite
specialized for JIRA, but I do not know the details of what is
configured in JIRA's Tomcat.
And, because you were speaking about the collect server before, do you
want in fact to connect a collect server to the monitoring of JIRA? If
yes, have you used "-Djavamelody.plugin-authentication-disabled=true"
and "-Djavamelody.allowed-addr-pattern=....."?

bye,
Emeric

[1] https://plugins.atlassian.com/plugin/details/20909
[2] https://wiki.jenkins-ci.org/display/JENKINS/Monitoring


On 29/01/2012 01:16, Valentijn wrote:

Valentijn

Jan 29, 2012, 5:34:08 PM
to javamelody
Thanks for the detailed reply.

I didn't notice the monitoring url was protected by jira administrator
rights.

Is it documented somewhere? From the atlassian-plugin.xml I deduce
that the user needs to be SYSTEM-administrator?


<!-- For compatibility with Confluence, we do not set this condition, which is not
necessary if the section is system.admin/system
<condition class="com.atlassian.jira.plugin.webfragment.conditions.UserIsSysAdminCondition" />
-->

The condition is commented out, but I think my French is good enough
to understand that the condition isn't necessary because it's in the
system.admin section?

I also notice that when I browse to <jira>/monitoring manually, it
also checks whether the user is logged in.
Does it also check system-administrator permission?
Where is it configured that the /monitoring url should be behind login
and has certain permissions to be met?
I'm just curious, as I am a JIRA fanboy.

Thanks,

Valentijn

Vernat Emeric

Jan 30, 2012, 4:30:43 AM
to javam...@googlegroups.com
Hi,

I think that checking permission in the JIRA plugin is not documented:
"it just works".

Yes it checks that the user is connected and that the user has the
System-Admin permission in JIRA.
This check is done every time the "/monitoring" url is called, both when
it is called by using the menu in JIRA's administration and when the
"/monitoring" url is called directly.

The web-item in atlassian-plugin.xml is there just to add an item (a
link) in the JIRA's administration.

Checking the user and the permission for JIRA, Confluence and Bamboo is
in fact coded there and there in the servlet filter:
http://code.google.com/p/javamelody/source/browse/trunk/javamelody-core/src/main/java/net/bull/javamelody/JiraMonitoringFilter.java#68
http://code.google.com/p/javamelody/source/browse/trunk/javamelody-core/src/main/java/net/bull/javamelody/JiraMonitoringFilter.java#136
(You can see that this code was changed recently to be compatible with
JIRA 5 RC)

bye,
Emeric

On 29/01/2012 23:34, Valentijn wrote:
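
The per-request check described in the reply above, sketched as a servlet filter; this is an added example, not part of the thread and not JavaMelody's JiraMonitoringFilter. `MonitoringGuardFilter` and `AdminCheck` are hypothetical names, and the way the two system properties quoted earlier in the thread combine here (including refusing access when the user check is disabled and no address pattern is set) is an assumption of this sketch.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Illustration only: not JavaMelody's JiraMonitoringFilter. Assumed to be registered for /monitoring.
public class MonitoringGuardFilter implements Filter {
    /** Hypothetical stand-in for the host application's user and permission API. */
    public interface AdminCheck {
        boolean isLoggedIn(HttpServletRequest request);
        boolean isSystemAdmin(HttpServletRequest request);
    }

    private final AdminCheck adminCheck;
    // Property names are the ones quoted in the thread; how they combine here is an assumption.
    private final boolean pluginAuthDisabled =
            Boolean.getBoolean("javamelody.plugin-authentication-disabled");
    private final String addrProperty = System.getProperty("javamelody.allowed-addr-pattern");
    private final Pattern allowedAddr = addrProperty == null ? null : Pattern.compile(addrProperty);

    public MonitoringGuardFilter(AdminCheck adminCheck) { this.adminCheck = adminCheck; }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        boolean addrOk = allowedAddr == null || allowedAddr.matcher(req.getRemoteAddr()).matches();
        if (!addrOk || (pluginAuthDisabled && allowedAddr == null)) {
            // Wrong source address, or user check disabled with no address restriction: fail closed.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else if (!pluginAuthDisabled && !adminCheck.isLoggedIn(req)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); // or redirect to the login page
        } else if (!pluginAuthDisabled && !adminCheck.isSystemAdmin(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // logged in, but not a system admin
        } else {
            chain.doFilter(request, response); // checked on every request, menu link or direct URL
        }
    }
}
```

Because the decision is made in the filter, commenting out the web-item condition only affects whether the menu link is shown, not who can load the page.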

Valentijn

Jan 30, 2012, 11:50:58 AM
to javamelody
Thanks!
