JAAS CustomLogin module:com.ibm.websphere.wim.exception.PasswordCheckFailed

shwe...@rediffmail.com

unread,

Feb 29, 2008, 2:22:53 AM2/29/08

to

Hi, 
 
I am using WAS 6.1. I have created a custom login module and placed it in <WAS root>/lib/ext. I've configured my customlogin module in bot JAAS application logins and system logins. in System Logins I've added the customLoginModule in default, WEB_INBOUND, and RMI_INBOUND and mark it REQUIRED. after doing all this I m getting exception : 
com.ibm.websphere.wim.exception.PasswordCheckFailedException:CWWIM4537E No principal is found from the '<user name>' principal name. 
 
Then on the following link I found that it is a bug in websphere and they have released a fix pack for this. but unfortunately APAR PK46513 does not resolve the issue of User registry check during authentication for custom login modules. 
 
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg1PK46513 
 
even after applying fix pak 6.1.0.13 I m getting the same error. Kindly help me.

Paul Ilechko

unread,

Feb 29, 2008, 8:00:23 AM2/29/08

to

I suggest that you start by reading this paper:

http://www.ibm.com/developerworks/websphere/techjournal/0508_benantar/0508_benantar.html

shwe...@rediffmail.com

unread,

Mar 4, 2008, 2:42:24 AM3/4/08

to

Thanks Paul for your quick reply. . . 
I am able to authenticate the user using custom login module. But now I m stuck with authorization.I am using FormLogin. . .Once the authentication is successful I get the following error in SystemOut.log: 
 
SECJ0129E: Authorization failed for sysadmin while invoking GET on default_host:/webSecurity/restricted/SecureServlet, Authorization failed, Not granted any of the required roles: admin 
 
I am posting my LoginModule code here. . . 
 
public class SimpleLoginModule implements LoginModule { 
 
private Subject subject; 
private CallbackHandler callbackHandler; 
private String name; 
private String password; 
InitialContext ctx; 
UserRegistry reg; 
ArrayList<String> groups; 
String uniqueid ; 
 
public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) { 
this.subject = subject; 
this.callbackHandler = callbackHandler; 
} 
 
public boolean login() throws LoginException { 
System.out.println("*************** Coming in login()of SimpleLoginModule ***************"); 
// Each callback is responsible for collecting a credential 
// needed to authenticate the user. 
NameCallback nameCB = new NameCallback("Username"); 
PasswordCallback passwordCB = new PasswordCallback("Password",false); 
Callback<a href="http://www-128.ibm.com/developerworks/forums/">] callbacks = new Callback[</a> { nameCB, passwordCB }; 
// Delegate to the provided CallbackHandler to gather the 
// username and password. 
try { 
callbackHandler.handle(callbacks); 
} catch (IOException e) { 
e.printStackTrace(); 
LoginException ex = new LoginException( 
"IOException logging in."); 
ex.initCause(e); 
throw ex; 
} catch (UnsupportedCallbackException e) { 
String className = e.getCallback().getClass().getName(); 
LoginException ex = new LoginException(className 
+ " is not a supported Callback."); 
ex.initCause(e); 
throw ex; 
} 
 
// Now that the CallbackHandler has gathered the username and password, 
// use them to authenticate the user against the expected passwords. 
name = nameCB.getName(); 
if(passwordCB.getPassword()!=null) 
password = String.valueOf(passwordCB.getPassword()); 
 
Hashtable<String, Object> hashtable = new Hashtable<String, Object>(); 
 
groups = new ArrayList<String>(); 
// add admin group 
groups.add("sysadmin"); 
groups.add("admin"); 
groups.add("Administrator"); 
groups.add("sysuser"); 
 
if ("sysadmin".equals(name) && "password".equals(password)) { 
// login in sysadmin 
Principal p = new SysAdminPrincipal(name); 
 
subject.getPrincipals().add(p); 
// stash in hashtable 
hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID,name); 
hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME,name); 
hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups); 
hashtable.put(AttributeNameConstants.WSCREDENTIAL_PRIMARYGROUPID,"admin"); 
hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,name+"MyCustom"); 
 
subject.getPublicCredentials().add(hashtable); 
return true; 
} else if ("sysuser".equals(name) && "password".equals(password)) { 
Principal p = new UserPrincipal(name); 
// login user 
subject.getPrincipals().add(p); 
// stash in hashtable 
hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID,name); 
hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME,name); 
hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups); 
hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,name+"MyCustom"); 
 
subject.getPublicCredentials().add(hashtable); 
return true; 
} else { 
return false; 
} 
} 
 
public boolean commit() { 
System.out.println("************ Coming in Commit() of SimpleLoginModule *************"); 
// If this method is called, the user successfully authenticated, and 
// we can add the appropriate Principles to the Subject. 
if ("sysadmin".equals(name)) { 
password = null; 
return true; 
} else if ("sysuser".equals(name)) { 
password = null; 
return true; 
} else { 
return false; 
} 
} 
 
public boolean abort() { 
System.out.println("************ Coming in abort() of SimpleLoginModule *************"); 
name = null; 
password = null; 
return true; 
} 
 
public boolean logout() { 
System.out.println("************ Coming in logout() of SimpleLoginModule *************"); 
name = null; 
password = null; 
return true; 
} 
 
