[jboss-user] [Security & JAAS/JBoss] - Re: Is there a tutorial on form-based login using JAAS on JB

smeaggie do-not-reply at jboss.com
Tue Feb 20 03:22:32 EST 2007


Yes there is. I just posted this one somewhere else around here too; it uses a database as username/password storage:

1) Set up the connection to the database. Put a "database-ds.xml" file in the deploy directory which contains something like:

  | <datasources>
  | 	<local-tx-datasource>
  | 		<jndi-name>exampleDS</jndi-name>
  | 		<connection-url>jdbc:postgresql://127.0.0.1:5432/example</connection-url>
  | 		<driver-class>org.postgresql.Driver</driver-class>
  | 		<user-name>ex</user-name>
  | 		<password>_______</password>    
  | 		<min-pool-size>5</min-pool-size>
  | 		<max-pool-size>20</max-pool-size>    
  | 		<metadata>
  | 			<type-mapping>PostgreSQL 7.2</type-mapping>
  | 		</metadata>  
  | 	</local-tx-datasource>
  | </datasources>
  | 
Make sure you enter the correct driver, connection string etc. Now open login-config.xml in the server's conf/ directory. You need to define a security domain here. Add this to the file:

  | <application-policy name = "exampleDomain">
  | 	<authentication>
  | 		<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
  | 			<module-option name = "unauthenticatedIdentity">guest</module-option>
  | 			<module-option name = "dsJndiName">java:/exampleDS</module-option>
  | 			<module-option name = "principalsQuery">SELECT PASSWD FROM USERS WHERE USERID=?</module-option>
  | 			<module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM ROLES WHERE USERID=?</module-option>
  | 		</login-module>
  | 	</authentication>
  | </application-policy>
  | 
Note the definition "exampleDomain" and how the dsJndiName is set to java:/exampleDS. exampleDS comes from the database connection definition above! The two queries in this file mean the following: the principalsQuery should return the password of the user where userid is the name the user entered in the login form. The rolesQuery must return all roles associated with the username. So it's time to create two tables in your database, with at least this info:

  | table USERS
  | +--------+--------+
  | | userid | passwd |
  | +--------+--------+
  | | test   | secret |
  | +--------+--------+
  | 
  | table ROLES
  | +--------+---------+
  | | userid | roleid  |
  | +--------+---------+
  | | test   | admin   |
  | | test   | manager |
  | +--------+---------+
  | 
(don't mind the ASCII art)

We've created a user "test" with the password "secret" and the roles "admin" and "manager".

Time to secure the web application: open up jboss-web.xml (from the WEB-INF directory) and put this in it:

  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss-web>
  |   <security-domain>java:/jaas/exampleDomain</security-domain>
  |   <context-root>/example</context-root>
  | </jboss-web>
  | 
This sets the security domain for the web application to "exampleDomain", which is declared in the login-config.xml above! JBoss now knows which login module configuration applies to this application.
Now edit web.xml (also in the WEB-INF directory) and add this:

  | 	<security-constraint>
  | 		<display-name>manager</display-name>
  | 		<web-resource-collection>
  | 			<web-resource-name>manager_pages</web-resource-name>
  | 			<description/>
  | 			<url-pattern>/manager/*</url-pattern>
  | 			<http-method>GET</http-method>
  | 			<http-method>POST</http-method>
  | 			<http-method>HEAD</http-method>
  | 			<http-method>PUT</http-method>
  | 			<http-method>OPTIONS</http-method>
  | 			<http-method>TRACE</http-method>
  | 			<http-method>DELETE</http-method>
  | 		</web-resource-collection>
  | 		<auth-constraint>
  | 			<description/>
  | 			<role-name>manager</role-name>
  | 		</auth-constraint>
  | 		<user-data-constraint>
  | 			<description/>
  | 			<transport-guarantee>NONE</transport-guarantee>
  | 		</user-data-constraint>
  | 	</security-constraint>
  | 
  | 	<security-constraint>
  | 		<display-name>admin</display-name>
  | 		<web-resource-collection>
  | 			<web-resource-name>admin_pages</web-resource-name>
  | 			<description/>
  | 			<url-pattern>/admin/*</url-pattern>
  | 			<http-method>GET</http-method>
  | 			<http-method>POST</http-method>
  | 			<http-method>HEAD</http-method>
  | 			<http-method>PUT</http-method>
  | 			<http-method>OPTIONS</http-method>
  | 			<http-method>TRACE</http-method>
  | 			<http-method>DELETE</http-method>
  | 		</web-resource-collection>
  | 		<auth-constraint>
  | 			<description/>
  | 			<role-name>admin</role-name>
  | 		</auth-constraint>
  | 		<user-data-constraint>
  | 			<description/>
  | 			<transport-guarantee>NONE</transport-guarantee>
  | 		</user-data-constraint>
  | 	</security-constraint>
  | 
  | 	<login-config>
  | 		<auth-method>FORM</auth-method>
  | 		<realm-name>example</realm-name>
  | 		<form-login-config>
  | 			<form-login-page>/login.html</form-login-page>
  | 			<form-error-page>/login_error.html</form-error-page>
  | 		</form-login-config>
  | 	</login-config>
  | 
  | 	<security-role>
  | 		<description/>
  | 		<role-name>admin</role-name>
  | 	</security-role>
  | 	<security-role>
  | 		<description/>
  | 		<role-name>manager</role-name>
  | 	</security-role>
  | 
This defines two security constraints: one for everything behind /manager (where only users with the "manager" role are allowed) and one for admins, everything behind /admin.

The login pages (login.html and login_error.html) should look like this:

  | <html>
  | <body>
  |    <form action="j_security_check" method="post">
  |       <input type="text" name="j_username"><br>
  |       <input type="password" name="j_password"><br>
  |       <input type="submit" value="login">
  |    </form>
  | </body>
  | </html>
  | 

Hope this helps!
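To show what the configuration in the post does at login time, here is an added example (not code from the post or from JBoss): a Python model that runs the two configured queries against an in-memory SQLite copy of the USERS/ROLES tables and then applies the two web.xml constraints. The sample rows, the function names and the `CONSTRAINTS` mapping are constructed for illustration.

```python
import hmac
import sqlite3

# The two queries exactly as configured in login-config.xml above
PRINCIPALS_QUERY = "SELECT PASSWD FROM USERS WHERE USERID=?"
ROLES_QUERY = "SELECT ROLEID, 'Roles' FROM ROLES WHERE USERID=?"
UNAUTHENTICATED_IDENTITY = "guest"  # module-option from login-config.xml
# url-pattern prefix -> required role, as in the two <security-constraint> blocks
CONSTRAINTS = {"/manager/": "manager", "/admin/": "admin"}


def build_db():
    """Constructed in-memory copy of the post's USERS and ROLES tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE USERS (USERID TEXT PRIMARY KEY, PASSWD TEXT NOT NULL);
        CREATE TABLE ROLES (USERID TEXT NOT NULL, ROLEID TEXT NOT NULL);
        INSERT INTO USERS VALUES ('test', 'secret');
        INSERT INTO ROLES VALUES ('test', 'admin'), ('test', 'manager');
    """)
    return db


def login(db, username, password):
    """Return (principal, roles) as the login module would, or None on rejection.

    No credentials at all -> unauthenticatedIdentity with no roles;
    unknown user or wrong password -> None (the form-error-page is shown).
    """
    if username is None:
        return UNAUTHENTICATED_IDENTITY, set()
    row = db.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None
    # The second column of rolesQuery names the role group; only the
    # 'Roles' group is used for web authorization.
    roles = {role for role, group in db.execute(ROLES_QUERY, (username,))
             if group == "Roles"}
    return username, roles


def authorized(roles, path):
    """Apply the url-pattern/role-name pairs; paths outside them are open."""
    for prefix, role in CONSTRAINTS.items():
        if path.startswith(prefix):
            return role in roles
    return True
```

The post's USERS table holds the password in clear text; the module's hashAlgorithm and hashEncoding module-options let the stored value be a digest instead. With transport-guarantee NONE the j_username/j_password form fields travel unencrypted, so CONFIDENTIAL (HTTPS) is the setting to use outside a test setup.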

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4019228#4019228
