[jboss-user] [Security & JAAS/JBoss] - JDBC Realm

bjornn do-not-reply at jboss.com
Wed Aug 2 12:52:41 EDT 2006


Hi all,

Following some hints, tips and articles, I'm trying to develop a small sample using JAAS & JBoss.

I think I have understood the concepts, but when I started to code, things became hard... hehehe.

Maybe I have forgotten something... I don't know exactly.

According to what I have read, I proceeded like this:

Step 1: Declare a new application policy in login-config.xml at conf dir:
  |     <application-policy name = "jaas-webapp-domain">
  |         <authentication>
  |            <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
  |               flag = "required">
  |               <module-option name = "unauthenticatedIdentity">pirata</module-option>
  |               <module-option name = "dsJndiName">jdbc/jaasDS</module-option>
  |               <module-option name = "principalsQuery">SELECT PASSWORD FROM USERS WHERE LOGIN=?</module-option>
  |               <module-option name = "rolesQuery">SELECT LOGIN, 'Roles' FROM ROLES WHERE LOGIN=?</module-option>
  |            </login-module>
  |         </authentication>
  |      </application-policy>

Step 2: Modify web.xml file:
  |  	<security-constraint>
  |  		<web-resource-collection>
  |  			<web-resource-name>página dos pebas</web-resource-name>
  |  			<url-pattern>/peba/*</url-pattern>
  |  		</web-resource-collection>
  |  		<auth-constraint>
  |  			<role-name>peba</role-name>
  |  		</auth-constraint>
  |  	</security-constraint>
  |  	
  |  	<security-role>
  |  		<role-name>peba</role-name>
  |  	</security-role>
  |  	
  |  	<login-config>
  |  		<auth-method>BASIC</auth-method>
  |  		<realm-name>jaas-webapp-realm</realm-name>
  |  	</login-config>

Step 3: add jboss-web.xml inside WEB-INF dir. Like this:
  | <?xml version="1.0" encoding="UTF-8"?>
  |  <jboss-web>
  |  	<security-domain>java:/jaas/jaas-webapp-domain</security-domain>
  |  </jboss-web>

I have tried to write the SQL to query principals in a WRONG WAY (i.e. missing table name after the FROM keyword, missing WHERE keyword) just to see if JBoss would complain and tell me that something was wrong... But nothing happened. I think it isn't called...

IE shows me the login window, I try 3 times, and I get a forbidden error... but no sql error appears in jboss log...

Maybe tag X in file Y must have the same value as tag Z in file W and I didn't realize...

What am I doing wrong? Should I find some reference to my security domain (java:/jaas/jaas-webapp-domain) in jmx-console? I didn't find one. My datasources are there... I found them...

I hope that you can understand me and send me some help.
Thanks in advance.

Excuse me for any English mistakes.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962555#3962555
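
Added example, not part of the original post: a small Python check of the cross-file links in the three steps above, namely that the `security-domain` in jboss-web.xml names an `application-policy` in login-config.xml and that every constrained role in web.xml is declared. The embedded XML is constructed from the post and trimmed to the linking elements; `check_links` and `parse` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"

# Constructed inputs: the three files from the post, trimmed to the linking elements.
LOGIN_CONFIG = """<policy>
  <application-policy name="jaas-webapp-domain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>"""
JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/jaas-webapp-domain</security-domain></jboss-web>"
WEB_XML = """<web-app>
  <security-constraint>
    <auth-constraint><role-name>peba</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>peba</role-name></security-role>
  <login-config><auth-method>BASIC</auth-method><realm-name>jaas-webapp-realm</realm-name></login-config>
</web-app>"""


def parse(text):
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace so paths match
    return root


def check_links(login_config, jboss_web, web_xml):
    """Return a list of cross-file mismatches (an empty list means the links line up)."""
    problems = []
    policies = {p.get("name") for p in parse(login_config).iter("application-policy")}
    domain = (parse(jboss_web).findtext("security-domain") or "").strip()
    name = domain[len(JAAS_PREFIX):] if domain.startswith(JAAS_PREFIX) else domain
    if name not in policies:
        problems.append(f"no application-policy named {name!r} in login-config.xml")
    web = parse(web_xml)  # realm-name is only the BASIC prompt label; not compared
    declared = {(r.text or "").strip() for r in web.findall("security-role/role-name")}
    for role in web.findall("security-constraint/auth-constraint/role-name"):
        r = (role.text or "").strip()
        if r != "*" and r not in declared:
            problems.append(f"role {r!r} is constrained but has no security-role entry")
    return problems


if __name__ == "__main__":
    print(check_links(LOGIN_CONFIG, JBOSS_WEB, WEB_XML) or "links are consistent")
```
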