Bugs item #529880, was opened at 2002-03-14 14:49
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=376685&aid=529880&group_id=22866

Category: CatalinaBundle
Group: v3.0 Rabbit Hole
Status: Open
Resolution: None
Priority: 5
Submitted By: Mike Finn (mikefinn)
Assigned to: Scott M Stark (starksm)
Summary: TCat 4.0.2: auth does not work, Jetty OK

Initial Comment:
Form based authentication does not appear to work in 
embedded Tomcat, but does with Jetty.

OS: Win NT
JVM: 1.3.01
JBoss: 3.0 Beta distros from SF (Jetty and Tomcat).

I have a web app that uses FORM based authentication. 
jboss-web.xml and auth.conf are set up to use 
UserRolesLoginModule.

In both Jetty and Tomcat builds, when I deploy the app 
in Jetty and attempt to access a protected resource, I 
get my login form. When I log in to the Jetty instance 
with the correct user/password, I get the requested 
(protected) page. When I do the same with Tomcat, I 
get a 403/access denied error page (NOT my form-error-
page).

Both Jetty and Tomcat instances have the same 
auth.conf, user.properties, and roles.properties files.

I also tested this with standalone Tomcat 4.0.2 (which 
uses a tomcat-user file that has the same 
user/password/roles as JBoss/Tomcat|Jetty). This 
configuration works.

Mike

----------------------------------------------------------------------

Comment By: Maurice Schoenmakers (maurice_s)
Date: 2002-04-26 08:14

Message:
Logged In: YES 
user_id=526908

Well, after a while of debugging, I figured out that the 
problem is caused by different 
org.jboss.security.SecurityAssociation classes. 

The current embedded Catalina code sets a single 
JBossSecurityMgrRealm for all deployed web apps. After 
authentication the principal & credential information is 
set globally using statics in the class 
org.jboss.security.SecurityAssociation (to transfer it to 
the server (easy for sniffers?!)).
 
Unfortunately there are multiple 
org.jboss.security.SecurityAssociation classes available:
The current code sets the information in the class of the 
global lib/jbosssx.jar, because the JBossSecurityMgrRealm 
does not use the correct ClassLoader. Each web app has its 
own org.jboss.security.SecurityAssociation class, which is 
not accessed by the JBossSecurityMgrRealm (if you include 
the client jars in your war file). Thus the 
principal & credential information is never set in the 
correct class and thus never transferred to the server.

After changing the embedding code to set a new 
JBossSecurityMgrRealm for each deployed web app in the 
contextInit() method, things worked fine for me. (I'm not 
sure how this affects single sign-on across multiple web 
apps?)

----------------------------------------------------------------------
