[jboss-user] [Security & JAAS/JBoss] - Re: Latest JAAS Tutorial for Database communication

smeaggie do-not-reply at jboss.com
Mon Feb 19 11:11:00 EST 2007


don't know about jGuard, but this is JAAS with database login (a real quickie though, feel free to ask more).

1) set up the connection to the database. put a "database-ds.xml" file in the deploy directory which contains something like:

  | <datasources>
  | 	<local-tx-datasource>
  | 		<jndi-name>exampleDS</jndi-name>
  | 		<connection-url>jdbc:postgresql://127.0.0.1:5432/example</connection-url>
  | 		<driver-class>org.postgresql.Driver</driver-class>
  | 		<user-name>ex</user-name>
  | 		<password>_______</password>    
  | 		<min-pool-size>5</min-pool-size>
  | 		<max-pool-size>20</max-pool-size>    
  | 		<metadata>
  | 			<type-mapping>PostgreSQL 7.2</type-mapping>
  | 		</metadata>  
  | 	</local-tx-datasource>
  | </datasources>
  | 
make sure you enter the correct driver, connection string etc. Now open login-config.xml in the server's conf/ directory. You need to define a security domain here. Add this to the file:

  | <application-policy name = "exampleDomain">
  | 	<authentication>
  | 		<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
  | 			<module-option name = "unauthenticatedIdentity">guest</module-option>
  | 			<module-option name = "dsJndiName">java:/exampleDS</module-option>
  | 			<module-option name = "principalsQuery">SELECT PASSWD FROM USERS WHERE USERID=?</module-option>
  | 			<module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM ROLES WHERE USERID=?</module-option>
  | 		</login-module>
  | 	</authentication>
  | </application-policy>
  | 
note the definition "exampleDomain" and how the dsJndiName is set to java:/exampleDS. exampleDS comes from the database connection definition above! the two queries in this file mean the following: the principalsQuery should return the password of the user where userid is the name the user entered in the login form. The rolesQuery must return all roles associated with the username. So it's time to create two tables in your database, with at least this info:

  | table USERS
  | +----------+----------+
  | | userid   | passwd   |
  | +----------+----------+
  | | test     | secret   |
  | +----------+----------+
  | 
  | table ROLES
  | +----------+----------+
  | | userid   | roleid   |
  | +----------+----------+
  | | test     | admin    |
  | | test     | manager  |
  | +----------+----------+
  | 
(don't mind the ascii art)

we've created a user "test" with the password "secret" and the roles "admin" and "manager".

time to secure the web application: open up jboss-web.xml (from the WEB-INF directory) and put this in it:

  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss-web>
  |   <security-domain>java:/jaas/exampleDomain</security-domain>
  |   <context-root>/example</context-root>
  | </jboss-web>
  | 
this sets the security domain for the web application to "exampleDomain", which is declared in the login-config.xml above! jboss now knows which login module configuration applies to this application.
now edit web.xml (also in the WEB-INF directory) and add this:

  | 	<security-constraint>
  | 		<display-name>manager</display-name>
  | 		<web-resource-collection>
  | 			<web-resource-name>manager_pages</web-resource-name>
  | 			<description/>
  | 			<url-pattern>/manager/*</url-pattern>
  | 			<http-method>GET</http-method>
  | 			<http-method>POST</http-method>
  | 			<http-method>HEAD</http-method>
  | 			<http-method>PUT</http-method>
  | 			<http-method>OPTIONS</http-method>
  | 			<http-method>TRACE</http-method>
  | 			<http-method>DELETE</http-method>
  | 		</web-resource-collection>
  | 		<auth-constraint>
  | 			<description/>
  | 			<role-name>manager</role-name>
  | 		</auth-constraint>
  | 		<user-data-constraint>
  | 			<description/>
  | 			<transport-guarantee>NONE</transport-guarantee>
  | 		</user-data-constraint>
  | 	</security-constraint>
  | 
  | 	<security-constraint>
  | 		<display-name>admin</display-name>
  | 		<web-resource-collection>
  | 			<web-resource-name>admin_pages</web-resource-name>
  | 			<description/>
  | 			<url-pattern>/admin/*</url-pattern>
  | 			<http-method>GET</http-method>
  | 			<http-method>POST</http-method>
  | 			<http-method>HEAD</http-method>
  | 			<http-method>PUT</http-method>
  | 			<http-method>OPTIONS</http-method>
  | 			<http-method>TRACE</http-method>
  | 			<http-method>DELETE</http-method>
  | 		</web-resource-collection>
  | 		<auth-constraint>
  | 			<description/>
  | 			<role-name>admin</role-name>
  | 		</auth-constraint>
  | 		<user-data-constraint>
  | 			<description/>
  | 			<transport-guarantee>NONE</transport-guarantee>
  | 		</user-data-constraint>
  | 	</security-constraint>
  | 
  | 	<login-config>
  | 		<auth-method>FORM</auth-method>
  | 		<realm-name>example</realm-name>
  | 		<form-login-config>
  | 			<form-login-page>/login.html</form-login-page>
  | 			<form-error-page>/login_error.html</form-error-page>
  | 		</form-login-config>
  | 	</login-config>
  | 	
  | 	<security-role>
  | 		<description/>
  | 		<role-name>admin</role-name>
  | 	</security-role>
  | 	<security-role>
  | 		<description/>
  | 		<role-name>manager</role-name>
  | 	</security-role>
  | 
this defines two security constraints: one for everything behind /manager (where only users with the "manager" role are allowed) and one for admins, everything behind /admin.

the login pages (login.html and login_error.html) should look like this:

  | <html>
  | <body>
  |    <form action="j_security_check" method="post">
  |       <input type="text" name="j_username"><br>
  |       <input type="password" name="j_password"><br>
  |       <input type="submit" value="login">
  |    </form>
  | </body>
  | </html>
  | 

hope this helps!

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018900#4018900

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4018900
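Added check, not part of the post above and not JBoss code: the names in the four files have to line up (the -ds.xml jndi-name, the dsJndiName and application-policy name in login-config.xml, the security-domain in jboss-web.xml, and the role names in web.xml), and that chain is where this setup usually breaks. The script parses the post's own snippets and reports anything that does not match; it also flags the FORM login combined with transport-guarantee NONE, since that posts j_username/j_password over plain HTTP. The snippets are copied from the post (the login-config.xml and web.xml fragments are wrapped in a root element so they parse); check_wiring and the finding texts are names chosen here.

```python
"""Cross-check the JAAS wiring from the post: -ds.xml -> login-config.xml -> jboss-web.xml -> web.xml."""
import xml.etree.ElementTree as ET

# Snippets copied from the post (login-config.xml and web.xml fragments wrapped in a root so they parse).
DATABASE_DS_XML = """<datasources>
  <local-tx-datasource>
    <jndi-name>exampleDS</jndi-name>
    <connection-url>jdbc:postgresql://127.0.0.1:5432/example</connection-url>
    <driver-class>org.postgresql.Driver</driver-class>
  </local-tx-datasource>
</datasources>"""

LOGIN_CONFIG_XML = """<policy>
<application-policy name = "exampleDomain">
  <authentication>
    <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "dsJndiName">java:/exampleDS</module-option>
      <module-option name = "principalsQuery">SELECT PASSWD FROM USERS WHERE USERID=?</module-option>
      <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM ROLES WHERE USERID=?</module-option>
    </login-module>
  </authentication>
</application-policy>
</policy>"""

JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/exampleDomain</security-domain>
  <context-root>/example</context-root>
</jboss-web>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>manager_pages</web-resource-name>
      <url-pattern>/manager/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin_pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>
</web-app>"""


def check_wiring(ds_xml, login_config_xml, jboss_web_xml, web_xml):
    """Return a list of findings; an empty list means the four files agree."""
    findings = []

    # 1. The -ds.xml declares bare <jndi-name>s; the login module refers to them as java:/<name>.
    jndi_names = {e.text.strip() for e in ET.fromstring(ds_xml).iter("jndi-name")}

    # 2. Every application-policy must point at a deployed datasource and bind the username with '?'.
    domains = {}
    for ap in ET.fromstring(login_config_xml).iter("application-policy"):
        name = ap.get("name")
        opts = {mo.get("name"): (mo.text or "").strip() for mo in ap.iter("module-option")}
        domains[name] = opts
        ds_ref = opts.get("dsJndiName", "")
        if not (ds_ref.startswith("java:/") and ds_ref[len("java:/"):] in jndi_names):
            findings.append(f"{name}: dsJndiName {ds_ref!r} matches no deployed jndi-name {sorted(jndi_names)}")
        for q in ("principalsQuery", "rolesQuery"):
            if "?" not in opts.get(q, ""):
                findings.append(f"{name}: {q} has no '?' placeholder, so the username is not bound as a parameter")

    # 3. jboss-web.xml's security-domain is java:/jaas/<application-policy name>.
    sd = ET.fromstring(jboss_web_xml).findtext("security-domain", "").strip()
    domain = sd[len("java:/jaas/"):] if sd.startswith("java:/jaas/") else sd
    if domain not in domains:
        findings.append(f"jboss-web.xml security-domain {sd!r} names no application-policy in {sorted(domains)}")

    # 4. Roles used in auth-constraints must be declared; FORM login over NONE sends credentials in clear.
    web = ET.fromstring(web_xml)
    declared = {sr.findtext("role-name", "").strip() for sr in web.iter("security-role")}
    form_login = web.findtext("login-config/auth-method", "").strip() == "FORM"
    for sc in web.iter("security-constraint"):
        res = sc.findtext("web-resource-collection/web-resource-name", "?")
        for rn in sc.iter("role-name"):
            if (rn.text or "").strip() not in declared:
                findings.append(f"{res}: role {rn.text!r} is not declared in a <security-role>")
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        if form_login and guarantee == "NONE":
            findings.append(f"{res}: FORM login with transport-guarantee NONE posts j_username/j_password over plain HTTP")
    return findings


if __name__ == "__main__":
    for finding in check_wiring(DATABASE_DS_XML, LOGIN_CONFIG_XML, JBOSS_WEB_XML, WEB_XML):
        print("-", finding)
```

Run against the post's snippets, the only findings are the two transport-guarantee NONE warnings; change dsJndiName or the security-domain to a name that is not declared and the corresponding mismatch is reported.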


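Added walk-through, not from the post and not JBoss's own code: what DatabaseServerLoginModule does with principalsQuery and rolesQuery, replayed in Python against an in-memory SQLite copy of the post's two tables. The flow it mirrors: a missing username maps to the unauthenticatedIdentity ("guest") with no roles; otherwise the principalsQuery fetches the stored password for the comparison, and the rolesQuery fetches (role, group) rows, where the second column ('Roles' in the post's query) names the role group the container consults for authorization. is_permitted applies the post's two web.xml constraints on top. build_db, login and is_permitted are names chosen here; the tables, the rows and the queries are the post's. Note that the post's setup stores PASSWD in clear, so the compared value is exactly what sits in the column.

```python
"""Replay DatabaseServerLoginModule's use of principalsQuery / rolesQuery on SQLite (constructed sample)."""
import hmac
import sqlite3

# Module options exactly as in the post's login-config.xml.
PRINCIPALS_QUERY = "SELECT PASSWD FROM USERS WHERE USERID=?"
ROLES_QUERY = "SELECT ROLEID, 'Roles' FROM ROLES WHERE USERID=?"
UNAUTHENTICATED_IDENTITY = "guest"

# The post's web.xml: URL prefix -> role required by its auth-constraint.
CONSTRAINTS = {"/manager/": "manager", "/admin/": "admin"}


def build_db():
    """Constructed sample data: the post's tables (user 'test', password 'secret', roles admin + manager)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE USERS (USERID TEXT PRIMARY KEY, PASSWD TEXT NOT NULL);
        CREATE TABLE ROLES (USERID TEXT NOT NULL, ROLEID TEXT NOT NULL);
        INSERT INTO USERS VALUES ('test', 'secret');
        INSERT INTO ROLES VALUES ('test', 'admin'), ('test', 'manager');
    """)
    return conn


def login(conn, username, password):
    """Return (principal, roles) on success, or None when the login is rejected."""
    if username is None:
        # No credentials at all: the module answers with unauthenticatedIdentity and no roles.
        return UNAUTHENTICATED_IDENTITY, frozenset()
    # The username is bound as the '?' parameter, never spliced into the SQL text.
    row = conn.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None:
        return None  # unknown user
    stored = row[0]
    # The post stores PASSWD in clear, so this is a direct compare; compare_digest keeps it constant-time.
    if not hmac.compare_digest(stored.encode(), (password or "").encode()):
        return None
    # rolesQuery rows are (role, group); only the 'Roles' group feeds container authorization.
    groups = {}
    for role, group in conn.execute(ROLES_QUERY, (username,)):
        groups.setdefault(group, set()).add(role)
    return username, frozenset(groups.get("Roles", set()))


def is_permitted(conn, username, password, url):
    """Authenticate, then apply the post's two security-constraints to the requested URL."""
    result = login(conn, username, password)
    if result is None:
        return False
    _, roles = result
    for prefix, role in CONSTRAINTS.items():
        if url.startswith(prefix):
            return role in roles
    return True  # no constraint covers this URL


if __name__ == "__main__":
    db = build_db()
    print(login(db, "test", "secret"))
    print(is_permitted(db, "test", "secret", "/admin/index.jsp"))
    print(is_permitted(db, None, None, "/admin/index.jsp"))
```

The guest identity is worth trying against /admin/ and /manager/: it authenticates (that is what unauthenticatedIdentity is for) but carries no roles, so both constraints still reject it.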

More information about the jboss-user mailing list