[jboss-user] [Security & JAAS/JBoss] - Re: JBoss4.0 and JAAS/Login-config.xml

eschulma do-not-reply at jboss.com
Tue Jan 23 14:09:09 EST 2007


I have the identical problem with JBoss 4.0.4, and I do have the correct DTD.  The only way I can get JBoss to see my application policy is if I call it jboss.web in login-config.xml -- I noticed that I get a message

[JAASRealm] Set JAAS app name jboss.web

every time I start my app.  

Trying to do things the "right" way, I have for my login-config.xml:


  | <?xml version='1.0'?>
  | <!DOCTYPE policy PUBLIC
  |       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
  |       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
  | 
  | <!-- The XML based JAAS login configuration read by the
  | org.jboss.security.auth.login.XMLLoginConfig mbean. Add
  | an application-policy element for each security domain.
  | 
  | The outline of the application-policy is:
  | <application-policy name="security-domain-name">
  |   <authentication>
  |     <login-module code="login.module1.class.name" flag="control_flag">
  |       <module-option name = "option1-name">option1-value</module-option>
  |       <module-option name = "option2-name">option2-value</module-option>
  |       ...
  |     </login-module>
  | 
  |     <login-module code="login.module2.class.name" flag="control_flag">
  |       ...
  |     </login-module>
  |     ...
  |   </authentication>
  | </application-policy>
  | 
  | -->
  | 
  | <policy>
  |     <!-- Used by clients within the application server VM such as
  |     mbeans and servlets that access EJBs.
  |     -->
  |     <application-policy name = "client-login">
  |        <authentication>
  |           <login-module code = "org.jboss.security.ClientLoginModule"
  |              flag = "required">
  |              <!-- Any existing security context will be restored on logout -->
  |              <module-option name="restore-login-identity">true</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- Security domain for JBossMQ -->
  |     <application-policy name = "jbossmq">
  |        <authentication>
  |           <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
  |              flag = "required">
  |              <module-option name = "unauthenticatedIdentity">guest</module-option>
  |              <module-option name = "dsJndiName">java:/DefaultDS</module-option>
  |              <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
  |              <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>         
  | 
  |     <!-- Security domain for JBossMQ when using file-state-service.xml
  |     <application-policy name = "jbossmq">
  |        <authentication>
  |           <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
  |              flag = "required">
  |              <module-option name = "unauthenticatedIdentity">guest</module-option>
  |              <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  |     -->
  | 
  |     <!-- Security domains for testing new jca framework -->
  |     <application-policy name = "HsqlDbRealm">
  |        <authentication>
  |           <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
  |              flag = "required">
  |              <module-option name = "principal">sa</module-option>
  |              <module-option name = "userName">sa</module-option>
  |              <module-option name = "password"></module-option>
  |              <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <application-policy name = "JmsXARealm">
  |        <authentication>
  |           <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
  |              flag = "required">
  |              <module-option name = "principal">guest</module-option>
  |              <module-option name = "userName">guest</module-option>
  |              <module-option name = "password">guest</module-option>
  |              <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- A template configuration for the jmx-console web application. This
  |       defaults to the UsersRolesLoginModule the same as other and should be
  |       changed to a stronger authentication mechanism as required.
  |     -->
  |     <application-policy name = "jmx-console">
  |        <authentication>
  |           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required">
  |            <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
  |            <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- A template configuration for the web-console web application. This
  |       defaults to the UsersRolesLoginModule the same as other and should be
  |       changed to a stronger authentication mechanism as required.
  |     -->
  |     <application-policy name = "$webConsoleDomain">
  |        <authentication>
  |           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required">
  |              <module-option name="usersProperties">web-console-users.properties</module-option>
  |              <module-option name="rolesProperties">web-console-roles.properties</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- A template configuration for the JBossWS web application (and transport layer!).
  |       This defaults to the UsersRolesLoginModule the same as other and should be
  |       changed to a stronger authentication mechanism as required.
  |     -->
  |     <application-policy name="JBossWS">
  |       <authentication>
  |         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |           flag="required">
  |           <module-option name="usersProperties">props/jbossws-users.properties</module-option>
  |           <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
  |           <module-option name="unauthenticatedIdentity">anonymous</module-option>
  |         </login-module>
  |       </authentication>
  |     </application-policy>
  | 
  |     <!-- The default login configuration used by any security domain that
  |     does not have an application-policy entry with a matching name
  |     -->
  |     <application-policy name = "other">
  |        <!-- A simple server login module, which can be used when the number 
  |        of users is relatively small. It uses two properties files:
  |        users.properties, which holds users (key) and their password (value).
  |        roles.properties, which holds users (key) and a comma-separated list of
  |        their roles (value).
  |        The unauthenticatedIdentity property defines the name of the principal
  |        that will be used when a null username and password are presented as is
  |        the case for an unauthenticated web client or MDB. If you want to
  |        allow such users to be authenticated add the property, e.g.,
  |        unauthenticatedIdentity="nobody"
  |        -->
  |        <authentication>
  |           <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required" />
  |        </authentication>
  |     </application-policy>
  |     
  |     <!-- Security domain for WebApp.  It must be called jboss.web until I figure this out... -->
  |     <application-policy name = "webappDomain">
  |        <authentication>
  |           <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
  |              flag = "required">
  |              <module-option name = "dsJndiName">java:jdbc/web</module-option>
  |              <module-option name = "principalsQuery">select password from Users where username=?</module-option>
  |              <module-option name = "rolesQuery">select Role, 'Roles' from Roles where username=?</module-option>
  |              <module-option name = "unauthenticatedIdentity">guest</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | </policy>
  | 

where webappDomain is the one I'm interested in.  

I notice that most of the application policies here are not bound into JNDI java:jaas (as shown by JNDIView) the way I would expect.  In fact, the only ones I see are HsqlDbRealm, jbossmq, JmsXARealm, and (strangely) a java:jaas *under* the jaas branch.

For completeness, here is jboss-web.xml as well:


  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss-web>
  |   <security-domain>java:jaas/webappDomain</security-domain> 
  |   <context-root>/web</context-root>
  |   <!-- Setup by JBoss container instead.
  |    <resource-ref>
  |     <res-ref-name>jdbc/web</res-ref-name>
  |     <res-type>javax.sql.DataSource</res-type>
  |     <jndi-name>java:jdbc/web</jndi-name>
  |   </resource-ref>
  |    -->   
  | </jboss-web>
  | 

I have also tried editing jboss.xml, though I am not actually using this for EJBs yet.  I package everything in an EAR.


  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss>            
  |     <security-domain>java:jaas/webappDomain</security-domain> 
  |     
  |     <!-- Sets default container configuration for all entity beans -->
  |     <container-configurations>
  |         <container-configuration>
  |             <!--
  |             <container-name>Standard CMP 2.x EntityBean</container-name>
  |             -->
  |             <container-name>Standard CMP 2.x EntityBean with cache invalidation</container-name>
  |             <!-- Commit option A is already present for certain container configs -->
  |             <commit-option>A</commit-option>           
  |             <!-- There are issues with cache invalidation and custom primary key classes. -->
  |             <cache-invalidation>true</cache-invalidation>
  |             <cache-invalidation-config>
  |                 <invalidation-group-name>webGroup</invalidation-group-name>
  |             </cache-invalidation-config> 
  |         </container-configuration>
  |     </container-configurations>
  |     
  |     <enterprise-beans>
  |         <entity>
  |             <ejb-name>AccountCategoryPricing</ejb-name>
  |             <read-only>True</read-only>
  |         </entity>
  |         <entity>
  |             <ejb-name>ProductData</ejb-name>
  |             <read-only>True</read-only>
  |         </entity>
  |     </enterprise-beans>
  | </jboss>
  | 

Any help would be appreciated.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4005441#4005441

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4005441
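Added example (editor's code, not from the post above and not part of JBoss): a small offline audit of the two files the poster quotes. It parses a login-config.xml, maps the `<security-domain>` value from jboss-web.xml onto an application-policy name the way JBoss 4 does (the `java:jaas/` or `java:/jaas/` prefix is stripped and the remainder is looked up by policy name; a name with no policy of its own falls through to the `other` policy, as the comment in the stock file says), and then flags the settings a reviewer would want to look at: `unauthenticatedIdentity` (null credentials get a real principal), empty `password` options on ConfiguredIdentityLoginModule, DatabaseServerLoginModule without a `hashAlgorithm` option (the `principalsQuery` column is then compared as plaintext), and UsersRolesLoginModule entries that rely on the default `users.properties`/`roles.properties` from the classpath. The XML embedded in the script is a constructed, trimmed copy of the poster's files; `audit`, `resolve_security_domain` and the finding texts are this example's own names.

```python
"""Audit a JBoss 4.x login-config.xml / jboss-web.xml pair for weak auth settings.

Editor's example for the thread above; not JBoss code.  The XML strings are a
constructed, trimmed copy of the poster's files so the script runs offline.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: only the policies relevant to the audit are kept.
LOGIN_CONFIG = """<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>
    <application-policy name = "HsqlDbRealm">
       <authentication>
          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">sa</module-option>
             <module-option name = "userName">sa</module-option>
             <module-option name = "password"></module-option>
          </login-module>
       </authentication>
    </application-policy>
    <application-policy name = "other">
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
       </authentication>
    </application-policy>
    <application-policy name = "webappDomain">
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
             <module-option name = "dsJndiName">java:jdbc/web</module-option>
             <module-option name = "principalsQuery">select password from Users where username=?</module-option>
             <module-option name = "rolesQuery">select Role, 'Roles' from Roles where username=?</module-option>
             <module-option name = "unauthenticatedIdentity">guest</module-option>
          </login-module>
       </authentication>
    </application-policy>
</policy>
"""

# Constructed sample of the poster's jboss-web.xml.
JBOSS_WEB = """<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>java:jaas/webappDomain</security-domain>
  <context-root>/web</context-root>
</jboss-web>
"""

DOMAIN_PREFIX = re.compile(r"^java:/?jaas/")


def parse_policies(xml_text):
    """Return {policy name: [{'code', 'flag', 'options'}, ...]} from login-config.xml."""
    root = ET.fromstring(xml_text)
    policies = {}
    for ap in root.findall("application-policy"):
        modules = []
        for lm in ap.findall("./authentication/login-module"):
            # An empty <module-option> has text None; treat it as "".
            opts = {mo.get("name"): (mo.text or "").strip()
                    for mo in lm.findall("module-option")}
            modules.append({"code": lm.get("code"), "flag": lm.get("flag"), "options": opts})
        policies[ap.get("name")] = modules
    return policies


def security_domain_of(jboss_web_xml):
    """The raw <security-domain> value from jboss-web.xml, or None if absent."""
    sd = ET.fromstring(jboss_web_xml).find("security-domain")
    return sd.text.strip() if sd is not None and sd.text else None


def resolve_security_domain(domain_ref, policies):
    """(policy name JBoss will use, True if it was an explicit match).

    JBoss 4 strips the java:jaas/ or java:/jaas/ prefix and looks the rest up
    by application-policy name; anything else silently falls through to 'other'.
    """
    name = DOMAIN_PREFIX.sub("", domain_ref)
    return (name, True) if name in policies else ("other", False)


def audit(policies):
    """List of (policy, login-module short name, message) findings."""
    findings = []
    for name, modules in policies.items():
        for m in modules:
            code = m["code"].rsplit(".", 1)[-1]
            opts = m["options"]
            if "unauthenticatedIdentity" in opts:
                findings.append((name, code, "null credentials become principal %r; "
                                 "its roles query/roles file must grant nothing"
                                 % opts["unauthenticatedIdentity"]))
            if opts.get("password", None) == "":
                findings.append((name, code, "empty password for configured identity %r"
                                 % opts.get("userName")))
            if code == "DatabaseServerLoginModule" and "hashAlgorithm" not in opts:
                findings.append((name, code, "no hashAlgorithm: principalsQuery column is "
                                 "compared as plaintext"))
            if code == "UsersRolesLoginModule" and "usersProperties" not in opts:
                findings.append((name, code, "uses default users.properties/roles.properties "
                                 "from the classpath"))
    return findings


if __name__ == "__main__":
    policies = parse_policies(LOGIN_CONFIG)
    print("jboss-web.xml domain ->", resolve_security_domain(security_domain_of(JBOSS_WEB), policies))
    for policy, module, msg in audit(policies):
        print("%-14s %-32s %s" % (policy, module, msg))
```

Run it as-is and the webappDomain entry resolves to its own policy (so the `java:jaas/` form the poster uses is the expected one), while a domain name with no policy is reported as landing on `other`, which is the case to watch for: a typo in jboss-web.xml does not fail, it quietly authenticates against `users.properties`.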



More information about the jboss-user mailing list