[jboss-dev-forums] [JBoss Web Development] - Authorization issue while implementing login module with DatabaseServerLoginModule

sidd deo do-not-reply at jboss.com
Thu Feb 10 04:37:17 EST 2011


sidd deo [http://community.jboss.org/people/c-ddhesh] created the discussion

"Authorization issue while implementing login module with DatabaseServerLoginModule"

To view the discussion, visit: http://community.jboss.org/message/586633#586633

--------------------------------------------------------------
Hi all,
 I am new to JBoss. I am trying to implement form-based authentication using DatabaseServerLoginModule using JBoss (http://www.coderanch.com/forums/f-63/JBoss) 6.0.
 By referring to guides and several tutorials, I implemented and configured it. My application works up to the authentication phase.
 Authorization fails, giving the following errors in the logs. Here are my logs:

11:18:53,240 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Obtained user password
11:18:53,240 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction
11:18:53,240 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User'sidd' authenticated, loginOk=true
11:18:53,240 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
11:18:53,240 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] getRoleSets using rolesQuery: SELECT Role, RoleGroup FROM Roles WHERE PrincipalID=?,username: sidd
11:18:53,256 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction
11:18:53,256 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT Role, RoleGroup FROM Roles WHERE PrincipalID=?, with username: sidd
11:18:53,256 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role WebAppUser
11:18:53,256 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction
11:18:53,256 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.my-web] defaultLogin, lc=javax.security.auth.login.LoginContext@1b7a59c, subject=Subject(21185284).principals=org.jboss.security.SimplePrincipal@15004845(sidd)org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser))
11:18:53,256 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.my-web] updateCache, inputSubject=Subject(21185284).principals=org.jboss.security.SimplePrincipal@15004845(sidd)org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser)), cacheSubject=Subject(16292112).principals=org.jboss.security.SimplePrincipal@15004845(sidd)org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser))
11:18:53,256 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.my-web] Inserted cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@10908b5[Subject(16292112).principals=org.jboss.security.SimplePrincipal@15004845(sidd)org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser)),credential.class=java.lang.String@13809944,expirationTime=1297318685741]
11:18:53,256 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.my-web] End isValid, true
11:18:53,256 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.my-web] getPrincipal, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@10908b5[Subject(16292112).principals=org.jboss.security.SimplePrincipal@15004845(sidd)org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser)),credential.class=java.lang.String@13809944,expirationTime=1297318685741]
11:18:53,272 TRACE [org.jboss.security.SecurityRolesAssociation] Setting threadlocal:null
11:18:53,272 TRACE [org.jboss.security.SecurityRolesAssociation] Setting threadlocal:{}
11:18:53,272 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
11:18:53,287 TRACE [org.jboss.security.SecurityRolesAssociation] Setting threadlocal:null


Here is my database, called book, which has the following structure:

  CREATE TABLE IF NOT EXISTS Principals (
    PrincipalID varchar(30) NOT NULL PRIMARY KEY,
    Password varchar(50) NOT NULL
  ) ENGINE=INNODB;


  CREATE TABLE IF NOT EXISTS Roles (
    PrincipalID varchar(30) NOT NULL,
    INDEX (PrincipalID),
    Role varchar(50) NOT NULL,
    RoleGroup varchar(50) NULL,
    PRIMARY KEY(PrincipalID, Role),
    CONSTRAINT Roles_Principal_FK FOREIGN KEY (PrincipalID)
      REFERENCES Principals (PrincipalID) ON DELETE CASCADE
  ) ENGINE=INNODB;

The values of "PrincipalID" and "Password" are "sidd" and "pass".
 The values of "PrincipalID", "Role" and "RoleGroup" are "sidd", "WebAppUser" and "WebAppUser".
 
 My web.xml is as follows

<?xml version="1.0"?>
<web-app>
    <description>A test app for security</description>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All resources</web-resource-name>
            <description>Protects all resources</description>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>WebAppUser</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>WebAppUser</role-name>
    </security-role>

    <login-config>
        <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/login.html</form-login-page>
                <form-error-page>/errors.html</form-error-page>
            </form-login-config>
    </login-config>
</web-app>


 login-config.xml has the following entry

    <application-policy name="my-web">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                          flag="required">
                <module-option name="dsJndiName">java:/MySqlDS</module-option>
                <module-option name="principalsQuery">SELECT Password FROM Principals WHERE PrincipalID=?</module-option> 
                <module-option name="rolesQuery">SELECT Role, RoleGroup FROM Roles WHERE PrincipalID=?</module-option> 
            </login-module>
        </authentication>
      <authorization>
         <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
      </authorization>
   </application-policy>


jboss-web.xml has the following text

<?xml version='1.0' encoding='UTF-8' ?>
<jboss-web>
  <security-domain>java:/jaas/my-web</security-domain>
</jboss-web>

Even if I remove 
       <authorization>
          <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
       </authorization>
 from login-config.xml, I get the same error.
 
 As per the logs, user "sidd" is getting authenticated successfully. But in the GUI I see
 
 HTTP Status 403 - Access to the requested resource has been denied
 type Status report
 message Access to the requested resource has been denied
 description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
 
 Am I missing any flag or any configuration?
--------------------------------------------------------------
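
An added check, not part of the original post or of JBoss itself: it parses the principals portion of a JaasSecurityManagerBase TRACE line like the ones in the message above and reports whether the Subject carries a group named "Roles", the group from which the JBoss login modules take the roles matched against <role-name>. The sample lines are constructed from the post's log, and the function names are hypothetical.

```python
import re

# One SimpleGroup entry in a Subject dump looks like
#   org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser))
# Mailing-list archives rewrite "@" as " at ", so both forms are accepted.
GROUP_RE = re.compile(
    r"org\.jboss\.security\.SimpleGroup(?:@| at )\w+"
    r"\((?P<name>[^()]+)\(members:(?P<members>[^()]*)\)\)"
)
PRINCIPAL_RE = re.compile(
    r"org\.jboss\.security\.SimplePrincipal(?:@| at )\w+\((?P<user>[^()]*)\)"
)

ROLES_GROUP = "Roles"  # group name JBoss reads role memberships from


def parse_subject(line):
    """Return (user, {group_name: [members]}) from a Subject trace line."""
    user_match = PRINCIPAL_RE.search(line)
    user = user_match.group("user") if user_match else None
    groups = {}
    for m in GROUP_RE.finditer(line):
        members = [x.strip() for x in m.group("members").split(",") if x.strip()]
        groups.setdefault(m.group("name"), []).extend(members)
    return user, groups


def check_role(line, required_role):
    """Explain whether the Subject would satisfy an <auth-constraint> role."""
    user, groups = parse_subject(line)
    if user is None:
        return "no principal found in line"
    if ROLES_GROUP not in groups:
        return (f"{user}: no '{ROLES_GROUP}' group (found {sorted(groups)}); "
                "rolesQuery second column must return 'Roles'")
    if required_role not in groups[ROLES_GROUP]:
        return f"{user}: '{required_role}' not in {groups[ROLES_GROUP]}"
    return f"{user}: has role '{required_role}'"


# Constructed sample: the Subject as logged in the post, and a corrected variant.
AS_POSTED = ("defaultLogin, subject=Subject(21185284).principals="
             "org.jboss.security.SimplePrincipal@15004845(sidd)"
             "org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser))")
CORRECTED = AS_POSTED.replace("(WebAppUser(members:", "(Roles(members:")

if __name__ == "__main__":
    print(check_role(AS_POSTED, "WebAppUser"))
    print(check_role(CORRECTED, "WebAppUser"))
```

With the Roles table row as posted (RoleGroup = "WebAppUser"), the check reports that no "Roles" group is present, which is consistent with a successful login followed by HTTP 403.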
