Title: Chaining login modules

I'm trying to set up a chain of login modules to support authenticating users accessing a web application.

I can get the UsersRolesLoginModule to work fine, but I'm now trying to chain this with the DatabaseServerLoginModule, with little success.

If I attempt to log in with user credentials for a user stored in the properties files for UsersRolesLoginModule, I get an exception from the DatabaseServerLoginModule.

Vice versa, if I attempt to log in with user credentials for a user stored in the database for DatabaseServerLoginModule, I get an exception from the UsersRolesLoginModule.

The relevant section from login-conf.xml is:

<application-policy name="WebSecurityRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="sufficient">
      <module-option name="dsJndiName">java:/OracleDS</module-option>
      <module-option name="principalsQuery">select Password from Principals where PrincipalId=?</module-option>
      <module-option name="rolesQuery">select Role, RoleGroup from Roles where PrincipalId=?</module-option>
      <module-option name="unauthenticatedIdentity">nobody</module-option>
    </login-module>

    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="sufficient">
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
      <module-option name="unauthenticatedIdentity">nobody</module-option>
    </login-module>
  </authentication>
</application-policy>

From the documentation, I'm under the impression that setting "flag=sufficient" for each login module means that if a login module succeeds, then authentication is successful, otherwise the next login module in the chain is called. Is this correct?

Can someone point out what is wrong in the configuration above?

I'm using JBoss 3.0.0, XDoclet 1.1.2 and Oracle 9i on Windows XP.

Thanks,
Gavin.
