Hi David, thank you very much for your help.
I've configured all the files you said. Are you using JBoss 2.4.3 Tomcat 4? I had problems with security authentication with this version. It's for that reason that I tried the previous release of Tomcat. My problem was that the server seemed to recognize the user 'cause it printed the following:

[EmbeddedCatalinaServiceSX] jsp: init
[Default] User 'leonardi' authenticated.

but then the user got an HTTP 403 error. If the same user tried to access the same resource again, the login went well. I couldn't figure out the problem, so I posted the question here and someone told me that Tomcat 4 is buggy with security.

Anyway, when I installed JBoss 2.4.3 Tomcat 3.2.3 my application did not work well and gave me problems that I did not have before! For example, I couldn't use the Jakarta XSL taglibs (with JBoss 2.4.3 Tomcat 4 it worked!), and it couldn't recognize security restrictions anymore! Looks strange, doesn't it?!

If only I could fix the security problem with JBoss 2.4.3 Tomcat 4, it would be the end of all my troubles!!! Any idea?

Thanks again

>From: "David Hamilton" <[EMAIL PROTECTED]>
>To: "Andrea Cervellati" <[EMAIL PROTECTED]>
>Subject: Re: [JBoss-user] security problem with Jboss+Tomcat
>Date: Wed, 23 Jan 2002 19:14:48 -0000
>
>Hi Andrea,
>
>I'm going to give a list of things to check. Not all of them may be required for you (depending on what you're trying to do) and some of them are part of the standard installation.
>
>web.xml (in .war/.ear file) - need to specify secured area and login type.
>
>jboss-web.xml (in .war/.ear file) - need to specify security domain name to sync up with that used in jboss.xml
>
>jboss.jcml (jboss conf/tomcat dir) - need the JaasSecurityManagerService mbean (standard installation).
>
>auth.conf (jboss conf/tomcat dir) - need an entry to match the security domain name in jboss-web.xml and jboss.xml
>
>ejb-jar.xml (in .jar/.ear file) - need security roles for the beans. To allow unsecured access to a bean, put </unchecked> in the <method-permission> element where you would normally have <role-name>.
>
>jboss.xml (in .jar/.ear file) - optionally need <enforce-ejb-restrictions> entry with 'true'. Definitely need <security-domain> entry with the security domain name (see jboss-web.xml and auth.conf).
>
>Hope this helps
> david
>
>----- Original Message -----
>From: "Andrea Cervellati" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Wednesday, January 23, 2002 4:12 PM
>Subject: RE: [JBoss-user] security problem with Jboss+Tomcat
>
>Hi,
>
>I've installed the Jboss2.4.3_tomcat3.2.3
>
>I can't understand why, but the same application that I had before running on JBoss2.4.3_tomcat4 now doesn't work!
>
>Any security constraint is ignored now! OMG!
>I'm wasting a lot of time trying to understand the reason.
>In addition I have another problem now that I did not have before: the Jakarta XSL taglib doesn't work! I need that taglib!
>
>How is it possible?!
>
>This is a bad nightmare!
>
>Someone suggested that I try Tomcat 4.0.2 b2, but I don't know if it is a good idea. They say that milestone versions are buggy!
>And I don't know if I'm able to configure it with JBoss (I was using the JBoss+Tomcat package before)
>
>please help!
>
>>From: "Sternagel Annegret (PN-SYS/PE)" <[EMAIL PROTECTED]>
>>To: "'Andrea Cervellati'" <[EMAIL PROTECTED]>
>>Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>>Subject: RE: [JBoss-user] security problem with Jboss+Tomcat
>>Date: Tue, 22 Jan 2002 15:46:04 +0100
>>
>>Hello Andrea,
>>
>>I don't know how to solve your strange problem.
>>What I can say:
>>
>>the server output
>> [Default] User 'leonardi' authenticated.
>>shows that the user is recognized and the password is correct,
>>it says nothing about access rights.
>>The access rights are checked during the first access to a secured bean.
>>
>>Which exception exactly occurs when the login fails?
>>Can you post the StackTrace?
>>
>>Annegret
>>
>>P.S.: Please post also to the list, not only to me ;-)
>>
>>-----Original Message-----
>>From: Andrea Cervellati [mailto:[EMAIL PROTECTED]]
>>Sent: Tuesday, 22 January 2002 14:48
>>To: [EMAIL PROTECTED]
>>Subject: RE: [JBoss-user] security problem with Jboss+Tomcat
>>
>>Thank you very much for the advice.
>>
>>I separated the ejbs into two different jar files and I fixed the problem.
>>
>>Anyway I have another problem.
>>
>>When I start up the server, the first user that tries to access the protected resources gets the login failure even if the credentials are right. The strange thing is that the server seems to recognize the user 'cause it prints the following:
>>
>>[EmbeddedCatalinaServiceSX] jsp: init
>>[Default] User 'leonardi' authenticated.
>>
>>Another strange thing is that if the same user tries to access the same resource again, the login goes well.
>>
>>This happens not only with the user 'leonardi' but with any other user that is the first after a start-up operation.
>>
>>I'm using a database login module and I have the configuration bound under the JNDI name 'java:/jaas/modulojdbc'. When the server is deploying the app I can read the message:
>>
>>[Container factory] Deploying MatDidEJB
>>[Default] lookup securityDomain manager name: java:/jaas/modulojdbc
>>[JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@4cd580
>>[JaasSecurityManagerService] setCachePolicy, c=null
>>[JaasSecurityManagerService] Added modulojdbc, org.jboss.security.plugins.JaasSecurityManager@4cd580 to map
>>
>>so it seems everything is ok!
>>
>>So what should I do?
>>
>>Thanks again
>>
>>>From: "Sternagel Annegret (PN-SYS/PE)" <[EMAIL PROTECTED]>
>>>To: [EMAIL PROTECTED]
>>>Subject: RE: [JBoss-user] security problem with Jboss+Tomcat
>>>Date: Tue, 22 Jan 2002 09:39:08 +0100
>>>
>>>The security-domain in jboss.xml is valid for all beans it belongs to. If you want to restrict the security to particular beans, separate them in different jars with different jboss.xml.
>>>
>>>Annegret
>>>
>>>-----Original Message-----
>>>From: Andrea Cervellati [mailto:[EMAIL PROTECTED]]
>>>Sent: Monday, 21 January 2002 17:56
>>>To: [EMAIL PROTECTED]
>>>Subject: [JBoss-user] security problem with Jboss+Tomcat
>>>
>>>Hi,
>>>
>>> I'm using JBoss and Tomcat for my web application.
>>>
>>> I have two stateful session ejbs: InsegnamentiEJB and MatDidEJB.
>>>
>>> The MatDidEJB is restricted to a security domain, but the other is not.
>>> So I did not specify any method permission in the ejb-jar.xml for the first bean, but only for the second one:
>>>
>>> <assembly-descriptor>
>>>   <security-role>
>>>     <role-name>docente</role-name>
>>>   </security-role>
>>>
>>>   <method-permission>
>>>     <role-name>docente</role-name>
>>>     <method>
>>>       <ejb-name>MatDidEJB</ejb-name>
>>>       <method-name>*</method-name>
>>>     </method>
>>>   </method-permission>
>>> </assembly-descriptor>
>>>
>>> I want to use the database login module for the authentication of users, so I had to change the standard configuration by adding the following jboss.xml:
>>>
>>> <jboss>
>>>   <security-domain>java:/jaas/modulojdbc</security-domain>
>>> </jboss>
>>>
>>> where modulojdbc is the JNDI name of the authorization configuration in the auth.conf file.
>>>
>>> Then I have two JSPs: Insegnamenti.jsp and MatDid.jsp.
>>>
>>> When the user connects to the first he/she doesn't need to be authenticated and can access the related ejb.
>>> On the bottom of the page there is a link to the other jsp and if the user clicks it he/she must authenticate himself/herself with a login form.
>>>
>>> My web.xml contains the following:
>>>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>area riservata</web-resource-name>
>>>     <url-pattern>/MatDid.jsp</url-pattern>
>>>     <http-method>DELETE</http-method>
>>>     <http-method>GET</http-method>
>>>     <http-method>POST</http-method>
>>>     <http-method>PUT</http-method>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>docente</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>>
>>> The problem is that when the user connects to the Insegnamenti.jsp and tries to connect to the InsegnamentiEJB the following exception occurs:
>>>
>>> javax.servlet.ServletException: checkSecurityAssociation;
>>> nested exception is:
>>> java.lang.SecurityException: Authentication exception, principal=null; nested exception is:
>>> java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
>>> java.lang.SecurityException: Authentication exception, principal=null
>>>
>>> It seems that as long as I set the JBoss configuration with the jboss.xml, any user that tries to access the beans must be authenticated! WHY?!
>>>
>>> How can I restrict the authentication only to ONE particular ejb?
>>>
>>> PLEASE HELP!!!!!
>>>
>>> Thanks in advance
>>>
>>> bye
>>>
>>>_______________________________________________
>>>JBoss-user mailing list
>>>[EMAIL PROTECTED]
>>>https://lists.sourceforge.net/lists/listinfo/jboss-user
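Added example (not a descriptor posted by anyone in this thread): the assembly-descriptor from Andrea's original ejb-jar.xml with the second bean marked unchecked, which is what David's advice looks like in EJB 2.0 syntax (the element is written `<unchecked/>`). The thread does not establish whether JBoss 2.4.3 lets an unauthenticated caller through on an unchecked method once jboss.xml sets a security-domain for the jar; Andrea's confirmed fix was to split the beans into separate jars as Annegret suggested, so treat this as the single-jar alternative to verify, not as a tested result.

```xml
<!-- Fragment of ejb-jar.xml (added example). The file must declare the
     EJB 2.0 DTD (ejb-jar_2_0.dtd): <unchecked/> does not exist in EJB 1.1.
     The <enterprise-beans> entries for InsegnamentiEJB and MatDidEJB are
     assumed unchanged from the original jar and are not repeated here. -->
<assembly-descriptor>
  <security-role>
    <role-name>docente</role-name>
  </security-role>

  <!-- MatDidEJB: every method requires the 'docente' role, exactly as in
       Andrea's post. The web.xml <auth-constraint> uses the same role name,
       so the web tier and the EJB tier agree on who may reach it. -->
  <method-permission>
    <role-name>docente</role-name>
    <method>
      <ejb-name>MatDidEJB</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>

  <!-- InsegnamentiEJB: declared unchecked instead of being left without any
       permission. In the thread, a bean with no method-permission in a jar
       whose jboss.xml names a security-domain produced
       "Authentication exception, principal=null" for anonymous callers. -->
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>InsegnamentiEJB</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
```

jboss.xml keeps the `<security-domain>java:/jaas/modulojdbc</security-domain>` entry from the original post; as Annegret notes, that domain applies to every bean in the jar, which is why the unchecked permission has to be stated explicitly rather than implied by omission.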
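A second added example (not Andrea's file) for David's web.xml item, "secured area and login type", built from the constraint in the original post. The `/login.jsp` and `/loginError.jsp` page names and the Servlet 2.3 DTD are assumptions; the jboss-web.xml fragment uses the domain name from the thread.

```xml
<!-- web.xml fragment (added example). Leaving out <http-method> is deliberate:
     when a web-resource-collection lists methods, only those methods are
     constrained, so the original list (DELETE, GET, POST, PUT) left HEAD,
     OPTIONS and TRACE requests to /MatDid.jsp outside the constraint. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>area riservata</web-resource-name>
    <url-pattern>/MatDid.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>docente</role-name>
  </auth-constraint>
</security-constraint>

<!-- The "login type": the form login Andrea describes. The two page names are
     assumptions; the login page itself must not sit under a constrained URL,
     or the container can never display it to an unauthenticated user. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- The role used in <auth-constraint> must also be declared for the web app. -->
<security-role>
  <role-name>docente</role-name>
</security-role>

<!-- jboss-web.xml (separate file in the .war): binds the web tier to the same
     security domain that jboss.xml and auth.conf use, as David's list requires. -->
<jboss-web>
  <security-domain>java:/jaas/modulojdbc</security-domain>
</jboss-web>
```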
