On Sunday 27 October 2002 12:26 pm, John Snyder wrote:
> Hello all,
> I am trying to use the DatabaseServerLoginModule with
> jboss-3.0.0_tomcat-4.0.3, using a FORM login. All I am trying to do
> at this point is to secure a JSP page called Office.jsp.
>
> When I try to go to the JSP page, the login page comes up, as
> expected based on the web.xml configuration. When I fill in the
> username and password (for j_username and j_password), then click
> the submit button (action="j_security_check"), the JBoss console
> displays, "Added PC_CloudscapeDbRealm,
> org.jboss.security.plugins.SecurityDomainContext@a631cc to map",
> which I believe is telling me that JBoss is applying the
> PC_CloudscapeDbRealm security realm, which is what I want.
>
> My problem is twofold:
>
> First, I am not authenticated when I log in with a
> username/password combination that should pass authentication (the
> combination is in my security table).

Well, here's some information from an application that I've been writing that seems to work just fine. In my web.xml I've specified a security constraint that looks like this:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminApp</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

So notice that I've specified some <http-method> blocks. I don't think it would make a difference, but you could try it (I don't know of defaults). Also, my experience has been that if a page isn't protected with a security constraint in an application, then the security credentials won't be available to that page. I suppose it makes sense, but it was unexpected behaviour to me. But that's probably not your problem either.

Now, my login-config in web.xml looks like this:

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Playground</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

Again, yours is identical, modulo page and realm differences. So that's not your problem either.

In my jboss-web.xml file, I have something like this:

  <jboss-web>
    <security-domain>java:/jaas/PLAYGROUND</security-domain>
    ...
  </jboss-web>

Again, I think you're good.

Now, in my login-config.xml file, I've done things a little differently. I am using MySQL, and have set up a MySqlDbRealm application-policy similar to your CloudscapeDbRealm. My PLAYGROUND application-policy is similar to yours, but it doesn't contain a managedConnectionFactoryName option, and the flag is 'sufficient' in mine, instead of required.

  <application-policy name="PLAYGROUND">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag="sufficient">
        <module-option name="dsJndiName">java:/MySqlDS</module-option>
        <module-option name="principalsQuery">SELECT Password FROM USERBASE_PRINCIPALS where PrincipalID=?</module-option>
        <module-option name="rolesQuery">SELECT Role, RoleGroup FROM USERBASE_ROLES where PrincipalID=?</module-option>
        <module-option name="unauthenticatedIdentity">guest</module-option>
      </login-module>
    </authentication>
  </application-policy>

Here the unauthenticatedIdentity doesn't seem to have any effect, I just put it there to see if it would. I assume you've tested the SQL statements and they all work for you. I can't see any major places that you may have made a mistake.

> Second, if authentication fails, I should be redirected to the
> failed login page specified in my web.xml file, but I am not --
> instead, the web browser just displays a Status 403 page, saying,
> "message Access to the requested resource has been denied" and
> "description Access to the specified resource (Access to the
> requested resource has been denied) has been forbidden." Can anyone
> please explain this behavior, and more importantly, how to fix it?
> The relevant configuration files are as follows (in relevant part):

Well, I was getting this as well, and what you can do about it is add a section to your web.xml file like the following:

  <error-page>
    <error-code>403</error-code>
    <location>/authorizationError.jsp</location>
  </error-page>

The only time I've been able to see the page specified by <form-error-page> is if the Roles for a user are not sufficient. If the username and password are incorrect, you'll get a 403 instead.

I hope some of this helps you. Cheers.

-Neal
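
Added example, not part of the original message: a small Python lint for the web.xml points discussed in the thread (a mistyped tag that breaks well-formedness, a constraint limited to its listed <http-method> values, and a FORM login with no 403 <error-page>). The function name lint_web_xml and the sample document are constructed for illustration, and a namespace-free Servlet 2.3 style descriptor is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.xml fragments quoted in the thread.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminApp</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Playground</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def lint_web_xml(text):
    """Return a list of findings for a namespace-free (Servlet 2.3 style) web.xml."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # A tag opened as <auth-contraint> and closed as </auth-constraint> lands here.
        return [f"not well-formed: {exc}"]
    findings = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern") if p.text]
        methods = sorted(m.text.strip() for m in sc.iter("http-method") if m.text)
        if methods:
            # Listed methods limit the constraint; other methods are not covered by it.
            findings.append(f"{patterns}: constraint covers only {','.join(methods)}")
        if sc.find("auth-constraint") is None:
            findings.append(f"{patterns}: no auth-constraint, so no role is required")
    if root.findtext("login-config/auth-method", "").strip() == "FORM":
        for tag in ("form-login-page", "form-error-page"):
            if not root.findtext("login-config/form-login-config/" + tag):
                findings.append(f"FORM login without <{tag}>")
        codes = [e.findtext("error-code", "").strip() for e in root.findall("error-page")]
        if "403" not in codes:
            findings.append("no <error-page> for 403; denied requests get the container default page")
    return findings
```

Run it as lint_web_xml(open("WEB-INF/web.xml").read()) against a deployed descriptor; an empty list means none of the three conditions was found.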