[jboss-user] [Security & JAAS/JBoss] - Why JAAS authenticate() fails?

benccit do-not-reply at jboss.com
Fri Nov 3 13:54:32 EST 2006


I am trying to restrict web access on certain web pages.  I checked the FAQ, but I couldn't find any clue. I am hoping you can point me in the right direction.

I am having difficulty configuring secured web pages, which require users to log in before they can view the content.

I am using the jbossweb-tomcat55.sar/ROOT.war of version JBoss-4.0.3SP1 to host a forum and some static web pages. Without the requirement of secured access, the website runs fine. I was then asked to add a login prompt the first time any user wants to access anything on the application. The login prompt should include user name and password.

I thought that requirement was a piece of cake. So I performed the following steps:

A.  I created a security domain, transportation-security, in login-config.xml as follows:

    <application-policy name="transportation-security">
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                     flag="required">
          <module-option name="usersProperties">props/transportation-security-users.properties</module-option>
          <module-option name="rolesProperties">props/transportation-security-roles.properties</module-option>
       </login-module>
    </application-policy>


B.  I then created a testing file, transportation-security-users.properties, in conf/props as follows:

joe1=pass1

and a testing file, transportation-security-roles.properties, in conf/props as follows:

joe1=administrator

C. For the web.xml in ROOT.war/WEB-INF, I added the following security-related section to web.xml:

  <security-role>
    <role-name>administrator</role-name>
  </security-role>
  <security-role>
    <role-name>moderator</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>

  <security-constraint>
      <web-resource-collection>
         <web-resource-name>Restricted Area</web-resource-name>
         <url-pattern>/About_us/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
      </web-resource-collection>

      <auth-constraint>
         <role-name>administrator</role-name>
         <role-name>moderator</role-name>
         <role-name>user</role-name>
      </auth-constraint>
   </security-constraint>

   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>transportation-security</realm-name>
   </login-config>


D. I also created jboss-web.xml in the jbossweb-tomcat55.sar/ROOT.war/WEB-INF as follows:

<jboss-web>
   <security-domain>java:/jaas/transportation-security</security-domain>
</jboss-web>

I then restarted JBoss and used a web browser to test the URL /About_us. A window popped up with the title "transportation-security" and two entry fields: user name and password.  I entered joe1 and pass1 respectively.  But the same window was redisplayed with empty entry fields.

I shut down JBoss, set log4j to DEBUG level and re-tested. I noticed that the error message in the log indicated that authenticate() failed.

Does anyone know what went wrong? Why weren't the files in props used?

By the way, do you know how to customize the login prompt and error page if login fails?

Thanks,

Bensen

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3983065#3983065

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3983065
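The four pieces in steps A to D have to agree with each other before the BASIC prompt will accept a user, and several mismatches (wrong security-domain, a user without a roles entry, roles that never satisfy the auth-constraint) show up as a re-prompt or a 403 rather than a clear message. The checker below is an added example, not code from the thread or from JBoss; it parses constructed copies of the post's files and assumes the plain user=password and user=role1,role2 formats of UsersRolesLoginModule.

```python
"""Consistency check for the JBoss 4 setup in the post: UsersRolesLoginModule properties
files, web.xml constraints and jboss-web.xml. Added example; inputs are constructed copies."""
import xml.etree.ElementTree as ET

POLICY_NAME = "transportation-security"  # <application-policy name="..."> in login-config.xml
USERS_PROPS = "joe1=pass1\n"             # transportation-security-users.properties
ROLES_PROPS = "joe1=administrator\n"     # transportation-security-roles.properties (user=role1,role2)
WEB_XML = """<web-app>
  <security-role><role-name>administrator</role-name></security-role>
  <security-role><role-name>moderator</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
  <security-constraint>
    <web-resource-collection><url-pattern>/About_us/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>administrator</role-name><role-name>moderator</role-name><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>transportation-security</realm-name></login-config>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/transportation-security</security-domain></jboss-web>"

def parse_props(text):
    """Read key=value lines the way java.util.Properties does for simple files (no escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_setup(policy, users_txt, roles_txt, web_xml, jboss_web_xml):
    """Return a list of findings; an empty list means the four pieces agree."""
    findings = []
    users = parse_props(users_txt)
    roles = {u: {r.strip() for r in v.split(",") if r.strip()} for u, v in parse_props(roles_txt).items()}
    web = ET.fromstring(web_xml)
    declared = {(e.text or "").strip() for e in web.findall("security-role/role-name")}
    required = {(e.text or "").strip() for e in web.findall("security-constraint/auth-constraint/role-name")}
    # It is <security-domain> in jboss-web.xml, not <realm-name>, that binds the war to the policy.
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain", "").strip()
    if domain != "java:/jaas/" + policy:
        findings.append("security-domain %r does not select policy %r" % (domain, policy))
    for role in sorted(required - declared):
        findings.append("auth-constraint role %r is not declared as a <security-role>" % role)
    for user in sorted(users):
        if user not in roles:
            findings.append("user %r has no roles entry: login succeeds but access is denied (403)" % user)
        elif not roles[user] & required:
            findings.append("user %r roles %s never satisfy the auth-constraint" % (user, sorted(roles[user])))
    return findings
```

If the checker reports nothing for the four files and the prompt still loops, the remaining suspects are outside these files: the properties files not being on the classpath the server actually loads, or the login module rejecting the credentials for a reason visible only in the DEBUG log.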

More information about the jboss-user mailing list