RE: RE: Liferay 7.4 JAAS not working - returns to the login screen
Hi,
I successfully upgraded LR 7.1 to 7.4 (latest), but it seems like JAAS stopped working there and I am now able to log in only with portal.jaas.enable=false.
portal-ext.properties:
portal.jaas.enable=true
portal.jaas.auth.type=screenName
Are there any hidden changes I missed between 7.1 and 7.4?
Thank you
Some details - LR7.4, WildFly 22.0.0.
When JAAS enabled:
"Logon as user1" ---> WAR ---> ejb call ---> EAR bean method. In the EAR bean I have @SessionContext resource and getPrincipal gave me "user1".
"Logon as user2" ---> WAR ---> ejb call ---> EAR bean method. In the EAR bean I have @SessionContext resource and getPrincipal gave me "user2".
But in 7.4 JAAS is deprecated and I have to switch it off and getPrincipal returns "anonymus" for all logged users, which is wrong.
Please help
Hi Alex,
Is it working for you? We are also facing the same issue: JAAS is not working with Liferay 7.4 and Tomcat.
Regards,
Fayaj
I had to create my own JAAS module (copied from the 7.1 sources). Now everything is OK, but it left me puzzled why that was removed in 7.4.
Hi Alex,
Thanks for the update.
Can you please share any pointers you followed to create your own JAAS module? How do I create a custom JAAS module?
Are you using Liferay's login portlet in your application or a custom one? Have you added the missing classes to Portal-kernel or Portal-impl?
Regards,
Fayaj
OK, see the dummy module I created just to maintain the session credentials:
package uk.co.caci.portal.liferay;

import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * @author amirren - JAAS implementation to keep EJB context separated for each logged user
 */
public class CaciLoginModule implements LoginModule {

    @Override
    public boolean abort() {
        return true;
    }

    public boolean preCommit() throws LoginException {
        Principal principal = getPrincipal();
        if (principal != null) {
            Subject subject = getSubject();
            Set<Principal> principals = subject.getPrincipals();
            principals.add(getPrincipal());
            return true;
        }
        return false;
    }

    @Override
    public boolean commit() throws LoginException {
        //_log.info("commit");
        boolean commitValue = preCommit();
        if (commitValue) {
            PortalGroup rolesPortalGroup = new PortalGroup("Roles");
            rolesPortalGroup.addMember(new PortalPrincipal("users"));
            Subject subject = getSubject();
            Set<Principal> principals = subject.getPrincipals();
            principals.add(rolesPortalGroup);
            PortalGroup callerPrincipalGroup = new PortalGroup(
                "CallerPrincipal");
            callerPrincipalGroup.addMember(getPrincipal());
            principals.add(callerPrincipalGroup);
        }
        return commitValue;
    }

    @Override
    public void initialize(
        Subject subject, CallbackHandler callbackHandler,
        Map<String, ?> sharedState, Map<String, ?> options) {
        //_log.info("initialize");
        _subject = subject;
        _callbackHandler = callbackHandler;
    }

    @Override
    public boolean login() throws LoginException {
        String[] credentials = null;
        //_log.info("login");
        try {
            credentials = authenticate();
        } catch (Exception e) {
            _log.error(e.getMessage());
            throw new LoginException();
        }
        if ((credentials != null) && (credentials.length == 2)) {
            setPrincipal(getPortalPrincipal(credentials[0]));
            setPassword(credentials[1]);
            return true;
        }
        throw new LoginException();
    }

    @Override
    public boolean logout() {
        Subject subject = getSubject();
        Set<Principal> principals = subject.getPrincipals();
        principals.clear();
        return true;
    }

    // already authenticated in LR hooks - just build a context
    protected String[] authenticate()
        throws IOException, UnsupportedCallbackException {
        //_log.info("authenticate");
        NameCallback nameCallback = new NameCallback("name: ");
        PasswordCallback passwordCallback = new PasswordCallback(
            "password: ", false);
        _callbackHandler.handle(
            new Callback[]{nameCallback, passwordCallback});
        String name = nameCallback.getName();
        String password = null;
        char[] passwordChar = passwordCallback.getPassword();
        if (passwordChar != null) {
            password = new String(passwordChar);
        }
        if (name == null) {
            return new String[]{"", ""};
        }
        //_log.info("simple names");
        return new String[]{name, password};
    }

    protected String getPassword() {
        return _password;
    }

    protected Principal getPortalPrincipal(String name) throws LoginException {
        return new PortalPrincipal(name);
    }

    protected Principal getPrincipal() {
        return _principal;
    }

    protected Subject getSubject() {
        return _subject;
    }

    protected void setPassword(String password) {
        _password = password;
    }

    protected void setPrincipal(Principal principal) {
        _principal = principal;
    }

    private final static Logger _log = LoggerFactory.getLogger(CaciLoginModule.class);
    private CallbackHandler _callbackHandler;
    private String _password;
    private Principal _principal;
    private Subject _subject;
}
Then I copied the generated jar into the WildFly server modules folder (no other dependencies required).
Then in the ROOT.war I altered jboss-deployment and added a reference to the new module.
In the WildFly config I replaced the outdated module with mine.
All works. You have to do something similar for Tomcat.
Hi Alex,
Thanks for the update. I have created a dummy module with the above class and also added the missing files to the dummy module, like PortalGroup, PortalPrincipal, PortalRole.
Can you please elaborate on the points you mentioned below?
- "Then copied generated jar into wildfly server modules folder (no other dependencies required)" - Do you mean to add the created jar to the Tomcat lib folder?
- "Then in the ROOT.war altered jboss-deployment - added reference to the new module." - Which file exactly do I need to update, the jboss-deployment-structure file?
- "In the wildfly config replaced outdated module with my" - By config file, are you referring to the jaas.config file?
Thanking you in advance.
Regards,
Fayaj
1. This is where the module is located in WildFly (JBoss). I have no idea about Tomcat; you have to locate the original place in the LR 7.1 version.
2. I am not sure about the jboss-deployment file here, as you are working with Tomcat and the file might be different. Try to locate traces in the LR 7.1 ROOT.war.
My file looks like:
<?xml version="1.0"?>
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.1">
    <deployment>
        <exclusions>
            <module name="org.apache.log4j" />
            <module name="org.hibernate" />
            <module name="org.slf4j" />
        </exclusions>
        <dependencies>
            <module meta-inf="export" name="uk.co.caci.portal.liferay">
                <imports>
                    <include path="META-INF" />
                </imports>
            </module>
            <module name="javax.mail.api" />
            <module name="org.apache.xerces" />
            <module name="org.jboss.modules" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>
The part <module meta-inf="export" name="uk.co.caci.portal.liferay"> is a reference to the WildFly modules. Again, it might/should be different for Tomcat.
3. The WildFly config file contains a <login-module code="uk.co.caci.portal.liferay.CaciLoginModule" flag="required"/> reference. Again, different from Tomcat.
<subsystem xmlns="urn:jboss:domain:security:2.0">
    <security-domains>
        <security-domain name="PortalRealm">
            <authentication>
                <login-module code="uk.co.caci.portal.liferay.CaciLoginModule" flag="required"/>
            </authentication>
        </security-domain>
        <security-domain name="other" cache-type="default">
            <authentication>
                <login-module code="Remoting" flag="optional">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
                <login-module code="RealmDirect" flag="required">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
            </authentication>
        </security-domain>
OK, your new .jar should land in the <tomcat>\lib\ext\ folder.
Then, in the ROOT resin-web.xml, replace the login-module class with your custom one:
<web-app xmlns="http://caucho.com/ns/resin">
    <authenticator type="com.caucho.server.security.JaasAuthenticator">
        <init>
            <login-module>com.liferay.portal.security.jaas.PortalLoginModule</login-module>
            <password-digest>none</password-digest>
        </init>
    </authenticator>
</web-app>
and make sure the portal-ext.properties file has JAAS enabled:
portal.jaas.enable=true
portal.jaas.auth.type=userId
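
Added example, not part of the thread and not Liferay code: a JDK-only harness for checking what principals a custom JAAS LoginModule puts on the Subject before the jar goes into WildFly or Tomcat. `JaasHarness` and `DemoLoginModule` are hypothetical names; the stand-in module follows the same callback pattern as the posted class but rejects a missing user name, whereas the posted `login()` accepts whatever name the callback supplies, including none.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class JaasHarness {
    // Hypothetical stand-in for the custom module (assumption, not the thread's class).
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private Principal principal;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("name: ");
            try { handler.handle(new Callback[] {nc}); }
            catch (Exception e) { throw new LoginException(e.getMessage()); }
            String name = nc.getName();
            // Reject a missing name instead of building a principal with an empty name.
            if (name == null || name.isEmpty()) throw new FailedLoginException("no user name supplied");
            principal = () -> name;   // Principal's only abstract method is getName()
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(principal); return true; }
        public boolean abort() { principal = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // Runs one login against the named module through an in-memory JAAS Configuration.
    static Subject login(String moduleClass, String user) throws LoginException {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String realm) {
                return new AppConfigurationEntry[] {new AppConfigurationEntry(
                    moduleClass, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
            }
        };
        CallbackHandler cb = callbacks -> {   // answers the Name/Password callbacks a module asks for
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("constructed".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("PortalRealm", new Subject(), cb, cfg);
        lc.login();
        return lc.getSubject();
    }
    public static void main(String[] args) {
        String module = args.length > 0 ? args[0] : DemoLoginModule.class.getName();
        for (String user : new String[] {"user1", "user2", ""}) {   // constructed sample names
            try {
                for (Principal p : login(module, user).getPrincipals())
                    System.out.println("'" + user + "' -> principal " + p.getName());
            } catch (LoginException e) { System.out.println("'" + user + "' -> rejected: " + e.getMessage()); }
        }
    }
}
```

To check a real module, put its jar on the classpath and pass its class name as the first argument; each sample name should yield its own principal and the empty name should be rejected.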