Topic
  • 8 replies
  • Latest Post - 2011-03-19T11:40:21Z by Moonwalker_n
SystemAdmin
SystemAdmin
37421 Posts

Pinned topic JAAS CustomLogin module:com.ibm.websphere.wim.exception.PasswordCheckFailed

2008-02-29T07:22:53Z
Hi,

I am using WAS 6.1. I have created a custom login module and placed it in <WAS root>/lib/ext. I've configured my custom login module in both JAAS application logins and system logins. In System Logins I've added the custom login module to default, WEB_INBOUND, and RMI_INBOUND and marked it REQUIRED. After doing all this I'm getting this exception:
com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E No principal is found from the '<user name>' principal name.

Then at the following link I found that it is a bug in WebSphere and they have released a fix pack for it, but unfortunately APAR PK46513 does not resolve the issue of the user registry check during authentication for custom login modules.

http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg1PK46513

Even after applying fix pack 6.1.0.13 I'm getting the same error. Kindly help me.
Updated on 2011-03-19T11:40:21Z at 2011-03-19T11:40:21Z by Moonwalker_n
  • SystemAdmin
    SystemAdmin
    37421 Posts

    Re: JAAS CustomLogin module:com.ibm.websphere.wim.exception.PasswordCheckFailed

    2008-02-29T13:00:23Z
    I suggest that you start by reading this paper:

    http://www.ibm.com/developerworks/websphere/techjournal/0508_benantar/0508_benantar.html
  • SystemAdmin
    SystemAdmin
    37421 Posts

    Re: JAAS CustomLogin module:com.ibm.websphere.wim.exception.PasswordCheckFailed

    2008-03-04T07:42:24Z
    Thanks Paul for your quick reply.
    I am able to authenticate the user using the custom login module. But now I'm stuck with authorization. I am using FormLogin. Once the authentication is successful I get the following error in SystemOut.log:

    SECJ0129E: Authorization failed for sysadmin while invoking GET on default_host:/webSecurity/restricted/SecureServlet, Authorization failed, Not granted any of the required roles: admin

    I am posting my LoginModule code here:

    import java.io.IOException;
    import java.security.Principal;
    import java.util.ArrayList;
    import java.util.Hashtable;
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.spi.LoginModule;
    import com.ibm.wsspi.security.token.AttributeNameConstants;

    // SysAdminPrincipal and UserPrincipal are this application's own
    // java.security.Principal implementations (not shown here).
    public class SimpleLoginModule implements LoginModule {

        private Subject subject;
        private CallbackHandler callbackHandler;
        private String name;
        private String password;
        private ArrayList<String> groups;

        public void initialize(Subject subject, CallbackHandler callbackHandler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.callbackHandler = callbackHandler;
        }

        public boolean login() throws LoginException {
            System.out.println("*************** Coming in login() of SimpleLoginModule ***************");
            // Each callback is responsible for collecting a credential
            // needed to authenticate the user.
            NameCallback nameCB = new NameCallback("Username");
            PasswordCallback passwordCB = new PasswordCallback("Password", false);
            Callback[] callbacks = new Callback[] { nameCB, passwordCB };
            // Delegate to the provided CallbackHandler to gather the
            // username and password.
            try {
                callbackHandler.handle(callbacks);
            } catch (IOException e) {
                e.printStackTrace();
                LoginException ex = new LoginException("IOException logging in.");
                ex.initCause(e);
                throw ex;
            } catch (UnsupportedCallbackException e) {
                String className = e.getCallback().getClass().getName();
                LoginException ex = new LoginException(className + " is not a supported Callback.");
                ex.initCause(e);
                throw ex;
            }

            // Now that the CallbackHandler has gathered the username and password,
            // use them to authenticate the user against the expected passwords.
            name = nameCB.getName();
            if (passwordCB.getPassword() != null) {
                password = String.valueOf(passwordCB.getPassword());
            }

            // WebSphere's own login modules look for a Hashtable carrying these
            // AttributeNameConstants keys in the Subject's public credentials and
            // build the WSCredential from it instead of querying the user registry.
            Hashtable<String, Object> hashtable = new Hashtable<String, Object>();

            groups = new ArrayList<String>();
            // add admin group
            groups.add("sysadmin");
            groups.add("admin");
            groups.add("Administrator");
            groups.add("sysuser");

            if ("sysadmin".equals(name) && "password".equals(password)) {
                // log in sysadmin
                Principal p = new SysAdminPrincipal(name);
                subject.getPrincipals().add(p);
                // stash in hashtable
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, name);
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, name);
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_PRIMARYGROUPID, "admin");
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, name + "MyCustom");

                subject.getPublicCredentials().add(hashtable);
                return true;
            } else if ("sysuser".equals(name) && "password".equals(password)) {
                Principal p = new UserPrincipal(name);
                // log in user
                subject.getPrincipals().add(p);
                // stash in hashtable
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, name);
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, name);
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, name + "MyCustom");

                subject.getPublicCredentials().add(hashtable);
                return true;
            } else {
                return false;
            }
        }

        public boolean commit() {
            System.out.println("************ Coming in commit() of SimpleLoginModule *************");
            // If this method is called, the user successfully authenticated, and
            // we can add the appropriate Principals to the Subject.
            if ("sysadmin".equals(name)) {
                password = null;
                return true;
            } else if ("sysuser".equals(name)) {
                password = null;
                return true;
            } else {
                return false;
            }
        }

        public boolean abort() {
            System.out.println("************ Coming in abort() of SimpleLoginModule *************");
            name = null;
            password = null;
            return true;
        }

        public boolean logout() {
            System.out.println("************ Coming in logout() of SimpleLoginModule *************");
            name = null;
            password = null;
            return true;
        }

    }
    My web.xml is as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
        <description>JAAS Login Web Application</description>
        <display-name>JAASLogin</display-name>
        <servlet>
            <display-name>login</display-name>
            <servlet-name>login</servlet-name>
            <jsp-file>/login.jsp</jsp-file>
        </servlet>
        <servlet>
            <display-name>dspCred</display-name>
            <servlet-name>dspCred</servlet-name>
            <jsp-file>/dspCred.jsp</jsp-file>
        </servlet>
        <servlet>
            <display-name>configSecurity</display-name>
            <servlet-name>configSecurity</servlet-name>
            <jsp-file>/configSecurity.jsp</jsp-file>
        </servlet>
        <servlet>
            <display-name>loginError</display-name>
            <servlet-name>loginError</servlet-name>
            <jsp-file>/loginError.jsp</jsp-file>
        </servlet>
        <!-- ### Servlets -->
        <servlet>
            <servlet-name>SecureServlet</servlet-name>
            <servlet-class>com.tavant.jaas.jaasloginwar.SampleServlet</servlet-class>
        </servlet>

        <servlet-mapping>
            <servlet-name>SecureServlet</servlet-name>
            <url-pattern>/restricted/SecureServlet</url-pattern>
        </servlet-mapping>

        <!-- ### Security -->
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Restricted</web-resource-name>
                <description>Declarative security tests</description>
                <url-pattern>/restricted/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>admin</role-name>
            </auth-constraint>
        </security-constraint>

        <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>WSJAASLogin</realm-name>
            <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/loginError.jsp</form-error-page>
            </form-login-config>
        </login-config>
        <!-- Security roles used in the application -->
        <security-role><role-name>admin</role-name></security-role>
    </web-app>

    Kindly tell me what is going wrong here? And how do I grant permissions to the user for accessing a particular resource? What is the difference between roles and groups in WebSphere?

    Thank you very much !!!!

    ~ Shweta
  • SystemAdmin
    SystemAdmin
    37421 Posts

    Re: JAAS CustomLogin module:com.ibm.websphere.wim.exception.PasswordCheckFailed

    2008-03-04T15:24:22Z
    shwetag_3@rediffmail.com wrote:

    Kindly tell me what is going wrong here? And how do I grant permissions
    to the user for accessing a particular resource? What is the difference
    between roles and groups in WebSphere?

    Groups are things that exist in a user registry. Roles are JEE
    constructs. All that your login module does is define the group
    memberships for the user that is authenticating. Those groups need to be
    mapped to the appropriate JEE roles, using the WebSphere tooling (either
    ASTK or RAD).
  • SystemAdmin
    SystemAdmin
    37421 Posts

    Re: JAAS CustomLogin module:com.ibm.websphere.wim.exception.PasswordCheckFailed

    2008-03-05T07:24:09Z
    I think ASTK means Application Server Toolkit. Is ASTK different from the Admin console? For my project we have to read the user details and all the role information from a database. So can you tell me how to map this role information, retrieved from the database, to groups in the admin console?
  • SystemAdmin
    SystemAdmin
    37421 Posts

    Re: JAAS CustomLogin module:com.ibm.websphere.wim.exception.PasswordCheckFailed

    2008-03-05T13:54:07Z
    shwetag_3@rediffmail.com wrote:
    I think ASTK means Application Server Toolkit. Is ASTK different
    from the Admin console?

    Yes. ASTK is a developer tool, used to package the EAR file that gets
    deployed in the console (or by scripts). It builds the deployment
    descriptors and the IBM binding files. Some of these settings can be
    overridden by the deployer in the admin console.
    For my project we've to read user details and all
    the roles information from database. So can you tell me how to map
    this role information, retrieved from Database, with groups in admin
    console?

    The only way to use a database as the WAS user registry would be to
    implement the custom user registry interface.
  • SystemAdmin
    SystemAdmin
    37421 Posts

    Re: JAAS CustomLogin module:com.ibm.websphere.wim.exception.PasswordCheckFailed

    2008-03-07T11:39:54Z
    Hi Paul,
    Now the authentication and authorization are successful for my user using the custom login module. But the issue is that the "Authentication strategy" is set to "REQUIRED" for my custom login module. I have to make it "SUFFICIENT". But if I try to make it "SUFFICIENT", authentication fails AND I get the following error in SystemOut.log:
    FormLoginExte E SECJ0118E: Authentication error during authentication for user sysuser

    and the following exception in the <logs>/ffdc/ log file:
    java.lang.NullPointerException com.ibm.ws.security.auth.ContextManagerImpl.processSubjectForPropagationAfterLogin 3495

    Kindly tell me what is causing this error?

    Thanks in advance.
  • SystemAdmin
    SystemAdmin
    37421 Posts

    Re: JAAS CustomLogin module:com.ibm.websphere.wim.exception.PasswordCheckFailed

    2008-03-07T12:51:45Z

    It's all described in the paper I referenced earlier. If you make your
    login module sufficient, the WAS ones will not run, and the Subject will
    not be populated. There is no way to build a valid Subject purely in
    your own code.
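
    Paul's point about SUFFICIENT can be checked outside WebSphere with plain JAAS. The following is an added example, not code from this thread or from IBM: a two-module stack in which a "server" module stands in for the WAS-supplied modules, run once with the custom module REQUIRED and once SUFFICIENT; the string credential it adds is a placeholder for the WSCredential the real modules build.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ControlFlagDemo {
    // Order in which login()/commit() were invoked, shared by both module instances.
    static final List<String> TRACE = new ArrayList<String>();

    /** One class plays both roles; the "name" option says whether it is the custom or the server module. */
    public static class TracingModule implements LoginModule {
        private String name;
        private Subject subject;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.name = String.valueOf(options.get("name"));
        }
        public boolean login() throws LoginException {
            TRACE.add(name + ".login");
            return true;                       // both modules accept; no callbacks needed here
        }
        public boolean commit() {
            TRACE.add(name + ".commit");
            // Stand-in for the server's own modules: only they add the credential the container needs.
            if ("server".equals(name)) subject.getPublicCredentials().add("server-credential(placeholder)");
            return true;
        }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Programmatic equivalent of the console's module stack: the custom module first, the server module after it. */
    static Configuration stack(final LoginModuleControlFlag customFlag) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String alias) {
                String cls = TracingModule.class.getName();
                Map<String, String> custom = new HashMap<String, String>();
                custom.put("name", "custom");
                Map<String, String> server = new HashMap<String, String>();
                server.put("name", "server");
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(cls, customFlag, custom),
                    new AppConfigurationEntry(cls, LoginModuleControlFlag.REQUIRED, server) };
            }
        };
    }

    /** Runs the stack once and returns the trace plus how many credentials the Subject ended up with. */
    static List<String> run(LoginModuleControlFlag customFlag) throws LoginException {
        TRACE.clear();
        Subject subject = new Subject();
        new LoginContext("demo", subject, null, stack(customFlag)).login();
        TRACE.add("credentials=" + subject.getPublicCredentials().size());
        return new ArrayList<String>(TRACE);
    }

    public static void main(String[] args) throws LoginException {
        System.out.println("REQUIRED   -> " + run(LoginModuleControlFlag.REQUIRED));
        System.out.println("SUFFICIENT -> " + run(LoginModuleControlFlag.SUFFICIENT));
    }
}
```

    With REQUIRED the trace reads custom.login, server.login, custom.commit, server.commit and the Subject holds one credential; with SUFFICIENT it stops after custom.commit with a credential count of 0, because a SUFFICIENT module that succeeds returns control to the caller in both the login and the commit phase, so the modules behind it never run.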
  • Moonwalker_n
    Moonwalker_n
    3 Posts

    Re: JAAS CustomLogin module:com.ibm.websphere.wim.exception.PasswordCheckFailed

    2011-03-19T11:40:21Z
    I have encountered this exception:
    com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E No principal is found from the 'EXT<Tksmau12ADqL}ZMiACELeZxfZ2hHXtYzxQaVpEv0;appId=CM;>' principal name.

    The cause is that JAAS is not able to log in to the EJB interface using the WSLogin context configuration, as the default realm is not able to log in using WSLogin. WAS uses the properties Use_appcontext_callback and User_relam_callback to enable JAAS to log in using the WSLogin context, and for that these properties need to be set to true.

    1. Use_appcontext_callback = true
    2. User_relam_callback = true

    The properties can be found at this location: Secure administration, applications, and infrastructure > JAAS - Application logins > WSLogin > JAAS login modules > com.ibm.ws.security.common.auth.module.WSLoginModuleImpl > Custom properties

    Once these properties are set, the server needs to be restarted for them to take effect.

    Note: the programmatic login to the EJB needs to follow this pattern.
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.LoginContext;
    import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

    // login block: "uid"/"pwd" are placeholders for the real user id and password
    CallbackHandler loginHandler = new WSCallbackHandlerImpl("uid", "pwd");
    LoginContext lc = new LoginContext("WSLogin", loginHandler); // WSLogin is the application login alias configured above
    lc.login(); // throws javax.security.auth.login.LoginException if the WSLogin stack rejects the credentials
    Subject subject = lc.getSubject();