Wednesday, September 25, 2013

JBoss 7 AS / JBoss 6 EAP spring-security triggers login-config.xml fix


After migrating our web application with spring-security 3.1.4 from JBoss 4, we got the following warning and could not log in. Other web applications without spring-security worked with the JBoss security config from standard.xml.

Logging:
21:39:09,921 WARN [org.jboss.security] (ServerService Thread Pool -- 43) PBOX000231: End loadConfig, failed to load config: file:/D:/tools/appserver/jboss-eap-6.1/bin/login-config.xml: java.io.FileNotFoundException: D:\tools\appserver\jboss-eap-6.1\bin\login-config.xml (The system cannot find the file specified)
at java.io.FileInputStream.open(Native Method) [rt.jar:1.7.0_25]
at java.io.FileInputStream.<init>(FileInputStream.java:138) [rt.jar:1.7.0_25]
at java.io.FileInputStream.<init>(FileInputStream.java:97) [rt.jar:1.7.0_25]
at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90) [rt.jar:1.7.0_25]
at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188) [rt.jar:1.7.0_25]
at java.net.URL.openStream(URL.java:1037) [rt.jar:1.7.0_25]
at org.jboss.security.auth.login.XMLLoginConfigImpl.loadSunConfig(XMLLoginConfigImpl.java:416) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.auth.login.XMLLoginConfigImpl.loadConfig(XMLLoginConfigImpl.java:384) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.auth.login.XMLLoginConfigImpl.loadConfig(XMLLoginConfigImpl.java:360) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.auth.login.XMLLoginConfigImpl.refresh(XMLLoginConfigImpl.java:113) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.springframework.security.authentication.jaas.JaasAuthenticationProvider.configureJaas(JaasAuthenticationProvider.java:159) [spring-security-core-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.authentication.jaas.JaasAuthenticationProvider.afterPropertiesSet(JaasAuthenticationProvider.java:132) [spring-security-core-3.1.4.RELEASE.jar:3.1.4.RELEASE]


One solution is to add a login-config.xml and set the system property as in https://community.jboss.org/thread/213122
standalone.xml:
<property name="java.security.auth.login.config" value="${jboss.server.config.dir}/login-config.xml"/>

Create a login-config.xml with your config (duplicated from standalone.xml)... That's not the solution we want. We want to configure the security only in standalone.xml.

After investigating the source of XMLLoginConfigImpl, I discovered that a refresh is triggered and the JBoss security config from standalone.xml is removed.
I then read the source code of JaasAuthenticationProvider: http://grepcode.com/file/repo1.maven.org/maven2/org.springframework.security/spring-security-core/3.1.4.RELEASE/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java#JaasAuthenticationProvider.0refreshConfigurationOnStartup

*The solution* https://jira.springsource.org/browse/SEC-1320
refreshConfigurationOnStartup can be disabled.

In spring-security.xml, set refreshConfigurationOnStartup to false:
<beans:bean id="jaasAuthenticationProvider" class="org.springframework.security.authentication.jaas.JaasAuthenticationProvider">
    <!-- the other properties of your existing bean stay unchanged -->
    <beans:property name="refreshConfigurationOnStartup" value="false"/>
</beans:bean>

Now spring-security does not trigger the refresh and you can use the JBoss security config :-)
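To catch this before deployment, the check below scans a Spring bean file for JaasAuthenticationProvider beans that would still refresh the JAAS configuration on startup. It is an added example, not code from the original post or from Spring Security; the function names, bean ids and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

JAAS_PROVIDER = "org.springframework.security.authentication.jaas.JaasAuthenticationProvider"
PROP = "refreshConfigurationOnStartup"

def local(name):
    """Strip the XML namespace so beans:bean and plain bean are treated alike."""
    return name.rsplit("}", 1)[-1]

def refresh_value(bean):
    """Return the configured value of the property, or None when it is not set."""
    for attr, val in bean.attrib.items():  # p-namespace shortcut attribute
        if local(attr) == PROP:
            return val
    for child in bean:
        if local(child.tag) == "property" and child.get("name") == PROP:
            if child.get("value") is not None:
                return child.get("value")
            for sub in child:  # <property><value>false</value></property>
                if local(sub.tag) == "value":
                    return sub.text or ""
    return None

def find_refreshing_providers(xml_text):
    """List ids of JaasAuthenticationProvider beans that still refresh on startup."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "bean" and el.get("class") == JAAS_PROVIDER:
            value = refresh_value(el)
            # The property defaults to true, so a missing setting is a finding too.
            if value is None or value.strip().lower() != "false":
                findings.append(el.get("id", "<anonymous>"))
    return findings

# Constructed sample: one bean with the fix applied, one left at the default.
SAMPLE = f"""<beans:beans xmlns:beans="http://www.springframework.org/schema/beans">
  <beans:bean id="fixedProvider" class="{JAAS_PROVIDER}">
    <beans:property name="refreshConfigurationOnStartup" value="false"/>
  </beans:bean>
  <beans:bean id="defaultProvider" class="{JAAS_PROVIDER}">
    <beans:property name="loginContextName" value="example-domain"/>
  </beans:bean>
</beans:beans>"""

if __name__ == "__main__":
    for bean_id in find_refreshing_providers(SAMPLE):
        print(f"{bean_id}: {PROP} is not false, JBoss security domains may be dropped")
```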

2 comments:

  1. Nice, but how do you configure to use the standalone.xml in the XMLLoginConfigImpl? Or is it done automatically? Can you post the whole declaration of your jaasAuthenticationProvider-Bean?

    Thanks
    Fabian

  2. The jaas config in the JBoss standalone.xml is configured automatically by JBoss. I don't have the jaasAuthenticationProvider-Bean declaration at hand, see http://docs.spring.io/spring-security/site/docs/4.0.x/reference/htmlsingle/#jaas
