0 Replies Latest reply: Mar 13, 2012 6:22 AM by mattdarwin RSS

java.lang.SecurityException: Unauthenticated caller:null when encrypting datasource passwords in AS 5.0.1GA

mattdarwin Newbie

I'm trying to encrypt my database password using a JBOSS security domain.  I've followed the instructions in the documentation and it all seems pretty simple.  I'm using jboss 5.0.1GA.  It was working fine before I tried to set up password encryption.

 

The datasource is defined in oracle-ds.xml as follows:

 

<datasources>
 
<local-tx-datasource>
   
<jndi-name>OracleDS</jndi-name>
   
<connection-url>jdbc:oracle:thin:@dbhost:1521:db</connection-url>
   
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
   
<!-- app works fine when you use unencrypted password like this
    <user-name>username</user-name>
    <password>unencrypted_pass</password>
    -->

   
<!-- Use the security domain defined in conf/login-config.xml for username and encrypted password-->
   
<security-domain>Encrypt-my-Password</security-domain>
....etc

 

The login-config.xml file contains this entry:

   <application-policy name="Encrypt-my-Password">
               
<authentication>
                   
<login-module
                           
code="
org.jboss.resource.security.SecureIdentityLoginModule"
                           
flag="required">
                           
<module-option name="username">databaseUsername</module-option>
                           
<module-option name="password">232487h4873hf4</module-option>
                           
<module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
                   
</login-module>
           
</authentication>
   
</application-policy>

 

As soon as I started using this config the application throws an exception as follows when you try to access the datasource:

java.lang.SecurityException: Unauthenticated caller:null
    org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:92)
    org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:687)
    org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:495)
    org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:941)
    org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:89)
    org.hibernate.connection.DatasourceConnectionProvider.getConnection(DatasourceConnectionProvider.java:92)
    org.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:111)
    org.hibernate.cfg.Configuration.buildSettings(Configuration.java:2101)
    org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1325)
    org.hibernate.cfg.AnnotationConfiguration.buildSessionFactory(AnnotationConfiguration.java:867)
    org.hibernate.ejb.Ejb3Configuration.buildEntityManagerFactory(Ejb3Configuration.java:669)
    org.hibernate.ejb.HibernatePersistence.createEntityManagerFactory(HibernatePersistence.java:126)
    javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:52)
    javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:34)
    com.mycompany.er.batch.data.DbHelper.createEntityManager(DbHelper.java:30)
    com.mycompany.er.batch.data.DbHelper.createAndBegin(DbHelper.java:49)
    com.mycompany.er.basman.HibernateTransactionFilter.doFilter(HibernateTransactionFilter.java:53)
    org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

I'm trying to encrypt my database password using a JBOSS security domain.

The datasource is defined in oracle-ds.xml as follows:

<datasources>
 
<local-tx-datasource>
   
<jndi-name>OracleDS</jndi-name>
   
<connection-url>jdbc:oracle:thin:@dbhost:1521:db</connection-url>
   
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
   
<!-- app works fine when you use unencrypted password like this
    <user-name>username</user-name>
    <password>unencrypted_pass</password>
    -->

   
<!-- Use the security domain defined in conf/login-config.xml for username and encrypted password-->
   
<security-domain>Encrypt-my-Password</security-domain>
....etc

The login-config.xml file contains this entry:

   <application-policy name="Encrypt-my-Password">
               
<authentication>
                   
<login-module
                           
code="com.mycompany.global.er.util.ErSecureIdentityLoginModule"
                           
flag="required">
                           
<module-option name="username">databaseUsername</module-option>
                           
<module-option name="password">232487h4873hf4</module-option>
                           
<module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
                   
</login-module>
           
</authentication>
   
</application-policy>

NB the ErSecureIdentityLoginModule is a class already used to encrypt / decrypt DB passwords in another application, where it works fine.

As soon as I started using this config the application throws an exception as follows when you try to access the datasource:

java.lang.SecurityException: Unauthenticated caller:null
    org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:92)
    org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:687)
    org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:495)
    org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:941)
    org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:89)
    org.hibernate.connection.DatasourceConnectionProvider.getConnection(DatasourceConnectionProvider.java:92)
    org.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:111)
    org.hibernate.cfg.Configuration.buildSettings(Configuration.java:2101)
    org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1325)
    org.hibernate.cfg.AnnotationConfiguration.buildSessionFactory(AnnotationConfiguration.java:867)
    org.hibernate.ejb.Ejb3Configuration.buildEntityManagerFactory(Ejb3Configuration.java:669)
    org.hibernate.ejb.HibernatePersistence.createEntityManagerFactory(HibernatePersistence.java:126)
    javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:52)
    javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:34)
    com.mycompany.er.batch.data.DbHelper.createEntityManager(DbHelper.java:30)
    com.mycompany.er.batch.data.DbHelper.createAndBegin(DbHelper.java:49)
    com.mycompany.er.basman.HibernateTransactionFilter.doFilter(HibernateTransactionFilter.java:53)
    org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

I downloaded the source code for jboss 5.0.1GA and debugged with TRACE enabled.  There is an interesting stack trace produced:

2012-03-12 18-13-40:Login failure
javax.security.auth.login.LoginException: java.lang.NullPointerException
        at org.jboss.resource.security.SubjectActions$AddPrincipalsAction.run(SubjectActions.java:101)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.jboss.resource.security.SubjectActions.addPrincipals(SubjectActions.java:139)
        at org.jboss.resource.security.ConfiguredIdentityLoginModule.login(ConfiguredIdentityLoginModule.java:98)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
        at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
        at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
        at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
        at org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:90)

The NullPointerException refers to this line of code in org.jboss.resource.security.SubjectActions:


      static class AddPrincipalsAction implements PrivilegedAction
       {
          Subject subject;
          Principal p;
          AddPrincipalsAction(Subject subject, Principal p)
          {
             this.subject = subject;
             this.p = p;
          }
          public Object run()
          {
             subject.getPrincipals().add(p);
             return null;
          }
       }

However this doesn't help much, and I can't understand what I'm doing wrong. Help!