Hello,

I am trying to implement an integration between Declarative Security and JAAS.  I have specified in my web.xml file that all jsp files under the directory called "security" are protected and only accessible by the role "Admin".  I also specified in the web.xml file that Authentication is done by Login FORM.  I then created a configuration for the DatabaseServerLoginModule in login-config.xml, and created a servlet that uses the LoginContext to authorize the user.  The Login page's form's action points to this servlet rather than <b>j_security_check</b>.  However, it doesn't seem to work, because I can't access the secure pages, even though I enter the correct username and password.  Here are my files:

<b>*****web.xml*****</b>

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <servlet>
        <servlet-name>loginservlet</servlet-name>
        <servlet-class>loginservlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>loginservlet</servlet-name>
        <url-pattern>/loginservlet</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>Constraint1</display-name>
        <web-resource-collection>
            <web-resource-name>Secure Pages</web-resource-name>
            <description>Secure Pages</description>
            <url-pattern>/security/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Admin</description>
            <role-name>Admin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Test Realm</realm-name>
        <form-login-config>
            <form-login-page>/Login.jsp</form-login-page>
            <form-error-page>/Error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>Admin User</description>
        <role-name>Admin</role-name>
    </security-role>
</web-app>

<b>*****login-config.xml*****</b>

<application-policy name="testDB">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="dsJndiName">java:/testDB</module-option>
            <module-option name="principalsQuery">SELECT password from Principals where PrincipalID =?</module-option>
            <module-option name="rolesQuery">SELECT Role, Rolegroup FROM roles WHERE principalid=?</module-option>
        </login-module>
    </authentication>
</application-policy>

<b>****jboss-web.xml****</b>

<jboss-web>
  <security-domain>java:/jaas/testDB</security-domain>
  <context-root>/testJBOSSsecurity</context-root>
</jboss-web>

<b>****Login.jsp*****</b>

<FORM name="logonForm" action="loginservlet" METHOD="POST">
<TABLE width="100%" border="0" cellspacing="0" cellpadding="1" bgcolor="white">
<TR align="center">
<TD align="right" class="Prompt"></TD>
<TD align="left">
<INPUT type="text" name="j_username" maxlength="20">
</TD>
</TR>
<TR align="center">
<TD align="right" class="Prompt"> </TD>
<TD align="left">
<INPUT type="password" name="j_password" maxlength="20">
</TD>
</TR>
<TR align="center">
<TD align="right" class="Prompt"> </TD>
<TD align="left">
<input type="submit" value="Login">
</TD>
</TR>
</TABLE>
</FORM>

<b>****loginservlet.java*****</b>

// Body of loginservlet.doPost(HttpServletRequest request, HttpServletResponse response).
// Needs imports for java.security.Principal, java.util.Set, javax.security.auth.Subject,
// javax.security.auth.callback.CallbackHandler, javax.security.auth.login.LoginContext,
// javax.security.auth.login.LoginException, org.jboss.security.SimplePrincipal and
// org.jboss.security.auth.callback.SecurityAssociationHandler.
PrintWriter out = response.getWriter();
try {
    // JBoss callback handler that answers the login module's name/password callbacks
    SecurityAssociationHandler handler = new SecurityAssociationHandler();
    Principal user = new SimplePrincipal(request.getParameter("j_username"));
    handler.setSecurityInfo(user, request.getParameter("j_password"));
    // "testDB" must match the <application-policy name> in login-config.xml
    LoginContext loginContext = new LoginContext("testDB", (CallbackHandler) handler);
    loginContext.login();
    Subject subject = loginContext.getSubject();
    Set principals = subject.getPrincipals();
    principals.add(user);
    out.println(subject.toString());
    //response.sendRedirect("securepage.java");
} catch (LoginException e) {
    // wrong credentials, or the login module itself failed
    throw new ServletException("JAAS login failed", e);
}

So, those are my files.....What I am trying to do is integrate JAAS and Declarative Security, so that I don't have to programmatically declare which pages are accessed by which type of user.  However, when I reach the Login Form and enter the correct username and password, nothing happens....I can verify that the servlet code is correct, because I can directly visit the login page without trying to access it by requesting a secure page, and when I enter the correct username and password, I get a print line of the subject's principals as they are in the database from the line <b>out.println(subject.toString());</b>

Your help is very appreciated
Thank You

Sam
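For the declarative constraint to be satisfied the container has to perform the login itself: with <b>FORM</b> authentication it only treats a POST to <b>j_security_check</b> as a login, and it then runs the JAAS login against the security domain named in jboss-web.xml, so a Subject created by a servlet's own LoginContext is never attached to the web request. The following Login.jsp is an added example, not the post's original file; it reuses the post's field names, security domain and error page.

```html
<%-- Added example, not the original Login.jsp.
     Posting to j_security_check hands the credentials to the servlet
     container, which performs the JAAS login against the security domain
     "java:/jaas/testDB" from jboss-web.xml, checks the "Admin" role from
     the rolesQuery, and then redirects to the /security/* page that was
     originally requested.  A POST to loginservlet never enters this path,
     so the container still sees an unauthenticated request.
     Note: the second column of rolesQuery (Rolegroup) must be "Roles" for
     DatabaseServerLoginModule to expose those names as web-tier roles. --%>
<FORM name="logonForm" action="j_security_check" METHOD="POST">
  <TABLE width="100%" border="0" cellspacing="0" cellpadding="5">
    <TR align="center">
      <TD align="right" class="Prompt">Username</TD>
      <TD align="left"><INPUT type="text" name="j_username" maxlength="20"></TD>
    </TR>
    <TR align="center">
      <TD align="right" class="Prompt">Password</TD>
      <TD align="left"><INPUT type="password" name="j_password" maxlength="20"></TD>
    </TR>
    <TR align="center">
      <TD colspan="2"><INPUT type="submit" value="Login"></TD>
    </TR>
  </TABLE>
</FORM>
<%-- Caveat: this page only works when the container redirected to it from
     a protected URL such as /security/index.jsp.  Opening Login.jsp
     directly and submitting is rejected, because there is no saved request
     to return to; a failed login is forwarded to /Error.jsp from web.xml. --%>
```

Once the container owns the login, loginservlet is no longer needed for the protected pages, and inside /security/* the outcome is visible through request.getUserPrincipal() and request.isUserInRole("Admin").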
View this message in context: <a href="http://www.nabble.com/Problem-with-JAAS-and-Declarative-Security-on-JBOSS-4.2.1-GA-tp17047330p17047330.html">Problem with JAAS and Declarative Security on JBOSS 4.2.1 GA</a>
Sent from the <a href="http://www.nabble.com/JBoss---Dev-f2633.html">JBoss - Dev mailing list archive</a> at Nabble.com.