After migrating our web application with spring-security 3.1.4 from JBoss 4, we got the following warning and could not log in. Other web applications without spring-security worked with the JBoss security config from standalone.xml.
Logging:
21:39:09,921 WARN [org.jboss.security] (ServerService Thread Pool -- 43) PBOX000231: End loadConfig, failed to load config: file:/D:/tools/appserver/jboss-eap-6.1/bin/login-config.xml: java.io.FileNotFoundException: D:\tools\appserver\jboss-eap-6.1\bin\login-config.xml (The system cannot find the file specified)
at java.io.FileInputStream.open(Native Method) [rt.jar:1.7.0_25]
at java.io.FileInputStream.<init>(FileInputStream.java:138) [rt.jar:1.7.0_25]
at java.io.FileInputStream.<init>(FileInputStream.java:97) [rt.jar:1.7.0_25]
at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90) [rt.jar:1.7.0_25]
at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188) [rt.jar:1.7.0_25]
at java.net.URL.openStream(URL.java:1037) [rt.jar:1.7.0_25]
at org.jboss.security.auth.login.XMLLoginConfigImpl.loadSunConfig(XMLLoginConfigImpl.java:416) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.auth.login.XMLLoginConfigImpl.loadConfig(XMLLoginConfigImpl.java:384) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.auth.login.XMLLoginConfigImpl.loadConfig(XMLLoginConfigImpl.java:360) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.auth.login.XMLLoginConfigImpl.refresh(XMLLoginConfigImpl.java:113) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.springframework.security.authentication.jaas.JaasAuthenticationProvider.configureJaas(JaasAuthenticationProvider.java:159) [spring-security-core-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.authentication.jaas.JaasAuthenticationProvider.afterPropertiesSet(JaasAuthenticationProvider.java:132) [spring-security-core-3.1.4.RELEASE.jar:3.1.4.RELEASE]
One solution is to add a login-config.xml and set the system-property as in https://community.jboss.org/thread/213122
standalone.xml
<property name="java.security.auth.login.config" value="${jboss.server.config.dir}/login-config.xml"/>
Create a login-config.xml with your config (duplicated from standalone.xml)... That's not the solution we want. We want to configure the security only in standalone.xml.
I then read the source code of JaasAuthenticationProvider: http://grepcode.com/file/repo1.maven.org/maven2/org.springframework.security/spring-security-core/3.1.4.RELEASE/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java#JaasAuthenticationProvider.0refreshConfigurationOnStartup
*The solution* https://jira.springsource.org/browse/SEC-1320
refreshConfigurationOnStartup can be disabled.
In spring-security.xml, set refreshConfigurationOnStartup to false:
<beans:bean id="jaasAuthenticationProvider" class="org.springframework.security.authentication.jaas.JaasAuthenticationProvider">
    <!-- keep the bean's other properties as they are -->
    <beans:property name="refreshConfigurationOnStartup" value="false"/>
</beans:bean>
Now spring-security does not trigger the refresh and you can use the JBoss security config :-)
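To check every Spring config you migrate for this setting, here is a small audit script. It is an added example, not part of the original post: the function names (refresh_setting, audit) and the sample XML are made up for illustration, and it assumes the Spring default of true when the property is absent.

```python
import xml.etree.ElementTree as ET

BEANS_NS = "{http://www.springframework.org/schema/beans}"
P_NS = "{http://www.springframework.org/schema/p}"
JAAS_CLASS = "org.springframework.security.authentication.jaas.JaasAuthenticationProvider"
PROP = "refreshConfigurationOnStartup"

# Constructed sample: one bean left at the default, one with the fix applied.
SAMPLE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <beans:bean id="jaasDefault" class="%s"/>
  <beans:bean id="jaasFixed" class="%s">
    <beans:property name="refreshConfigurationOnStartup" value="false"/>
  </beans:bean>
</beans:beans>""" % (JAAS_CLASS, JAAS_CLASS)

def refresh_setting(bean):
    """Return the configured value as text, or None if the property is absent."""
    p_attr = bean.get(P_NS + PROP)  # p:refreshConfigurationOnStartup="..."
    if p_attr is not None:
        return p_attr.strip()
    for prop in bean.findall(BEANS_NS + "property"):
        if prop.get("name") == PROP:
            if prop.get("value") is not None:
                return prop.get("value").strip()
            nested = prop.find(BEANS_NS + "value")  # <value>false</value>
            return (nested.text or "").strip() if nested is not None else ""
    return None

def audit(xml_text):
    """Return [(bean id, refreshes_on_startup)] for each JaasAuthenticationProvider."""
    results = []
    for bean in ET.fromstring(xml_text).iter(BEANS_NS + "bean"):
        if bean.get("class") != JAAS_CLASS:
            continue
        value = refresh_setting(bean)
        # Default is true; a ${placeholder} cannot be resolved here, so anything
        # other than a literal "false" is reported as refreshing.
        refreshes = value is None or value.lower() != "false"
        results.append((bean.get("id", "<anonymous>"), refreshes))
    return results

if __name__ == "__main__":
    for bean_id, refreshes in audit(SAMPLE):
        print(bean_id, "refreshes JAAS config on startup" if refreshes else "ok")
```

Any bean reported as refreshing will make PicketBox look for login-config.xml at startup, as in the warning above.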