Re: [JBoss-user] DatabaseServerLoginModule - failing authentication?

2002-10-27 Thread Neal Sanche
On Sunday 27 October 2002 12:26 pm, John Snyder wrote:
 Hello all,
 I am trying to use the DatabaseServerLoginModule with
 jboss-3.0.0_tomcat-4.0.3, using a FORM login. All I am trying to do
 at this point is to secure a JSP page called Office.jsp.

 When I try to go to the JSP page, the login page comes up, as
 expected based on the web.xml configuration. When I fill in the
 username and password (for j_username and j_password), then click
 the submit button (action=j_security_check), the JBoss console
 displays "Added PC_CloudscapeDbRealm,
 org.jboss.security.plugins.SecurityDomainContext@a631cc to map",
 which I believe is telling me that JBoss is applying the
 PC_CloudscapeDbRealm security realm, which is what I want.

 My problem is twofold:

 First, I am not authenticated when I log in with a
 username/password combination that should pass authentication (the
 combination is in my security table).

Well, here's some information from an application that I've been 
writing that seems to work just fine. In my web.xml I've specified a 
security constraint that looks like this:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>AdminApp</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>

  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

So notice that I've specified some http-method blocks. I don't think 
it would make a difference, but you could try it (I don't know of 
defaults).

Also, my experience has been that if a page isn't protected with a 
security constraint in an application, then the security credentials 
won't be available to that page. I suppose it makes sense, but it was 
unexpected behaviour to me. But that's probably not your problem 
either.

Now, my login-config in web.xml looks like this:

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Playground</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

Again, yours is identical, modulo page and realm differences. So 
that's not your problem either.

In my jboss-web.xml file, I have something like this:

<jboss-web>
  <security-domain>java:/jaas/PLAYGROUND</security-domain>
  ...
</jboss-web>

Again, I think you're good. Now, in my login-config.xml file, I've 
done things a little differently. I am using MySQL, and have set up a 
MySqlDbRealm application-policy similar to your CloudscapeDbRealm. My 
PLAYGROUND application-policy is similar to yours, but it doesn't 
contain a managedConnectionFactoryName option, and the flag is 
'sufficient' in mine, instead of required.

<application-policy name="PLAYGROUND">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="sufficient">
      <module-option name="dsJndiName">java:/MySqlDS</module-option>
      <module-option name="principalsQuery">SELECT Password FROM USERBASE_PRINCIPALS where PrincipalID=?</module-option>
      <module-option name="rolesQuery">SELECT Role, RoleGroup FROM USERBASE_ROLES where PrincipalID=?</module-option>
      <module-option name="unauthenticatedIdentity">guest</module-option>
    </login-module>
  </authentication>
</application-policy>

Here the unauthenticatedIdentity doesn't seem to have any effect, I 
just put it there to see if it would.

I assume you've tested the SQL statements and they all work for you. I 
can't see any major places that you may have made a mistake.

 Second, if authentication fails, I should be redirected to the
 failed login page specified in my web.xml file, but I am not --
 instead, the web browser just displays a Status 403 page, saying,
 message "Access to the requested resource has been denied" and
 description "Access to the specified resource (Access to the
 requested resource has been denied) has been forbidden." Can anyone
 please explain this behavior, and more importantly, how to fix it?
 The relevant configuration files are as follows (in relevant part):

Well, I was getting this as well, and what you can do about it is add 
a section to your web.xml file like the following:

  <error-page>
    <error-code>403</error-code>
    <location>/authorizationError.jsp</location>
  </error-page>

The only time I've been able to see the page specified by 
form-error-page is if the Roles for a user are not sufficient. If 
the username and password are incorrect, you'll get a 403 instead.

I hope some of this helps you.

Cheers.

-Neal



---
This SF.net email is sponsored by: ApacheCon, November 18-21 in
Las Vegas (supported by COMDEX), the only Apache event to be
fully supported by the ASF. http://www.apachecon.com
___
JBoss-user mailing list
[EMAIL PROTECTED]

Re: [JBoss-user] DatabaseServerLoginModule - failing authentication?

2002-10-27 Thread Neal Sanche
 Well, I was getting this as well, and what you can do about it is
 add a section to your web.xml file like the following:

   <error-page>
     <error-code>403</error-code>
     <location>/authorizationError.jsp</location>
   </error-page>

 The only time I've been able to see the page specified by
 form-error-page is if the Roles for a user are not sufficient. If
 the username and password are incorrect, you'll get a 403 instead.

Or, the other way around, now that I think about it more.

-Neal
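The two messages above (the login-config.xml with its 'sufficient' flag and unauthenticatedIdentity option, and the 403-versus-form-error-page question) are easier to reason about with the container's decisions written out. The following is an added example, not code from this thread, from JBoss or from Tomcat: it rebuilds Neal's two tables in SQLite with constructed users, uses his two queries verbatim, adds a hypothetical AlwaysFailModule as a second module in the stack, and stands in for the container's FORM authenticator with Neal's page names. Under the servlet FORM-login contract a failed j_security_check goes to the form-error-page, while a 403 is what an authenticated user gets when none of their roles satisfy the auth-constraint, which is what the model below encodes.

```python
"""Model of the JAAS login-module stack and the FORM-login outcomes
discussed above. Added example, not code from the thread, JBoss or
Tomcat: the tables and users are constructed here, AlwaysFailModule is a
hypothetical second module, and request_office_page stands in for the
container's FORM authenticator using Neal's page names."""
import hmac
import sqlite3

# The two queries from Neal's login-config.xml, parameterised as he wrote them.
PRINCIPALS_QUERY = "SELECT Password FROM USERBASE_PRINCIPALS WHERE PrincipalID=?"
ROLES_QUERY = "SELECT Role, RoleGroup FROM USERBASE_ROLES WHERE PrincipalID=?"


def build_db():
    """Constructed sample data: alice holds the 'admin' role, bob does not."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE USERBASE_PRINCIPALS (PrincipalID TEXT PRIMARY KEY, Password TEXT);
        CREATE TABLE USERBASE_ROLES (PrincipalID TEXT, Role TEXT, RoleGroup TEXT);
        INSERT INTO USERBASE_PRINCIPALS VALUES ('alice', 'secret1'), ('bob', 'secret2');
        INSERT INTO USERBASE_ROLES VALUES ('alice', 'admin', 'Roles'),
                                          ('alice', 'alice', 'CallerPrincipal'),
                                          ('bob', 'user', 'Roles');
    """)
    return db


class DbLoginModule:
    """Stand-in for DatabaseServerLoginModule: check the password with
    principalsQuery, then collect roles with rolesQuery."""

    def __init__(self, db, unauthenticated_identity=None):
        self.db = db
        self.unauthenticated_identity = unauthenticated_identity

    def login(self, username, password):
        """Return (ok, principal, roles)."""
        if username is None:
            # unauthenticatedIdentity only covers requests that carry no
            # username at all; a wrong password never falls back to it.
            if self.unauthenticated_identity is None:
                return False, None, set()
            return True, self.unauthenticated_identity, set()
        row = self.db.execute(PRINCIPALS_QUERY, (username,)).fetchone()
        # Unknown user or mismatch both fail; compare in constant time. The
        # table stores plaintext passwords, as the query implies; hash them
        # in any real deployment.
        if row is None or not hmac.compare_digest(
                row[0].encode(), (password or "").encode()):
            return False, None, set()
        # Only rows whose RoleGroup is 'Roles' become roles; other groups
        # carry a different meaning and are ignored here.
        roles = {role for role, group in self.db.execute(ROLES_QUERY, (username,))
                 if group == "Roles"}
        return True, username, roles


class AlwaysFailModule:
    """Hypothetical second module in the stack that never authenticates."""

    def login(self, username, password):
        return False, None, set()


def login_stack(modules, username, password):
    """Combine (flag, module) pairs with the JAAS flag rules: required and
    requisite must succeed (requisite stops at once), a successful
    sufficient module ends the stack unless an earlier required one failed,
    optional never decides the outcome."""
    required_failed = False
    any_success = False
    principal, roles = None, set()
    for flag, module in modules:
        ok, who, granted = module.login(username, password)
        if ok:
            any_success = True
            principal = principal or who
            roles = roles | granted
            if flag == "sufficient" and not required_failed:
                break  # later modules are never consulted
        elif flag in ("required", "requisite"):
            required_failed = True
            if flag == "requisite":
                break
    if any_success and not required_failed:
        return True, principal, roles
    return False, None, set()


def request_office_page(modules, username, password, constraint_role="admin"):
    """Outcome of j_security_check followed by the protected page: the
    form-error-page when login fails, the mapped 403 error-page when the
    login succeeded but the auth-constraint role is missing, else the page."""
    ok, principal, roles = login_stack(modules, username, password)
    if not ok:
        return "302 /loginError.jsp"
    if constraint_role not in roles:
        return "403 /authorizationError.jsp"
    return "200 /Office.jsp as " + principal


if __name__ == "__main__":
    module = DbLoginModule(build_db(), unauthenticated_identity="guest")
    stack = [("required", module)]
    print(request_office_page(stack, "alice", "secret1"))  # 200 /Office.jsp as alice
    print(request_office_page(stack, "alice", "wrong"))    # 302 /loginError.jsp
    print(request_office_page(stack, "bob", "secret2"))    # 403 /authorizationError.jsp
    print(request_office_page(stack, None, None))          # 403 /authorizationError.jsp
    # A sufficient module ahead of a required one short-circuits the stack.
    bypass = [("sufficient", module), ("required", AlwaysFailModule())]
    print(login_stack(bypass, "alice", "secret1")[0])      # True
```

Two things the model makes visible that the XML alone does not: unauthenticatedIdentity only applies when no username is presented, so a wrong password in the form still fails rather than turning into 'guest' (which is why it showed no effect in Neal's test); and a 'sufficient' module listed before a 'required' one ends the stack on success, so anything the later module was supposed to enforce is never checked.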


Re: [JBoss-user] DatabaseServerLoginModule - failing authentication?

2002-10-27 Thread Derek Lin
I don't know what I am going to ask fits with this thread well.  But my
question is:

Say I have a bean named CompanyHandlerBean. I want only my web application
(Tomcat or Jetty) to be able to call the methods (say registerCompany) in this
bean. Now there is no login process: any user can go to my registercompany.jsp
page. How do I set up the security so that only my web application can access
my CompanyHandlerBean?

Basically, I don't want anyone who knows my IP and the name of the bean to
call it from anywhere.

Any help or pointers will be greatly appreciated.

Thanks,

Derek
- Original Message -
From: Neal Sanche [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; John Snyder [EMAIL PROTECTED]
Sent: Sunday, October 27, 2002 10:58 AM
Subject: Re: [JBoss-user] DatabaseServerLoginModule - failing
authentication?



Re: [JBoss-user] DatabaseServerLoginModule - failing authentication?

2002-10-27 Thread Neal Sanche
Well, Derek,

It seems the solution to your problem would be to learn and implement 
a Local interface to the CompanyHandlerBean. That would make it next 
to impossible for anything outside to be able to call it. It would 
only be accessible from within the same JVM. Now, other ways to 
secure the bean would be to firewall the machine and not allow access 
to the RMI lookup ports... but really, I think the best solution is 
to simply not implement a remote interface if you don't need one.

It'll improve performance a little too, although local access to RMI 
classes can be set up to perform like local interfaces too.

If you're talking about restricting access to your registercompany.jsp 
page, you'll have to go through the steps outlined in the other 
messages in this thread to put the .jsp page under a 
security-constraint, set up users and roles for your application, set 
up a login-config and a security domain, and protect that .jsp from 
access by anyone other than users with the declared roles you 
establish. Declarative security.

If you want help with that after you've gone through the steps, I'd be 
happy to expound more on it.

Cheers.

-Neal

On Sunday 27 October 2002 03:43 pm, Derek Lin wrote:
Re: [JBoss-user] DatabaseServerLoginModule - failing authentication?

2002-10-27 Thread Derek Lin
Neal,

Thanks for your pointers and the offer for further help.

Implementing only the local interface might solve my problem. But doesn't
that defeat the whole remote-access and portability (a bean can be
anywhere) idea behind EJBs? What if I host the bean on a different box
than the one my web app resides on? (Would that cause problems with
clustering too? I'm thinking ahead here.)

How are people doing this in production environments? Using a firewall, IP
detection...?

(I'll address my questions to you when I have problems with the
DatabaseServerLoginModule implementation. Thanks.)

-- Derek
- Original Message -
From: Neal Sanche [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Derek Lin [EMAIL PROTECTED]
Sent: Sunday, October 27, 2002 4:55 PM
Subject: Re: [JBoss-user] DatabaseServerLoginModule - failing
authentication?

