Hi,
 
I'm trying to authenticate servlets against a JBoss realm. I've got the servlets and JSP authenticating against the org.apache.tomcat.request.SimpleRealm and tomcat-users.xml file. This works fine. But I now want to go to the next step and authenticate against a JBoss realm. Hence I've commented out the Tomcat security realm request interceptor from server.xml:
 
<!--
        <RequestInterceptor
            className="org.apache.tomcat.request.SimpleRealm"
            debug="0" />
 -->
 
       <!-- JBoss, Map the current web user to the SecurityAssociation principal. -->
       <RequestInterceptor className="org.jboss.tomcat.security.JbossRealm" />

I have changed my jboss.properties to point to tomcat/auth.conf:
 
java.security.auth.login.config==file:../conf/tomcat/auth.conf
 
My auth.conf looks as follows:
 
simple {
    org.jboss.security.plugins.samples.SimpleServerLoginModule required;
};
 
other {
    org.jboss.security.plugins.samples.JaasServerLoginModule required;
};
 
The security sections in my jboss.jcml file look as follows:
 
  <!-- Security -->
 
  <!-- Uncomment to enable the sample SRPVerifierStore service
  <mbean code="org.jboss.security.plugins.SRPVerifierStoreService" name="Security:name=SRPVerifierStoreService">
    <attribute name="JndiName">SRPDefaultVerifierSource</attribute>
    <attribute name="StoreFile">SRPVerifierStore.ser</attribute>
  </mbean>
-->
  <!-- Uncomment to enable the SRP login service
  <mbean code="org.jboss.security.plugins.SRPService" name="service:name=SRPService">
    <attribute name="JndiName">SRPServerInterface</attribute>
    <attribute name="VerifierSourceJndiName">SRPDefaultVerifierSource</attribute>
    <attribute name="AuthenticationCacheJndiName">SRPAuthenticationCache</attribute>
    <attribute name="ServerPort">10099</attribute>
  </mbean>
-->
 
  <!-- JAAS security manager and realm mapping -->
  <mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="Security:name=JaasSecurityManager">
    <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
  </mbean>
 
  <!-- Uncomment to enable the XML implementation of the JAAS policy
  <mbean code="org.jboss.security.plugins.SecurityPolicyService" name="Security:name=SecurityPolicyService">
    <attribute name="JndiName">DefaultSecurityPolicy</attribute>
    <attribute name="PolicyFile">sample_policy.xml</attribute>
  </mbean>
-->

As you can see, fairly standard stuff a la the JAAS Howto.
 
Finally my web.xml that configures my servlets has the following section which worked under the SimpleRealm authentication provided by Tomcat:
 
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Serv-C</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>User</role-name>
    </auth-constraint>
  </security-constraint>
 
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>other</realm-name>
  </login-config>
  <security-role>
    <role-name>User</role-name>
  </security-role>
  <security-role>
    <role-name>Superuser</role-name>
  </security-role>
 
I would expect, upon accessing the default page, a dialogue box to appear asking for username and password, which would then be authenticated against the roles.properties and user.properties files.
 
Where am I going wrong?
 
Cheers,
Ijonas.