I have a small web application (just a tutorial) that I want to secure with
JAAS on Jboss, but it seems I have missed something somewhere, so the
authentication is always failing, sending me to the login-error.jsp page I have
created and mapped. See code below.
My environment:
Jboss 5.0.0GA, Eclipse Ganymede, MySql 5.1.30-community, Windows Vista
A. The Code
1. database
Principals table:
CREATE TABLE Principals (
PrincipalID VARCHAR (64) PRIMARY KEY,
Password VARCHAR (64)
)
Roles Table:
CREATE TABLE Roles (
PrincipalId varchar(255) NOT NULL default '',
Role varchar(255) NOT NULL default '',
RoleGroup varchar(255) NOT NULL default '',
PRIMARY KEY(PrincipalId)
)
2. login-config.xml
<application-policy name="formbasedPolicyDomainDb">
<login-module
code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag="required">
<module-option name="dsJndiName">java:/mysqlDs</module-option>
<module-option name="principalsQuery">
select Password from Principals where
PrincipalID=?</module-option>
<module-option name="rolesQuery">
select Role 'Roles', RoleGroup 'RoleGroups' from Roles
where PrincipalId=?</module-option>
</login-module>
</application-policy>
3. jboss-web.xml
<jboss-web>
<security-domain>java:/jaas/formbasedPolicyDomainDb</security-domain>
<resource-ref>
<res-ref-name>jdbc/mysqlDs</res-ref-name>
<jndi-name>java:/jdbc/mysqlDs</jndi-name>
</resource-ref>
</jboss-web>
4. web.xml
<resource-ref>
<!-- Mysql Datasource mapping -->
<res-ref-name>jdbc/mysqlDs</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted to Secure role</web-resource-name>
<!-- Declarative security -->
<url-pattern>/admin/*</url-pattern>
<http-method>HEAD</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted to Secure role</web-resource-name>
<!-- Declarative security -->
<url-pattern>/client/*</url-pattern>
<http-method>HEAD</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Client</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>Admin</role-name>
</security-role>
<security-role>
<role-name>User</role-name>
</security-role>
<security-role>
<role-name>Client</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login-error.jsp</form-error-page>
</form-login-config>
</login-config>
Note that I have the data source with JNDI name jdbc/mysqlDs mapped in
Mysql-ds.xml, deployed in the Jboss_home/../deploy directory.
5. Index.jsp
('<' intentionally removed from a href to display the code rather than an
actual link)
a href="<%= request.getContextPath() %>/admin/admin.jsp">Admin Page
a href="<%= request.getContextPath() %>/client/client.jsp">Client Page
a href="<%= request.getContextPath() %>/logout.jsp">Log out
When a user tries to go to either admin.jsp or client.jsp, they are correctly
redirected to login.jsp if they are not logged in.
6. Login.jsp
(close and opened tags intentionally removed to display the code rather than
the actual html page)
html
head title login page title head
body
form method="POST" action="j_security_check"
Username: input type="text" name="j_username"
Password: input type="password" name="j_password"
input type="submit" value="Login"
form
body
html
The issue:
The authentication does not work; it always sends me to login-error.jsp, mapped
in web.xml.
I don't know what j_security_check is, and I can't seem to tie it in with my login
module DatabaseServerLoginModule defined in login-config.xml.
I have seen elsewhere that I may need to write a callback handler, but how do I
tie it in with j_security_check and my login module?
Please help:
Here is the output from my Jboss log. I have enabled security logging so I can
see the username being authenticated. user3 below in the log has the role
called Client in the Roles table, and this Client role is mapped correctly in
web.xml.
If you wish to see my war file, please email me at dooze77 at gmail dot com
2009-07-18 06:57:07,180 DEBUG [org.apache.catalina.realm.RealmBase]
(http-127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted to
Secure role]' against GET /client/client.jsp --> false
2009-07-18 06:57:07,180 DEBUG [org.apache.catalina.realm.RealmBase]
(http-127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted to
Secure role]' against GET /client/client.jsp --> true
2009-07-18 06:57:07,180 DEBUG [org.apache.catalina.realm.RealmBase]
(http-127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted to
Secure role]' against GET /client/client.jsp --> false
2009-07-18 06:57:07,181 DEBUG [org.apache.catalina.realm.RealmBase]
(http-127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted to
Secure role]' against GET /client/client.jsp --> true
2009-07-18 06:57:07,181 DEBUG
[org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1)
Calling hasUserDataPermission()
2009-07-18 06:57:07,181 DEBUG [org.apache.catalina.realm.RealmBase]
(http-127.0.0.1-8080-1) User data constraint has no restrictions
2009-07-18 06:57:07,184 DEBUG
[org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1)
Calling authenticate()
2009-07-18 06:57:07,184 DEBUG
[org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-1)
Save request in session '1A8034E59C5FF30260B6699B53356B69'
2009-07-18 06:57:07,205 DEBUG
[org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/JAASFormAuth].[jsp]]
(http-127.0.0.1-8080-1) Disabling the response for futher output
2009-07-18 06:57:07,205 DEBUG
[org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1)
Failed authenticate() test
2009-07-18 06:57:16,864 DEBUG [org.apache.catalina.connector.CoyoteAdapter]
(http-127.0.0.1-8080-1) Requested cookie session id is
1A8034E59C5FF30260B6699B53356B69
2009-07-18 06:57:16,865 DEBUG
[org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1)
Security checking request POST /JAASFormAuth/client/j_security_check
2009-07-18 06:57:16,866 DEBUG
[org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-1)
Authenticating username 'user3'
2009-07-18 06:57:16,873 DEBUG
[org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/JAASFormAuth].[jsp]]
(http-127.0.0.1-8080-1) Disabling the response for futher output
2009-07-18 06:57:16,873 DEBUG
[org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1)
Failed authenticate() test ??/JAASFormAuth/client/j_security_check
2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase]
(ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions
StandardManager at 1247925469443 sessioncount 0
2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase]
(ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions
StandardManager processingTime 0 expired sessions: 0
2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase]
(ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions
StandardManager at 1247925469443 sessioncount 0
2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase]
(ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions
StandardManager processingTime 0 expired sessions: 0
2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase]
(ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions
StandardManager at 1247925469443 sessioncount 0
View the original post:
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4244472#4244472
Reply to the post:
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4244472
_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
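As an added check that is not part of the original post or of JBoss, the Python below rebuilds the posted Principals/Roles schema in an in-memory SQLite database (standing in for the MySQL datasource; the passwords and the user4 row are constructed) and replays the two module-option queries the way DatabaseServerLoginModule evaluates them, so the database side of the login can be verified apart from the container. It also shows that only roles filed under the group named "Roles" count toward the web.xml auth-constraint checks.

```python
# Added example (not from the post or JBoss): rebuilds the post's schema in
# an in-memory SQLite database standing in for the MySQL datasource, loads
# constructed rows, and replays the exact principalsQuery / rolesQuery text
# the way DatabaseServerLoginModule uses it.
import hmac
import sqlite3

# Module-option queries, copied verbatim from login-config.xml.
PRINCIPALS_QUERY = "select Password from Principals where PrincipalID=?"
ROLES_QUERY = ("select Role 'Roles', RoleGroup 'RoleGroups' from Roles "
               "where PrincipalId=?")
# Tables from the post; PRIMARY KEY(PrincipalId) allows one role row per user.
SCHEMA = """
CREATE TABLE Principals (PrincipalID VARCHAR(64) PRIMARY KEY, Password VARCHAR(64));
CREATE TABLE Roles (PrincipalId varchar(255) NOT NULL default '',
                    Role varchar(255) NOT NULL default '',
                    RoleGroup varchar(255) NOT NULL default '',
                    PRIMARY KEY(PrincipalId));
"""
# Constructed rows with hypothetical passwords; user3 mirrors the post,
# user4 has its role filed under a group other than "Roles".
SAMPLE_ROWS = [("user3", "secret3", "Client", "Roles"),
               ("user4", "secret4", "Admin", "Extra")]

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for user, password, role, group in SAMPLE_ROWS:
        conn.execute("INSERT INTO Principals VALUES (?, ?)", (user, password))
        conn.execute("INSERT INTO Roles VALUES (?, ?, ?)", (user, role, group))
    return conn

def authenticate(conn, username, password):
    """Step 1: principalsQuery must return the stored password, compared with
    the submitted one (plain text unless the hashAlgorithm option is set)."""
    row = conn.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None:  # unknown user: the login simply fails
        return False
    return hmac.compare_digest(row[0], password)

def role_groups(conn, username):
    """Step 2: each rolesQuery row is (role, group), collected per group."""
    groups = {}
    for role, group in conn.execute(ROLES_QUERY, (username,)):
        groups.setdefault(group, set()).add(role)
    return groups

def web_roles(conn, username):
    """Only the group named "Roles" feeds web.xml <auth-constraint> checks."""
    return role_groups(conn, username).get("Roles", set())
```

Running the same two query strings against the real MySQL datasource with the username from the log tells you whether the failure is on the database side (no row, wrong password column, or role not in the "Roles" group) before looking at the container configuration.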