Hi Chuck,

Thanks for your reply. Here is the security-related part of my web.xml:

  <security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Default login configuration uses form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/auth/login2.jsp</form-login-page>
      <form-error-page>/auth/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>

The security role is there, I believe. But I run Tomcat in embedded mode and start the JAASRealm like this:

        JAASRealm jaasRealm = new JAASRealm();
        this.embedded.setRealm(jaasRealm);
        jaasRealm.setUserClassNames("web.security.realm.WebUser");
        jaasRealm.setRoleClassNames("web.security.realm.WebRole");

        // Start the embedded server
        this.embedded.start();
        running = true;

I don't know if there is a problem in my Java code.

BR/Liyi


On Apr 2, 2008, at 12:34 AM, Caldarale, Charles R wrote:

From: Liyi Meng [mailto:[EMAIL PROTECTED]
Subject: JAAS authentication goes OK, but 403 occurs on
requesting resources

When logging in, authentication goes OK, but when requesting
a resource, I always get 403 access denied!

What's in the <security-constraint>, <login-config>, and <security-role>
sections of the web.xml for your webapp?  Have you left out the
<security-role> element, by any chance?

Below is the code showing how I populate User and Role and then save them in the Subject

Your code is very similar to mine, which does work, so I don't think the
problem's there.

 - Chuck


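An added illustration, not part of the thread and not Tomcat's own code: a stand-alone check of how the principals a LoginModule puts into the Subject line up with the `manager` role required in web.xml. It assumes the realm takes role names from `getName()` of principals whose exact class name is listed in `roleClassNames`; the nested `WebUser`/`WebRole` classes, the user name and the sample subjects are constructed stand-ins for the poster's `web.security.realm` classes.

```java
import java.security.Principal;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

public class RoleMappingCheck {
    // Hypothetical stand-ins for web.security.realm.WebUser / WebRole.
    static class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        public String getName() { return name; }
    }
    static class WebUser extends Named { WebUser(String n) { super(n); } }
    static class WebRole extends Named { WebRole(String n) { super(n); } }

    // Assumed mapping: a principal contributes a role only if its exact class
    // name is in roleClassNames; the role name is whatever getName() returns.
    static Set<String> rolesFor(Subject subject, Set<String> roleClassNames) {
        Set<String> roles = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            if (roleClassNames.contains(p.getClass().getName())) roles.add(p.getName());
        }
        return roles;
    }

    // Builds a constructed Subject, as a LoginModule's commit() might leave it.
    static Subject subjectOf(Principal... principals) {
        Subject s = new Subject();
        s.getPrincipals().addAll(List.of(principals));
        return s;
    }

    public static void main(String[] args) {
        String required = "manager"; // <role-name> from the <auth-constraint>
        Set<String> roleClasses = Set.of(WebRole.class.getName());

        List<Subject> samples = List.of(
            subjectOf(new WebUser("alice"), new WebRole("manager")),  // role matches
            subjectOf(new WebUser("alice"), new WebRole("Manager")),  // name differs in case
            subjectOf(new WebUser("alice"), new WebUser("manager")),  // role stored as a user principal
            subjectOf(new WebUser("alice")));                         // no role principal at all

        for (Subject s : samples) {
            Set<String> roles = rolesFor(s, roleClasses);
            // Authentication succeeded in every case; only authorization differs.
            System.out.println(roles + " -> " + (roles.contains(required) ? "allowed" : "403"));
        }
    }
}
```

Only the first subject yields the `manager` role; the other three authenticate but would be denied, which is the symptom described in the thread.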