Well, Derek,

It seems the solution to your problem would be to learn and implement 
a Local interface to the CompanyHandlerBean. That would make it next 
to impossible for anything outside to be able to call it. It would 
only be accessible from within the same JVM. Now, other ways to 
secure the bean would be to firewall the machine and not allow access 
to the RMI lookup ports... but really, I think the best solution is 
to simply not implement a remote interface if you don't need one.

It'll improve performance a little too, although local access to RMI 
classes can be set up to perform like local interfaces too.

If you're talking about restricting access to your registercompany.jsp 
page, you'll have to go through the steps outlined in the other 
messages in this thread to put the .jsp page under a 
security-constraint, set up users and roles for your application, set 
up a login-config and a security domain, and protect that .jsp from 
access by anyone other than users with the declared roles you 
establish. Declarative security.

If you want help with that after you've gone through the steps, I'd be 
happy to expound more on it.

Cheers.

-Neal

On Sunday 27 October 2002 03:43 pm, Derek Lin wrote:
> I don't know whether what I am going to ask fits with this thread well.
> But my question is:
>
> Say I have a bean, named CompanyHandlerBean. I want only my web
> application (Tomcat or Jetty) to be able to call the methods (say
> registerCompany) in this bean. Now there is no login
> process. Any user can go to my registercompany.jsp page. How do I
> set up the security so that only my web application can access my
> CompanyHandlerBean?
>
> Basically, I don't want anyone who knows my IP and the name of the
> bean to call it from anywhere.
>
> Any help or pointers will be greatly appreciated.
>
> Thanks,
>
> Derek
> ----- Original Message -----
> From: "Neal Sanche" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; "John Snyder" <[EMAIL PROTECTED]>
> Sent: Sunday, October 27, 2002 10:58 AM
> Subject: Re: [JBoss-user] DatabaseServerLoginModule - failing authentication?
>
> > On Sunday 27 October 2002 12:26 pm, John Snyder wrote:
> > > Hello all,
> > > I am trying to use the DatabaseServerLoginModule with
> > > jboss-3.0.0_tomcat-4.0.3, using a FORM login. All I am trying
> > > to do at this point is to secure a JSP page called Office.jsp.
> > >
> > > When I try to go to the JSP page, the login page comes up, as
> > > expected based on the web.xml configuration. When I fill in the
> > > username and password (for j_username and j_password), then
> > > click the submit button (action="j_security_check"), the JBoss
> > > console displays, "Added PC_CloudscapeDbRealm,
> > > org.jboss.security.plugins.SecurityDomainContext@a631cc to
> > > map", which I believe is telling me that JBoss is applying the
> > > PC_CloudscapeDbRealm security realm, which is what I want.
> > >
> > > My problem is twofold:
> > >
> > > First, I am not authenticated when I log in with a
> > > username/password combination that should pass authentication
> > > (the combination is in my security table).
> >
> > Well, here's some information from an application that I've been
> > writing that seems to work just fine. In my web.xml I've
> > specified a security constraint that looks like this:
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>AdminApp</web-resource-name>
> >     <url-pattern>/admin/*</url-pattern>
> >     <http-method>POST</http-method>
> >     <http-method>GET</http-method>
> >   </web-resource-collection>
> >
> >   <auth-constraint>
> >     <role-name>admin</role-name>
> >   </auth-constraint>
> > </security-constraint>
> >
> > So notice that I've specified some <http-method> blocks. I don't
> > think it would make a difference, but you could try it (I don't
> > know of defaults).
> >
> > Also, my experience has been that if a page isn't protected with
> > a security constraint in an application, then the security
> > credentials won't be available to that page. I suppose it makes
> > sense, but it was unexpected behaviour to me. But that's probably
> > not your problem either.
> >
> > Now, my login-config in web.xml looks like this:
> >
> > <login-config>
> >   <auth-method>FORM</auth-method>
> >   <realm-name>Playground</realm-name>
> >   <form-login-config>
> >     <form-login-page>/login.jsp</form-login-page>
> >     <form-error-page>/loginError.jsp</form-error-page>
> >   </form-login-config>
> > </login-config>
> >
> > Again, yours is identical, modulo page and realm differences. So
> > that's not your problem either.
> >
> > In my jboss-web.xml file, I have something like this:
> >
> > <jboss-web>
> > <security-domain>java:/jaas/PLAYGROUND</security-domain>
> > ...
> > </jboss-web>
> >
> > Again, I think you're good. Now, in my login-config.xml file,
> > I've done things a little differently. I am using MySQL, and have
> > set up a MySqlDbRealm application-policy similar to your
> > CloudscapeDbRealm. My PLAYGROUND application-policy is similar to
> > yours, but it doesn't contain a managedConnectionFactoryName
> > option, and the flag is 'sufficient' in mine, instead of
> > required.
> >
> > <application-policy name="PLAYGROUND">
> >   <authentication>
> >     <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
> >                   flag="sufficient">
> >       <module-option name="dsJndiName">java:/MySqlDS</module-option>
> >       <module-option name="principalsQuery">SELECT Password FROM USERBASE_PRINCIPALS where PrincipalID=?</module-option>
> >       <module-option name="rolesQuery">SELECT Role, RoleGroup FROM USERBASE_ROLES where PrincipalID=?</module-option>
> >       <module-option name="unauthenticatedIdentity">guest</module-option>
> >     </login-module>
> >   </authentication>
> > </application-policy>
> >
> > Here the unauthenticatedIdentity doesn't seem to have any effect,
> > I just put it there to see if it would.
> >
> > I assume you've tested the SQL statements and they all work for
> > you. I can't see any major places that you may have made a
> > mistake.
> >
> > > Second, if authentication fails, I should be redirected to the
> > > failed login page specified in my web.xml file, but I am not --
> > > instead, the web browser just displays a Status 403 page,
> > > saying, "message Access to the requested resource has been
> > > denied" and "description Access to the specified resource
> > > (Access to the requested resource has been denied) has been
> > > forbidden." Can anyone please explain this behavior, and more
> > > importantly, how to fix it? The relevant configuration files
> > > are as follows (in relevant part):
> >
> > Well, I was getting this as well, and what you can do about it is
> > add a section to your web.xml file like the following:
> >
> >   <error-page>
> >     <error-code>403</error-code>
> >     <location>/authorizationError.jsp</location>
> >   </error-page>
> >
> > The only time I've been able to see the page specified by
> > <form-error-page> is if the Roles for a user are not sufficient.
> > If the username and password are incorrect, you'll get a 403
> > instead.
> >
> > I hope some of this helps you.
> >
> > Cheers.
> >
> > -Neal
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: ApacheCon, November 18-21 in
> > Las Vegas (supported by COMDEX), the only Apache event to be
> > fully supported by the ASF. http://www.apachecon.com
> > _______________________________________________
> > JBoss-user mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/jboss-user
>



_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
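The two things Neal recommends at the top of this thread, a local-only interface for CompanyHandlerBean and a security-constraint on registercompany.jsp, written out as one set of J2EE 1.3 / JBoss 3.0 deployment descriptors. This is an added example, not configuration posted by anyone in the thread: the com.example class names, the registrar role, the java:/jaas/COMPANY security domain, the local JNDI name and the page paths are all assumptions. Because ejb-jar.xml declares only a local-home and local interface (no home/remote), the container never creates an RMI view of the bean, so there is nothing for a caller outside the JVM to look up; the method-permission is a second layer so that even in-JVM code must carry the role. The web.xml constraint deliberately lists no http-method: under the Servlet 2.3 rules a constraint with no methods listed covers every method, whereas listing only GET and POST leaves the others unconstrained.

```xml
<!-- ejb-jar.xml: local view only; no <home>/<remote>, so no RMI stub is exported -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>CompanyHandlerBean</ejb-name>
      <!-- com.example.* names are assumptions for this example -->
      <local-home>com.example.CompanyHandlerLocalHome</local-home>
      <local>com.example.CompanyHandlerLocal</local>
      <ejb-class>com.example.CompanyHandlerBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- second layer: an in-JVM caller must also hold the 'registrar' role;
         JBoss enforces this only when jboss.xml names a security-domain -->
    <security-role>
      <role-name>registrar</role-name>
    </security-role>
    <method-permission>
      <role-name>registrar</role-name>
      <method>
        <ejb-name>CompanyHandlerBean</ejb-name>
        <method-name>registerCompany</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- jboss.xml: bind the local home and put the bean in the same JAAS domain (assumed names) -->
<jboss>
  <security-domain>java:/jaas/COMPANY</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>CompanyHandlerBean</ejb-name>
      <local-jndi-name>local/CompanyHandler</local-jndi-name>
    </session>
  </enterprise-beans>
</jboss>

<!-- web.xml: registercompany.jsp reachable only by authenticated 'registrar' users -->
<web-app>
  <!-- the thread reports a 403 on a bad username/password, so give it a page too -->
  <error-page>
    <error-code>403</error-code>
    <location>/authorizationError.jsp</location>
  </error-page>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CompanyRegistration</web-resource-name>
      <url-pattern>/registercompany.jsp</url-pattern>
      <!-- no <http-method> listed: the constraint applies to every method -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>registrar</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Company</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>registrar</role-name>
  </security-role>
  <!-- the JSP reaches the bean through java:comp/env/ejb/CompanyHandler;
       ejb-link resolves to the bean above when both are packaged in one EAR -->
  <ejb-local-ref>
    <ejb-ref-name>ejb/CompanyHandler</ejb-ref-name>
    <ejb-ref-type>Session</ejb-ref-type>
    <local-home>com.example.CompanyHandlerLocalHome</local-home>
    <local>com.example.CompanyHandlerLocal</local>
    <ejb-link>CompanyHandlerBean</ejb-link>
  </ejb-local-ref>
</web-app>

<!-- jboss-web.xml: route the web application's FORM logins to the same JAAS domain -->
<jboss-web>
  <security-domain>java:/jaas/COMPANY</security-domain>
</jboss-web>
```

The login-config.xml application-policy for java:/jaas/COMPANY is the DatabaseServerLoginModule block already quoted in this thread, renamed; the role rows it returns must use the same role-name (registrar here) that web.xml and ejb-jar.xml declare, or the caller authenticates and still receives 403.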
