Debugging security issues on JBoss


When debugging security realm issues on JBoss EAP 6.2, I find it useful to turn on debugging on the following components:

Here's the corresponding configuration fragments for standalone.xml:

<logger category="org.jboss.security">
    <level name="DEBUG"/>
</logger>
<logger category="org.apache.catalina.realm">
    <level name="DEBUG"/>
</logger>
<logger category="org.apache.catalina.authenticator">
  <level name="DEBUG"/>
</logger>

Here's an example output from an HTTP HEAD request of a user who only has the "write" role, but "read" is required on the particular resource: On the client, I did:

$ curl -I -u john:<pass> http://localhost:8080/moccasin-webapp-1.0/

And my server.log now contained these useful messages:

14:04:32,004 DEBUG [org.apache.catalina.authenticator] (http-localhost.localdomain/127.0.0.1:8080-1) Security checking request HEAD /moccasin-webapp-1.0/
14:04:32,004 DEBUG [org.apache.catalina.realm] (http-localhost.localdomain/127.0.0.1:8080-1)   Checking constraint 'SecurityConstraint[All resources]' against HEAD /index.xhtml --> true
14:04:32,004 DEBUG [org.apache.catalina.realm] (http-localhost.localdomain/127.0.0.1:8080-1)   Checking constraint 'SecurityConstraint[All resources]' against HEAD /index.xhtml --> true
14:04:32,004 DEBUG [org.apache.catalina.authenticator] (http-localhost.localdomain/127.0.0.1:8080-1)  Calling hasUserDataPermission()
14:04:32,004 DEBUG [org.apache.catalina.realm] (http-localhost.localdomain/127.0.0.1:8080-1)   User data constraint has no restrictions
14:04:32,004 DEBUG [org.apache.catalina.authenticator] (http-localhost.localdomain/127.0.0.1:8080-1)  Calling authenticate()
14:04:32,037 DEBUG [org.apache.catalina.authenticator] (http-localhost.localdomain/127.0.0.1:8080-1) Authenticated 'john' with type 'BASIC'
14:04:32,037 DEBUG [org.apache.catalina.authenticator] (http-localhost.localdomain/127.0.0.1:8080-1)  Calling accessControl()
14:04:32,037 DEBUG [org.apache.catalina.realm] (http-localhost.localdomain/127.0.0.1:8080-1)   Checking roles GenericPrincipal[john(write,)]
14:04:32,043 DEBUG [org.apache.catalina.realm] (http-localhost.localdomain/127.0.0.1:8080-1) JBWEB000016: User [john] does not have role [read]
14:04:32,043 DEBUG [org.apache.catalina.realm] (http-localhost.localdomain/127.0.0.1:8080-1) No role found:  read
14:04:32,043 DEBUG [org.apache.catalina.authenticator] (http-localhost.localdomain/127.0.0.1:8080-1)  Failed accessControl() test

Licensed under CC BY Creative Commons License ~ ✉ torstein.k.johansen @ gmail ~ 🐘 @skybert@hachyderm.io ~ 🐦 @torsteinkrause