[jboss-user] [Security & JAAS/JBoss] - One security domain, two web apps

bezdomny do-not-reply at jboss.com
Thu Sep 14 14:27:59 EDT 2006


I currently have two web apps, Identity and Business. Identity is currently configured to use jaas/jboss with a custom login module and it works great. I now have this new app that I want to secure and I want to use the Identity security domain and login module. I have added the following to the jboss-web.xml in the Business app (exact same as in the Identity app jboss-web.xml):

<jboss-web>
<security-domain flushOnSessionInvalidation="true">java:/jaas/Identity</security-domain>
<resource-ref>
	<res-ref-name>jdbc/cidb</res-ref-name>
	<jndi-name>java:/jdbc/cidb</jndi-name>
</resource-ref>

</jboss-web>

I have also added the requisite security role/form login stuff in Business web.xml. As follows:

<security-role>
	<description>basic client users</description>
	<role-name>client</role-name>
</security-role>

<security-role>
	<description>basic analyst users</description>
	<role-name>analyst</role-name>
</security-role>


<security-constraint>
  <web-resource-collection>
    <web-resource-name>
      client files
    </web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>client</role-name>
    <role-name>analyst</role-name>
  </auth-constraint>
</security-constraint>



<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Identity</realm-name>
  <form-login-config>
    <form-login-page>/common/start.jsp</form-login-page>
    <form-error-page>/common/loginerror.jsp</form-error-page>
  </form-login-config>
</login-config>

Now for the question :)
When I hit one of the Business app's Struts pages like /Business/initSplashPage.do, I get the proper login screen. When I try to authenticate, the auth fails and I'm returned to the login screen. Actually my login module isn't even being called. I'm assuming that the reason is that my custom login module isn't visible in the classpath of the Business app since it actually lives inside the Identity app. Is this correct? Shouldn't jboss be able to call my custom login module from wherever it lives?

Now for the weird part. When I authenticate as normal in the Identity app, then click over to the Business app, it passes my auth info fine and recognises I'm logged in, and the app works fine. This isn't such a big deal as my clients will always go through the Identity app to the Business app, but I don't know why it won't work just authenticating in the biz app.
Any ideas?
Thanks!
B

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3971656#3971656
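
An added example, not part of the original post: a Python check that both apps bind to the same security domain and that the Business web.xml wiring (declared roles, FORM login pages) is consistent. The descriptor strings are constructed from the snippets in the post, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors modelled on the snippets in the post (no namespaces).
IDENTITY_JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/Identity</security-domain></jboss-web>"
BUSINESS_JBOSS_WEB = """<jboss-web>
  <security-domain flushOnSessionInvalidation="true">java:/jaas/Identity</security-domain>
</jboss-web>"""
BUSINESS_WEB = """<web-app>
  <security-role><role-name>client</role-name></security-role>
  <security-role><role-name>analyst</role-name></security-role>
  <security-constraint>
    <web-resource-collection><url-pattern>*.do</url-pattern></web-resource-collection>
    <auth-constraint>
      <role-name>client</role-name>
      <role-name>analyst</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/common/start.jsp</form-login-page>
      <form-error-page>/common/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""


def security_domain(jboss_web_xml):
    """Return the JAAS domain JNDI name a jboss-web.xml binds the app to."""
    return (ET.fromstring(jboss_web_xml).findtext("security-domain") or "").strip()


def _texts(root, path):
    """Collect the stripped text of every element matching path."""
    return {(n.text or "").strip() for n in root.findall(path)}


def lint_web_xml(web_xml):
    """Return findings about the role / constraint / FORM login wiring."""
    root, findings = ET.fromstring(web_xml), []
    declared = _texts(root, "security-role/role-name")
    used = _texts(root, "security-constraint/auth-constraint/role-name")
    for role in sorted(used - declared - {"*"}):
        findings.append(f"role '{role}' is used in auth-constraint but not declared")
    if (root.findtext("login-config/auth-method") or "").strip() == "FORM":
        for tag in ("form-login-page", "form-error-page"):
            page = (root.findtext(f"login-config/form-login-config/{tag}") or "").strip()
            if not page.startswith("/"):
                findings.append(f"FORM login is missing a context-relative {tag}")
    return findings
```

These checks cover descriptor wiring only; whether the login module class is visible to the Business app is not something the descriptors can show.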
