[JBoss-dev] Problem with JAAS and Declarative Security on JBOSS 4.2.1 GA
fakhreldeen
sameh.hammamy at yahoo.com
Sun May 4 10:57:17 EDT 2008
Hello,
I am trying to implement an integration between Declarative Security and
JAAS. I have specified in my web.xml file that all jsp files under the
directory called "security" are protected and only accessible by the role
"Admin". I also specified in the web.xml file that Authentication is done
by Login FORM. I then created a configuration for the
DatabaseServerLoginModule in login-config.xml, and created a servlet that
uses the LoginContext to authorize the user. The Login page's form's action
points to this servlet rather than j_security_check. However, it doesn't
seem to work, because I can't access the secure pages, even though I enter
the correct username and password. Here are my files:
*****web.xml*****
loginservlet
loginservlet
loginservlet
/loginservlet
30
index.jsp
Constraint1
Secure Pages
Secure Pages
/security/*
GET
POST
HEAD
PUT
OPTIONS
TRACE
DELETE
Admin
Admin
FORM
Test Realm
/Login.jsp
/Error.jsp
Admin User
Admin
*****login-config.xml*****
guest
java:/testDB
SELECT password from Principals where PrincipalID =?
SELECT Role, Rolegroup FROM roles WHERE principalid=?
****jboss-web.xml****
java:/jaas/testDB
/testJBOSSsecurity
****Login.jsp*****
****loginservlet.java*****
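try {
    // Pass the submitted credentials to JAAS through the JBoss callback handler
    SecurityAssociationHandler handler = new SecurityAssociationHandler();
    Principal user = new SimplePrincipal(request.getParameter("j_username"));
    handler.setSecurityInfo(user, request.getParameter("j_password"));
    // Authenticate against the "testDB" login configuration
    LoginContext loginContext = new LoginContext("testDB", (CallbackHandler) handler);
    loginContext.login();
    Subject subject = loginContext.getSubject();
    Set principals = subject.getPrincipals();
    principals.add(user);
    out.println(subject.toString());
    //response.sendRedirect("securepage.java");
} catch (LoginException e) {
    // login() throws LoginException when authentication fails
    throw new ServletException(e);
}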
So, those are my files. What I am trying to do is integrate JAAS and
Declarative Security, so that I don't have to programmatically declare which
pages are accessed by which type of user. However, when I reach the Login
Form and enter the correct username and password, nothing happens. I can
verify that the servlet code is correct, because I can directly visit the
login page without trying to access it by requesting a secure page, and I
enter the correct username and password, and I get a print line of the
subject's principals as they are in the database from the line
out.println(subject.toString());
Your help is much appreciated
Thank You
Sam
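
Added example, not part of the original post: a small Python check for the setup described above. Under FORM authentication the container only establishes the caller's identity when the login form posts to j_security_check, and a security constraint that enumerates HTTP methods covers only the methods it lists. The web.xml and login page below are constructed from the values in the post; their element names and the finding labels are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: values are from the post, element names are assumed from
# the standard web.xml layout because the archive stripped the original tags.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Pages</web-resource-name>
      <url-pattern>/security/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
      <http-method>HEAD</http-method><http-method>PUT</http-method>
      <http-method>OPTIONS</http-method><http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Login.jsp</form-login-page>
      <form-error-page>/Error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>"""
# Constructed login page matching the post: the form posts to the custom servlet.
LOGIN_JSP = ('<form method="post" action="loginservlet">'
             '<input name="j_username"/><input type="password" name="j_password"/></form>')

def audit(web_xml, login_page):
    findings = []
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop XML namespaces so plain paths match
        el.tag = el.tag.split("}")[-1]
    if (root.findtext("login-config/auth-method") or "").strip() == "FORM":
        actions = re.findall(r'<form[^>]*\baction\s*=\s*["\']([^"\']*)', login_page, re.I)
        # The container authenticates only requests sent to j_security_check.
        if not any(a.split("?")[0].endswith("j_security_check") for a in actions):
            findings.append("login-form-bypasses-container")
    declared = {r.text for r in root.findall("security-role/role-name")}
    for sc in root.findall("security-constraint"):
        for role in sc.findall("auth-constraint/role-name"):
            if role.text != "*" and role.text not in declared:
                findings.append("undeclared-role:" + role.text)
        methods = [m.text for m in sc.findall("web-resource-collection/http-method")]
        if methods:  # methods not listed here are outside this constraint
            findings.append("methods-enumerated:" + ",".join(methods))
    return findings
```

An empty result means the login form goes through the container and the constraint applies to every HTTP method.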