On Sunday 27 October 2002 12:26 pm, John Snyder wrote:
> Hello all,
> I am trying to use the DatabaseServerLoginModule with
> jboss-3.0.0_tomcat-4.0.3, using a FORM login. All I am trying to do
> at this point is to secure a JSP page called Office.jsp.
>
> When I try to go to the JSP page, the login page comes up, as
> expected based on the web.xml configuration. When I fill in the
> username and password (for j_username and j_password), then click
> the submit button (action="j_security_check"), the JBoss console
> displays, "Added PC_CloudscapeDbRealm,
> org.jboss.security.plugins.SecurityDomainContext@a631cc to map",
> which I believe is telling me that JBoss is applying the
> PC_CloudscapeDbRealm security realm, which is what I want.
>
> My problem is twofold:
>
> First, I am not authenticated when I log in with a
> username/password combination that should pass authentication (the
> combination is in my security table).

Well, here's some information from an application that I've been 
writing that seems to work just fine. In my web.xml I've specified a 
security constraint that looks like this:

<security-constraint>
        <web-resource-collection>
        <web-resource-name>AdminApp</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
        </web-resource-collection>

        <auth-constraint>
                <role-name>admin</role-name>
        </auth-constraint>
</security-constraint>

So notice that I've specified some <http-method> blocks. I don't think 
it would make a difference, but you could try it (I don't know of 
defaults).

Also, my experience has been that if a page isn't protected with a 
security constraint in an application, then the security credentials 
won't be available to that page. I suppose it makes sense, but it was 
unexpected behaviour to me. But that's probably not your problem 
either.

Now, my login-config in web.xml looks like this:

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Playground</realm-name>
  <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>
        
Again, yours is identical, modulo page and realm differences. So 
that's not your problem either.

In my jboss-web.xml file, I have something like this:

<jboss-web>
        <security-domain>java:/jaas/PLAYGROUND</security-domain>
...
</jboss-web>

Again, I think you're good. Now, in my login-config.xml file, I've 
done things a little differently. I am using MySQL, and have set up a 
MySqlDbRealm application-policy similar to your CloudscapeDbRealm. My 
PLAYGROUND application-policy is similar to yours, but it doesn't 
contain a managedConnectionFactoryName option, and the flag is 
'sufficient' in mine, instead of required.

<application-policy name="PLAYGROUND">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="sufficient">
      <module-option name="dsJndiName">java:/MySqlDS</module-option>
      <module-option name="principalsQuery">SELECT Password FROM USERBASE_PRINCIPALS where PrincipalID=?</module-option>
      <module-option name="rolesQuery">SELECT Role, RoleGroup FROM USERBASE_ROLES where PrincipalID=?</module-option>
      <module-option name="unauthenticatedIdentity">guest</module-option>
    </login-module>
  </authentication>
</application-policy>

Here the unauthenticatedIdentity doesn't seem to have any effect; I 
just put it there to see if it would.

I assume you've tested the SQL statements and they all work for you. I 
can't see any major places that you may have made a mistake.

> Second, if authentication fails, I should be redirected to the
> failed login page specified in my web.xml file, but I am not --
> instead, the web browser just displays a Status 403 page, saying,
> "message Access to the requested resource has been denied" and
> "description Access to the specified resource (Access to the
> requested resource has been denied) has been forbidden." Can anyone
> please explain this behavior, and more importantly, how to fix it?
> The relevant configuration files are as follows (in relevant part):

Well, I was getting this as well, and what you can do about it is add 
a section to your web.xml file like the following:

  <error-page>
    <error-code>403</error-code>
    <location>/authorizationError.jsp</location>
  </error-page>

The only time I've been able to see the page specified by 
<form-error-page> is if the Roles for a user are not sufficient. If 
the username and password are incorrect, you'll get a 403 instead.

I hope some of this helps you.

Cheers.

-Neal
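
An added example, not part of the original message: under the Servlet specification, a security-constraint that lists <http-method> elements applies only to those methods, and one that lists none applies to all methods. The Python sketch below audits a web.xml for that and for constraints with no <auth-constraint>; the sample document is constructed, and its second "Reports" constraint is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: first constraint mirrors the message above, second is hypothetical.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminApp</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


def local(tag):
    """Strip an XML namespace so DTD-based and schema-based web.xml files both work."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return (web-resource-name, finding) pairs, one or more per security-constraint."""
    findings = []
    root = ET.fromstring(xml_text)  # raises ParseError on mismatched tags
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        by_tag = {}
        for el in sc.iter():
            by_tag.setdefault(local(el.tag), []).append(el)
        name = (by_tag.get("web-resource-name", [sc])[0].text or "").strip()
        methods = sorted({(m.text or "").strip().upper() for m in by_tag.get("http-method", [])})
        if methods:
            # Listing methods narrows the constraint to exactly those methods.
            findings.append((name, "constraint covers only " + ",".join(methods)))
        if "auth-constraint" not in by_tag:
            findings.append((name, "no auth-constraint: no role is required"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_web_xml(SAMPLE_WEB_XML):
        print(f"{name}: {finding}")
```

Because the parser rejects mismatched tags, running this over a deployed web.xml also surfaces element-name typos before the container does.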


