I have the identical problem with JBoss 4.0.4, and I do have the correct DTD. The only way I can get JBoss to see my application policy is if I call it jboss.web in login-config.xml -- I noticed that I get a message

[JAASRealm] Set JAAS app name jboss.web

every time I start my app. Trying to do things the "right" way, I have for my login-config.xml:

| <?xml version='1.0'?>
| <!DOCTYPE policy PUBLIC
|       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
|       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
|
| <!-- The XML based JAAS login configuration read by the
| org.jboss.security.auth.login.XMLLoginConfig mbean. Add
| an application-policy element for each security domain.
|
| The outline of the application-policy is:
| <application-policy name="security-domain-name">
|   <authentication>
|     <login-module code="login.module1.class.name" flag="control_flag">
|       <module-option name = "option1-name">option1-value</module-option>
|       <module-option name = "option2-name">option2-value</module-option>
|       ...
|     </login-module>
|
|     <login-module code="login.module2.class.name" flag="control_flag">
|       ...
|     </login-module>
|     ...
|   </authentication>
| </application-policy>
|
| -->
|
| <policy>
|     <!-- Used by clients within the application server VM such as
|     mbeans and servlets that access EJBs.
|     -->
|     <application-policy name = "client-login">
|        <authentication>
|           <login-module code = "org.jboss.security.ClientLoginModule"
|              flag = "required">
|              <!-- Any existing security context will be restored on logout -->
|              <module-option name="restore-login-identity">true</module-option>
|           </login-module>
|        </authentication>
|     </application-policy>
|
|     <!-- Security domain for JBossMQ -->
|     <application-policy name = "jbossmq">
|        <authentication>
|           <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
|              flag = "required">
|              <module-option name = "unauthenticatedIdentity">guest</module-option>
|              <module-option name = "dsJndiName">java:/DefaultDS</module-option>
|              <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
|              <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
|           </login-module>
|        </authentication>
|     </application-policy>
|
|     <!-- Security domain for JBossMQ when using file-state-service.xml
|     <application-policy name = "jbossmq">
|        <authentication>
|           <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
|              flag = "required">
|              <module-option name = "unauthenticatedIdentity">guest</module-option>
|              <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
|           </login-module>
|        </authentication>
|     </application-policy>
|     -->
|
|     <!-- Security domains for testing new jca framework -->
|     <application-policy name = "HsqlDbRealm">
|        <authentication>
|           <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
|              flag = "required">
|              <module-option name = "principal">sa</module-option>
|              <module-option name = "userName">sa</module-option>
|              <module-option name = "password"></module-option>
|              <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
|           </login-module>
|        </authentication>
|     </application-policy>
|
|     <application-policy name = "JmsXARealm">
|        <authentication>
|           <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
|              flag = "required">
|              <module-option name = "principal">guest</module-option>
|              <module-option name = "userName">guest</module-option>
|              <module-option name = "password">guest</module-option>
|              <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
|           </login-module>
|        </authentication>
|     </application-policy>
|
|     <!-- A template configuration for the jmx-console web application. This
|       defaults to the UsersRolesLoginModule the same as other and should be
|       changed to a stronger authentication mechanism as required.
|     -->
|     <application-policy name = "jmx-console">
|        <authentication>
|           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
|              flag = "required">
|              <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
|              <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
|           </login-module>
|        </authentication>
|     </application-policy>
|
|     <!-- A template configuration for the web-console web application. This
|       defaults to the UsersRolesLoginModule the same as other and should be
|       changed to a stronger authentication mechanism as required.
|     -->
|     <application-policy name = "$webConsoleDomain">
|        <authentication>
|           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
|              flag = "required">
|              <module-option name="usersProperties">web-console-users.properties</module-option>
|              <module-option name="rolesProperties">web-console-roles.properties</module-option>
|           </login-module>
|        </authentication>
|     </application-policy>
|
|     <!-- A template configuration for the JBossWS web application (and transport layer!).
|       This defaults to the UsersRolesLoginModule the same as other and should be
|       changed to a stronger authentication mechanism as required.
|     -->
|     <application-policy name="JBossWS">
|        <authentication>
|           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
|              flag="required">
|              <module-option name="usersProperties">props/jbossws-users.properties</module-option>
|              <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
|              <module-option name="unauthenticatedIdentity">anonymous</module-option>
|           </login-module>
|        </authentication>
|     </application-policy>
|
|     <!-- The default login configuration used by any security domain that
|     does not have an application-policy entry with a matching name
|     -->
|     <application-policy name = "other">
|        <!-- A simple server login module, which can be used when the number
|        of users is relatively small. It uses two properties files:
|        users.properties, which holds users (key) and their password (value).
|        roles.properties, which holds users (key) and a comma-separated list of
|        their roles (value).
|        The unauthenticatedIdentity property defines the name of the principal
|        that will be used when a null username and password are presented as is
|        the case for an unauthenticated web client or MDB. If you want to
|        allow such users to be authenticated add the property, e.g.,
|        unauthenticatedIdentity="nobody"
|        -->
|        <authentication>
|           <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
|              flag = "required" />
|        </authentication>
|     </application-policy>
|
|     <!-- Security domain for WebApp. It must be called jboss.web until I figure this out... -->
|     <application-policy name = "webappDomain">
|        <authentication>
|           <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
|              flag = "required">
|              <module-option name = "dsJndiName">java:jdbc/web</module-option>
|              <module-option name = "principalsQuery">select password from Users where username=?</module-option>
|              <module-option name = "rolesQuery">select Role, 'Roles' from Roles where username=?</module-option>
|              <module-option name = "unauthenticatedIdentity">guest</module-option>
|           </login-module>
|        </authentication>
|     </application-policy>
| </policy>

where webappDomain is the one I'm interested in. I notice that most of the application policies here are not bound into JNDI java:jaas (as shown by JNDIView) the way I would expect. In fact, the only ones I see are HsqlDbRealm, jbossmq, JmsXARealm, and (strangely) a java:jaas *under* the jaas branch.

For completeness, here is jboss-web.xml as well:

| <?xml version="1.0" encoding="UTF-8"?>
| <jboss-web>
|     <security-domain>java:jaas/webappDomain</security-domain>
|     <context-root>/web</context-root>
|     <!-- Setup by JBoss container instead.
|     <resource-ref>
|         <res-ref-name>jdbc/web</res-ref-name>
|         <res-type>javax.sql.DataSource</res-type>
|         <jndi-name>java:jdbc/web</jndi-name>
|     </resource-ref>
|     -->
| </jboss-web>

I have also tried editing jboss.xml, though I am not actually using this for EJBs yet. I package everything in an EAR.

| <?xml version="1.0" encoding="UTF-8"?>
| <jboss>
|     <security-domain>java:jaas/webappDomain</security-domain>
|
|     <!-- Sets default container configuration for all entity beans -->
|     <container-configurations>
|         <container-configuration>
|             <!--
|             <container-name>Standard CMP 2.x EntityBean</container-name>
|             -->
|             <container-name>Standard CMP 2.x EntityBean with cache invalidation</container-name>
|             <!-- Commit option A is already present for certain container configs -->
|             <commit-option>A</commit-option>
|             <!-- There are issues with cache invalidation and custom primary key classes. -->
|             <cache-invalidation>true</cache-invalidation>
|             <cache-invalidation-config>
|                 <invalidation-group-name>webGroup</invalidation-group-name>
|             </cache-invalidation-config>
|         </container-configuration>
|     </container-configurations>
|
|     <enterprise-beans>
|         <entity>
|             <ejb-name>AccountCategoryPricing</ejb-name>
|             <read-only>True</read-only>
|         </entity>
|         <entity>
|             <ejb-name>ProductData</ejb-name>
|             <read-only>True</read-only>
|         </entity>
|     </enterprise-beans>
| </jboss>

Any help would be appreciated.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4005441#4005441
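
An added example, not part of the original post and not JBoss code: a small audit script that reports which application-policy a descriptor's security-domain would match by name, whether it would fall through to the "other" policy described in the login-config.xml comment, and whether the matched policy admits an unauthenticatedIdentity. It assumes the policy name is the last segment of the java:jaas/... name; the XML strings are constructed samples using names from the post, and it does not model the JAASRealm "jboss.web" behaviour the post reports.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed login-config.xml using policy names from the post.
LOGIN_CONFIG = """<policy>
  <application-policy name="other">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
  <application-policy name="webappDomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">guest</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

JBOSS_WEB = "<jboss-web><security-domain>java:jaas/webappDomain</security-domain></jboss-web>"


def policy_name(security_domain):
    """Assumption: the policy name is the last segment of the java:jaas/... JNDI name."""
    return security_domain.strip().rsplit("/", 1)[-1]


def resolve(login_config_xml, descriptor_xml):
    """Return (requested, matched, guest_identities) for a descriptor's security-domain."""
    policies = {p.get("name"): p for p in ET.fromstring(login_config_xml).iter("application-policy")}
    domain = ET.fromstring(descriptor_xml).findtext("security-domain")
    if domain is None:
        return None, None, []
    wanted = policy_name(domain)
    # Per the comment in login-config.xml, "other" serves domains with no matching entry.
    matched = wanted if wanted in policies else ("other" if "other" in policies else None)
    guests = []
    if matched:
        guests = [o.text for o in policies[matched].iter("module-option")
                  if o.get("name") == "unauthenticatedIdentity"]
    return wanted, matched, guests


if __name__ == "__main__":
    print(resolve(LOGIN_CONFIG, JBOSS_WEB))
```

A result whose matched policy is "other" while a different name was requested means the domain's own login modules would not be the ones consulted, which is worth checking before relying on the role queries in the intended policy.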