} 
My web.xml is as follows: 
 
<?xml version="1.0" encoding="UTF-8"?> 
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4"> 
<description>JAAS Login Web Application</description> 
<display-name>JAASLogin</display-name> 
<servlet> 
<display-name>login</display-name> 
<servlet-name>login</servlet-name> 
<jsp-file>/login.jsp</jsp-file> 
</servlet> 
<servlet> 
<display-name>dspCred</display-name> 
<servlet-name>dspCred</servlet-name> 
<jsp-file>/dspCred.jsp</jsp-file> 
</servlet> 
<servlet> 
<display-name>configSecurity</display-name> 
<servlet-name>configSecurity</servlet-name> 
<jsp-file>/configSecurity.jsp</jsp-file> 
</servlet> 
<servlet> 
<display-name>loginError</display-name> 
<servlet-name>loginError</servlet-name> 
<jsp-file>/loginError.jsp</jsp-file> 
</servlet> 
 
<servlet> 
<servlet-name>SecureServlet</servlet-name> 
<servlet-class>com.tavant.jaas.jaasloginwar.SampleServlet</servlet-class> 
</servlet> 
 
<servlet-mapping> 
<servlet-name>SecureServlet</servlet-name> 
<url-pattern>/restricted/SecureServlet</url-pattern> 
</servlet-mapping> 
 
 
<security-constraint> 
<web-resource-collection> 
<web-resource-name>Restricted</web-resource-name> 
<description>Declarative security tests</description> 
<url-pattern>/restricted/*</url-pattern> 
<http-method>GET</http-method> 
<http-method>POST</http-method> 
</web-resource-collection> 
<auth-constraint> 
<role-name>admin</role-name> 
</auth-constraint> 
</security-constraint> 
 
<login-config> 
<auth-method>FORM</auth-method> 
<realm-name>WSJAASLogin</realm-name> 
<form-login-config> 
<form-login-page>/login.jsp</form-login-page> 
<form-error-page>/loginError.jsp</form-error-page> 
</form-login-config> 
</login-config> 
 
<security-role><role-name>admin</role-name></security-role> 
</web-app> 
 
Kindly tell me what is going wrong here? And how to grant permissions to the user for accessing a particular resource? What is the diff between rols and group in websphere? 
 
Thank you very much !!!! 
 
~ Shweta

Paul Ilechko

unread,

Mar 4, 2008, 10:24:22 AM3/4/08

to

shwe...@rediffmail.com wrote:

> Kindly tell me what is going wrong here? And how to grant permissions
> to the user for accessing a particular resource? What is the diff
> between rols and group in websphere? 
>

Groups are things that exist in a user registry. Roles are JEE
constructs. All that your login module does is define the group
memberships for the user that is authenticating. Those groups need to be
mapped to the appropriate JEE roles, using the WebSphere tooling (either
ASTK or RAD).

shwe...@rediffmail.com

unread,

Mar 5, 2008, 2:24:09 AM3/5/08

to

I think ASTK means Application Server Tool kit. . is ASTK different from Admin console? For my project we've to read user details and all the roles information from database. So can you tell me how to map this role information, retrieved from Database, with groups in admin console?

Paul Ilechko

unread,

Mar 5, 2008, 8:54:07 AM3/5/08

to

shwe...@rediffmail.com wrote:
> I think ASTK means Application Server Tool kit. . is ASTK different
> from Admin console?

Yes. ASTK is a developer tool, used to package the EAR file that gets
deployed in the console (or by scripts). It builds the deployment
descriptors and the IBM binding files. Some of these settings can be
overridden by the deployer in the admin console.

> For my project we've to read user details and all
> the roles information from database. So can you tell me how to map
> this role information, retrieved from Database, with groups in admin
> console?

The only way to use a database as the WAS user registry would be to
implement the custom user registry interface.

shwe...@rediffmail.com

unread,

Mar 7, 2008, 6:39:54 AM3/7/08

to

Hi Paul, 
Now the authentication and authorization is successful for my user using Custom Login module. But the issue is "Authentication strategy" is set up as "REQUIRED" for my custom login module. I have to make it "SUFFICIENT". But if I try to make it "SUFFICIENT", authentication is failing AND I am getting following error in System.Out.log : 
FormLoginExte E SECJ0118E: Authentication error during authentication for user sysuser 
 
and following exception in <logs>/ffdc/ log file: 
java.lang.NullPointerException com.ibm.ws.security.auth.ContextManagerImpl.processSubjectForPropagationAfterLogin 3495 
 
Kindly tell me what is causing this error? 
 
Thanks in advance.

Paul Ilechko

unread,

Mar 7, 2008, 7:51:45 AM3/7/08

to

It's all described in the paper I referenced earlier. If you make your
login module sufficient, the WAS ones will not run, and the Subject will
not be populated. There is no way to build a valid Subject purely in
your own code.