I don't know if what I am going to ask fits with this thread well.  But my
question is:

Say I have a bean, named CompanyHandlerBean.  I want only my web container
(Tomcat or Jetty) to be able to call the methods (say registerCompany) in this
bean.  Now there is no login process; any user can go to my registercompay.jsp
page.  How do I set up the security so that only my web application can access
my CompanyHandlerBean?

Basically, I don't want anyone who knows my ip and the name of the bean to
call it from anywhere.

Any help or pointers will be greatly appreciated.

Thanks,

Derek
----- Original Message -----
From: "Neal Sanche" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "John Snyder" <[EMAIL PROTECTED]>
Sent: Sunday, October 27, 2002 10:58 AM
Subject: Re: [JBoss-user] DatabaseServerLoginModule - failing authentication?


> On Sunday 27 October 2002 12:26 pm, John Snyder wrote:
> > Hello all,
> > I am trying to use the DatabaseServerLoginModule with
> > jboss-3.0.0_tomcat-4.0.3, using a FORM login. All I am trying to do
> > at this point is to secure a JSP page called Office.jsp.
> >
> > When I try to go to the JSP page, the login page comes up, as
> > expected based on the web.xml configuration. When I fill in the
> > username and password (for j_username and j_password), then click
> > the submit button (action="j_security_check"), the JBoss console
> > displays, "Added PC_CloudscapeDbRealm,
> > org.jboss.security.plugins.SecurityDomainContext@a631cc to map",
> > which I believe is telling me that JBoss is applying the
> > PC_CloudscapeDbRealm security realm, which is what I want.
> >
> > My problem is twofold:
> >
> > First, I am not authenticated when I log in with a
> > username/password combination that should pass authentication (the
> > combination is in my security table).
>
> Well, here's some information from an application that I've been
> writing that seems to work just fine. In my web.xml I've specified a
> security constraint that looks like this:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>AdminApp</web-resource-name>
>     <url-pattern>/admin/*</url-pattern>
>     <http-method>POST</http-method>
>     <http-method>GET</http-method>
>   </web-resource-collection>
>
>   <auth-constraint>
>     <role-name>admin</role-name>
>   </auth-constraint>
> </security-constraint>
>
> So notice that I've specified some <http-method> blocks. I don't think
> it would make a difference, but you could try it (I don't know of
> defaults).
>
> Also, my experience has been that if a page isn't protected with a
> security constraint in an application, then the security credentials
> won't be available to that page. I suppose it makes sense, but it was
> unexpected behaviour to me. But that's probably not your problem
> either.
>
> Now, my login-config in web.xml looks like this:
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>Playground</realm-name>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/loginError.jsp</form-error-page>
>   </form-login-config>
> </login-config>
>
> Again, yours is identical, modulo page and realm differences. So
> that's not your problem either.
>
> In my jboss-web.xml file, I have something like this:
>
> <jboss-web>
>   <security-domain>java:/jaas/PLAYGROUND</security-domain>
>   ...
> </jboss-web>
>
> Again, I think you're good. Now, in my login-config.xml file, I've
> done things a little differently. I am using MySQL, and have set up a
> MySqlDbRealm application-policy similar to your CloudscapeDbRealm. My
> PLAYGROUND application-policy is similar to yours, but it doesn't
> contain a managedConnectionFactoryName option, and the flag is
> 'sufficient' in mine, instead of required.
>
> <application-policy name="PLAYGROUND">
>   <authentication>
>     <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
>                   flag="sufficient">
>       <module-option name="dsJndiName">java:/MySqlDS</module-option>
>       <module-option name="principalsQuery">SELECT Password FROM USERBASE_PRINCIPALS where PrincipalID=?</module-option>
>       <module-option name="rolesQuery">SELECT Role, RoleGroup FROM USERBASE_ROLES where PrincipalID=?</module-option>
>       <module-option name="unauthenticatedIdentity">guest</module-option>
>     </login-module>
>   </authentication>
> </application-policy>
>
> Here the unauthenticatedIdentity doesn't seem to have any effect, I
> just put it there to see if it would.
>
> I assume you've tested the SQL statements and they all work for you. I
> can't see any major places that you may have made a mistake.
>
> > Second, if authentication fails, I should be redirected to the
> > failed login page specified in my web.xml file, but I am not --
> > instead, the web browser just displays a Status 403 page, saying,
> > "message Access to the requested resource has been denied" and
> > "description Access to the specified resource (Access to the
> > requested resource has been denied) has been forbidden." Can anyone
> > please explain this behavior, and more importantly, how to fix it?
> > The relevant configuration files are as follows (in relevant part):
>
> Well, I was getting this as well, and what you can do about it is add
> a section to your web.xml file like the following:
>
>   <error-page>
>     <error-code>403</error-code>
>     <location>/authorizationError.jsp</location>
>   </error-page>
>
> The only time I've been able to see the page specified by
> <form-error-page> is if the Roles for a user are not sufficient. If
> the username and password are incorrect, you'll get a 403 instead.
>
> I hope some of this helps you.
>
> Cheers.
>
> -Neal
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: ApacheCon, November 18-21 in
> Las Vegas (supported by COMDEX), the only Apache event to be
> fully supported by the ASF. http://www.apachecon.com
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/jboss-user
>
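
An added example, not part of the original messages or of JBoss: a small Python check over the three descriptors discussed in the quoted reply (web.xml, jboss-web.xml, login-config.xml). It flags a constraint that enumerates `<http-method>` elements (under the Servlet specification such a constraint covers only the listed methods, while omitting them covers all methods), a missing 403 `<error-page>`, and a `security-domain` with no matching `application-policy`. The embedded descriptors are constructed samples modelled on the thread, the function name `lint` is hypothetical, and DTD-style descriptors without XML namespaces are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors modelled on the snippets quoted in this thread.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminApp</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/PLAYGROUND</security-domain></jboss-web>"
LOGIN_CONFIG_XML = '<policy><application-policy name="PLAYGROUND"><authentication/></application-policy></policy>'

def lint(web_xml, jboss_web_xml, login_config_xml):
    """Return a list of findings for the three deployment descriptors (hypothetical helper)."""
    findings = []
    web = ET.fromstring(web_xml)
    for sc in web.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            findings.append("constraint has no <auth-constraint> (check spelling)")
        for wrc in sc.iter("web-resource-collection"):
            methods = sorted(m.text.strip() for m in wrc.iter("http-method"))
            if methods:  # only the listed methods are constrained; all others stay open
                patterns = ",".join(u.text.strip() for u in wrc.iter("url-pattern"))
                findings.append(f"{patterns}: only {'/'.join(methods)} constrained")
    codes = {e.findtext("error-code", "").strip() for e in web.iter("error-page")}
    if web.find("login-config") is not None and "403" not in codes:
        findings.append("no <error-page> for 403")
    # java:/jaas/<name> must match an application-policy name in login-config.xml
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain", "").strip()
    name = domain.rsplit("/", 1)[-1]
    policies = {p.get("name") for p in ET.fromstring(login_config_xml).iter("application-policy")}
    if name not in policies:
        findings.append(f"security-domain {domain!r} has no application-policy {name!r}")
    return findings

if __name__ == "__main__":
    for finding in lint(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML):
        print("WARN", finding)
```
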

