Hello everyone,

I am using JBoss 4.0.2 w/Tomcat 5.5.9 (integrated) along with jTDS and 
SQLServer for a project.

I would like to use DatabaseServerLoginModule and single sign-on. I've created 
the appropriate tables in my database for users and roles. I've created simple 
jsp pages for login and login error. I've also modified my login-config.xml, 
jboss-web.xml and web.xml to handle the security. I am using the Tomcat valve 
for single sign-on.

However, when I test the protected resource with a valid userid and password, I 
get a 403 error message. If I try to login with an invalid userid and password, 
I get the error jsp that I created.

This tells me that I am authenticating the user, but I am probably screwing 
something up with the roles as I cannot get access to the restricted resource 
even with the correct userid and password.

What I am trying to accomplish is

1. Authenticate a user against the database tables for userid and appropriate 
roles.

2. Use a custom error page when the user does not have access to the resource 
(uid/pw combo AND role).

3. Use SSO across the various web-apps that will comprise this project. Is it 
possible or correct for one web-app to handle all of the login/logout 
processing? If a user tries to access a web-app can that web-app redirect the 
user to a login page in another web-app? All of these web-apps will be in the 
same container.

Any help that could be provided would be most appreciated.

Thanks,
Howler


Here is my stuff


web.xml
    
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

 <resource-ref>
    <res-ref-name>jdbc/DefaultDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
 </resource-ref>

<security-constraint>
    <web-resource-collection>
            <web-resource-name>A Protected Page</web-resource-name>
            <url-pattern>/greeting.jsp</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
    </web-resource-collection>

    <auth-constraint>
            <role-name>admin</role-name>
    </auth-constraint>

</security-constraint>

<security-role>
    <role-name>admin</role-name>
</security-role>

<login-config>
    <auth-method>FORM</auth-method>
            <form-login-config>
                    <form-login-page>/login.jsp</form-login-page>
                    <form-error-page>/loginerror.jsp</form-error-page>
            </form-login-config>
</login-config>
</web-app>




login-config.xml

    
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.

The outline of the application-policy is:
<application-policy name="security-domain-name">
  <authentication>
    <login-module code="login.module1.class.name" flag="control_flag">
      <module-option name = "option1-name">option1-value</module-option>
      <module-option name = "option2-name">option2-value</module-option>
      ...
    </login-module>

    <login-module code="login.module2.class.name" flag="control_flag">
      ...
    </login-module>
    ...
  </authentication>
</application-policy>

$Revision: 1.12.2.2 $
-->

<policy>
    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <application-policy name = "client-login">
       <authentication>
          <login-module code = "org.jboss.security.ClientLoginModule"
             flag = "required">
          </login-module>
       </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ -->
    <application-policy name = "jbossmq">
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
             <module-option name = "unauthenticatedIdentity">guest</module-option>
             <module-option name = "dsJndiName">java:/DefaultDS</module-option>
             <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
             <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ when using file-state-service.xml
    <application-policy name = "jbossmq">
       <authentication>
          <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
             flag = "required">
             <module-option name = "unauthenticatedIdentity">guest</module-option>
             <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
          </login-module>
       </authentication>
    </application-policy>
    -->

    <!-- Security domains for testing new jca framework -->
    <application-policy name = "HsqlDbRealm">
       <authentication>
          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">sa</module-option>
             <module-option name = "userName">sa</module-option>
             <module-option name = "password"></module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <application-policy name = "JmsXARealm">
       <authentication>
          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">guest</module-option>
             <module-option name = "userName">guest</module-option>
             <module-option name = "password">guest</module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "jmx-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
           <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
           <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "web-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
             <module-option name="usersProperties">web-console-users.properties</module-option>
             <module-option name="rolesProperties">web-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- A template configuration for the JBossWS web application (and transport layer!).
      This defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name="JBossWS">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag="required">
          <module-option name="unauthenticatedIdentity">anonymous</module-option>
        </login-module>
      </authentication>
    </application-policy>

    <!-- The default login configuration used by any security domain that
    does not have an application-policy entry with a matching name
    -->
    <application-policy name = "other">
       <!-- A simple server login module, which can be used when the number
       of users is relatively small. It uses two properties files:
       users.properties, which holds users (key) and their password (value).
       roles.properties, which holds users (key) and a comma-separated list of
       their roles (value).
       The unauthenticatedIdentity property defines the name of the principal
       that will be used when a null username and password are presented as is
       the case for an unauthenticated web client or MDB. If you want to
       allow such users to be authenticated add the property, e.g.,
       unauthenticatedIdentity="nobody"
       -->
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
       </authentication>
    </application-policy>

    <application-policy name = "mysecurity">
            <authentication>
                    <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
                            <module-option name = "unauthenticatedIdentity">guest</module-option>
                            <module-option name = "dsJndiName">java:/DefaultDS</module-option>
                            <module-option name = "principalsQuery">SELECT sec_user_password FROM SEC_USERS WHERE sec_user_id=?</module-option>
                            <module-option name = "rolesQuery">SELECT Role 'Roles', RoleGroup 'RoleGroups' FROM SEC_USER_ROLES WHERE sec_user_id=?</module-option>
                    </login-module>
            </authentication>
    </application-policy>

</policy>



jboss-web.xml

    
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
 <resource-ref>
    <res-ref-name>jdbc/DefaultDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
 </resource-ref>

    <security-domain>java:/jaas/mysecurity</security-domain>
</jboss-web>



I added the following to my log4j.xml file to get logging information.

   
...
   <category name="org.jboss.security">
     <priority value="TRACE" class="org.jboss.logging.XLevel"/>
   </category>
...


After checking server.log I see that it looks like I'm getting authenticated 
and the correct role is being picked up. I'm still not sure why I am getting 
403'd on my resource if I've got all of the information and assigned the 
correct role to the resource.

    
...

2005-07-07 12:59:10,421 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'jbrosan' authenticated, loginOk=true
2005-07-07 12:59:10,421 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
2005-07-07 12:59:10,499 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role admin
2005-07-07 12:59:10,499 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] updateCache, subject=Subject:
    Principal: jbrosan
    Principal: admin(members:admin)

2005-07-07 12:59:10,499 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] Inserted cache info: [EMAIL PROTECTED](7037214).principals=[jbrosan, admin(members:admin)],[EMAIL PROTECTED],expirationTime=1120760944684]
2005-07-07 12:59:10,499 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] End isValid, true
2005-07-07 12:59:10,514 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
    Principal: jbrosan
    Principal: admin(members:admin)
, principal=jbrosan
2005-07-07 12:59:10,514 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] getPrincipal, cache info: [EMAIL PROTECTED](7037214).principals=[jbrosan, admin(members:admin)],[EMAIL PROTECTED],expirationTime=1120760944684]
2005-07-07 12:59:10,514 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] getUserRoles, subject: Subject:
    Principal: jbrosan
    Principal: admin(members:admin)

2005-07-07 12:59:10,624 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2005-07-07 12:59:10,624 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
    Principal: jbrosan
    Principal: admin(members:admin)
, principal=jbrosan
2005-07-07 12:59:10,639 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2005-07-07 12:59:10,639 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2005-07-07 12:59:10,655 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2005-07-07 12:59:10,655 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
    Principal: jbrosan
    Principal: admin(members:admin)
, principal=jbrosan
2005-07-07 12:59:10,655 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2005-07-07 12:59:10,655 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
...


View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3884103#3884103

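An added illustration of the role-grouping behaviour the post is running into; this is editor-written example code, not part of the original post and not JBoss's own source. In JBossSX's DatabaseServerLoginModule the first column returned by rolesQuery is the role name and the second column is the name of the group that role is filed under; a NULL or empty second column defaults to "Roles". The web container's <auth-constraint> check only consults the group named "Roles", which is why the shipped jbossmq domain in the same login-config.xml selects the literal 'Roles' as its second column. The posted trace shows the subject carrying "admin(members:admin)", i.e. a group named admin rather than Roles, so the admin role is present but invisible to the 403 check. The example below reproduces both outcomes with SQLite standing in for SQL Server; the SEC_USER_ROLES rows, the RoleGroup value 'admin' and the simplified grouping logic are all assumptions constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for the poster's SEC_USER_ROLES table (SQLite in place of
# SQL Server). The RoleGroup value 'admin' is an assumption chosen to reproduce
# the "admin(members:admin)" group that the posted trace shows.
ROWS = [
    ("jbrosan", "admin", "admin"),   # RoleGroup repeats the role name
    ("guest", "viewer", None),       # NULL RoleGroup: the module defaults it to 'Roles'
]

# The rolesQuery as posted, and a variant whose second column is always 'Roles'.
POSTED_ROLES_QUERY = (
    "SELECT Role 'Roles', RoleGroup 'RoleGroups' FROM SEC_USER_ROLES WHERE sec_user_id=?"
)
FIXED_ROLES_QUERY = "SELECT Role, 'Roles' FROM SEC_USER_ROLES WHERE sec_user_id=?"


def open_sample_db():
    """Create an in-memory database holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE SEC_USER_ROLES (sec_user_id TEXT, Role TEXT, RoleGroup TEXT)"
    )
    conn.executemany("INSERT INTO SEC_USER_ROLES VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def build_role_sets(rows):
    """Simplified re-implementation (not JBoss code) of how the login module
    turns rolesQuery rows into groups: column 1 is the role name, column 2 the
    group it is placed in, with a NULL or empty group defaulting to 'Roles'."""
    sets = {}
    for role, group in rows:
        group = group or "Roles"
        sets.setdefault(group, set()).add(role)
    return sets


def web_tier_allows(role_sets, required_role):
    """The container's <auth-constraint> check only consults the 'Roles' group,
    so a role filed under any other group name never satisfies it."""
    return required_role in role_sets.get("Roles", set())


def authorize(query, user, required_role):
    """Run a rolesQuery for `user` and report the resulting groups together with
    the outcome of an <auth-constraint> that requires `required_role`."""
    conn = open_sample_db()
    try:
        rows = conn.execute(query, (user,)).fetchall()
    finally:
        conn.close()
    role_sets = build_role_sets(rows)
    return role_sets, web_tier_allows(role_sets, required_role)


if __name__ == "__main__":
    for label, query in (("posted", POSTED_ROLES_QUERY), ("fixed", FIXED_ROLES_QUERY)):
        sets, allowed = authorize(query, "jbrosan", "admin")
        outcome = "granted" if allowed else "403"
        print(f"{label:6s} rolesQuery -> groups {sets}, access {outcome}")
```

Run stand-alone, the posted query yields the group {"admin": {"admin"}} and a 403 for the admin-protected page, while the variant that selects the literal 'Roles' yields {"Roles": {"admin"}} and grants access; the guest row shows that a NULL second column also lands in Roles. Aliasing a column as 'Roles' (as the posted query does) only renames the column, it does not change the values the module reads from it.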


_______________________________________________
JBoss-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jboss-user