[jboss-user] [Security & JAAS/JBoss] - JAAS newbie - missing something that should be obvious

grego@spiekerpoint.com do-not-reply at jboss.com
Fri Dec 1 14:42:12 EST 2006


I'm using jboss-4.0.5.GA installed with the ejb3 "flavor". I'm using the default install.

Playing around with securing some web content. I created a login.html page for now that has the proper fields: j_username & j_password. Its post action references j_security_check.

jboss-web.xml:

  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss-web>
  | 	<security-domain>java:/jaas/SPDB</security-domain>
  | </jboss-web>
  | 

web.xml:

  | <web-app>
  | 	<security-constraint>
  | 		<web-resource-collection>
  | 			<web-resource-name>All resources</web-resource-name>
  | 			<description>Protects all resources</description>
  | 			<url-pattern>/*</url-pattern>
  | 
  | 
  | 		</web-resource-collection>
  | 		<auth-constraint>
  | 			<role-name>MyUser</role-name>
  | 		</auth-constraint>
  | 	</security-constraint>
  |    
  | 	<security-role>
  | 		<description>My User Role</description>
  | 		<role-name>MyUser</role-name>
  | 	</security-role>
  | 	
  | 	<login-config>
  | 		<auth-method>FORM</auth-method>
  | 		<realm-name>SPDB</realm-name>
  | 		<form-login-config>
  | 			<form-login-page>/login.html</form-login-page>
  | 			<form-error-page>/error.html</form-error-page>
  | 		</form-login-config>
  | 	</login-config>
  | </web-app>
  | 

I've copied one of the other application-policy sections from login-config.xml trying to get some sort of response out of JBoss in the log files. This is what I've added in to login-config.xml right now (in $JBOSS_HOME/server/default/conf):

  |     <application-policy name = "SPDB">
  |        <authentication>
  |           <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
  |              flag = "required">
  |              <module-option name = "unauthenticatedIdentity">guest</module-option>
  |              <module-option name = "dsJndiName">java:/polarDS</module-option>
  |              <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
  |              <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 

Here is what happens: when I hit the URL of a secured jsp page, the login page comes up as it should. When I type in the user name, pw and hit "login", I immediately get the error page.

The JBoss console and log files don't even show a single message when I press "login" - let alone showing an entry that anything went wrong.

In fact, the startup logs don't even mention the new application-policy (called "SPDB"); they should - shouldn't they?

I'm left thinking that perhaps JAAS isn't even turned on. Being a newbie, I've pored through the documentation and can't find anything on "turning on" JAAS security - it appears to be turned on by default (am I wrong there?).

I expect I'm missing something simple, and I would appreciate any pointers that you can provide...

Thanks

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3990542#3990542
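
One way to cross-check the three files quoted in the post, as an added example that is not part of the original message or of JBoss: the `check` function is hypothetical, and the sample inputs are constructed, trimmed from the poster's configuration and assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, trimmed from the configuration quoted in the post.
JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/SPDB</security-domain></jboss-web>"
WEB = """<web-app>
  <security-constraint><auth-constraint><role-name>MyUser</role-name></auth-constraint></security-constraint>
  <security-role><role-name>MyUser</role-name></security-role>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""
LOGIN_CONFIG = """<policy><application-policy name="SPDB"><authentication>
  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
    <module-option name="unauthenticatedIdentity">guest</module-option>
    <module-option name="principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
    <module-option name="rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
  </login-module></authentication></application-policy></policy>"""

JAAS_PREFIX = "java:/jaas/"  # JNDI prefix in front of the application-policy name

def check(jboss_web, web, login_config):
    """Hypothetical helper: return a list of findings, empty if nothing to report."""
    findings = []
    domain = (ET.fromstring(jboss_web).findtext("security-domain") or "").strip()
    if not domain.startswith(JAAS_PREFIX):
        return [f"security-domain {domain!r} does not start with {JAAS_PREFIX}"]
    name = domain[len(JAAS_PREFIX):]
    policies = {p.get("name"): p for p in ET.fromstring(login_config).iter("application-policy")}
    if name not in policies:
        findings.append(f"no application-policy named {name!r} in login-config.xml")
    else:
        for mod in policies[name].iter("login-module"):
            opts = {o.get("name"): (o.text or "") for o in mod.iter("module-option")}
            # The module binds the user name as the single query parameter.
            for q in ("principalsQuery", "rolesQuery"):
                if q in opts and opts[q].count("?") != 1:
                    findings.append(f"{q} must take exactly one '?' (the user name)")
            if "unauthenticatedIdentity" in opts:
                findings.append(f"unauthenticatedIdentity={opts['unauthenticatedIdentity']!r}: "
                                "requests without credentials get this identity")
    root = ET.fromstring(web)
    declared = {r.findtext("role-name") for r in root.iter("security-role")}
    for role in root.iterfind("security-constraint/auth-constraint/role-name"):
        if role.text not in declared:
            findings.append(f"role {role.text!r} is used but not declared in <security-role>")
    return findings

if __name__ == "__main__":
    for line in check(JBOSS_WEB, WEB, LOGIN_CONFIG) or ["nothing to report"]:
        print(line)
```

On the poster's configuration the names and roles line up, so the only finding is the `unauthenticatedIdentity` option copied from the other policy.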
