[jboss-user] [Security & JAAS/JBoss] - combination of JAAS

zilbi do-not-reply at jboss.com
Sun Mar 9 14:04:44 EDT 2008


Hi Guys,

I am trying to develop a website with the regular (FORM-based) login feature and also to enable programmatic login, to be used by affiliates via an API.

Working with "jboss-4.2.2.GA" I got the first part (the FORM login) done quickly, but I cannot complete the second part...
:(

I also added a simple LoginServlet; logging in through this servlet works.
But after that, when I try to access a resource under the protected area, I get redirected to the login.jsp page!
Why? Didn't I just log in with the servlet?
What am I missing?

here is my code below...
thanks!

my login-config.xml:
<application-policy name="jinni">
    <authentication>

        <!-- ClientLoginModule performs no verification: it only copies the supplied
             username/password into the caller's security association so they can be
             propagated to other components, and it always succeeds. Listing it as
             "required" in the server-side domain that also holds the real login
             module is unusual; the module that actually checks the password is the
             second one below. -->
        <login-module code="org.jboss.security.ClientLoginModule" flag="required">
            <module-option name="restore-login-identity">true</module-option>
            <module-option name="multi-threaded">true</module-option>
        </login-module>

        <!-- Custom module. Its option names (dsJndiName, principalsQuery, rolesQuery)
             are those of DatabaseServerLoginModule, so it presumably extends that
             class - confirm against com.jinni.security.LoginModule. -->
        <login-module code="com.jinni.security.LoginModule" flag="required">

            <module-option name="managedConnectionFactoryName">
                jboss.jca:service=LocalTxCM,name=JinniDatasource
            </module-option>

            <module-option name="dsJndiName">
                java:/JinniDatasource                                
            </module-option>

            <!-- NOTE(review): no hashAlgorithm / hashEncoding option is configured, so
                 the value fetched from the password column is compared as-is with the
                 submitted password. That means passwords are stored in the clear unless
                 the custom module hashes them itself - confirm, and prefer a salted
                 password hash (bcrypt/scrypt/argon2) if it does not. -->
            <module-option name="principalsQuery">
                select password from users where user_name =?
            </module-option>

            <!-- Both queries bind the username with '?' (parameterised), so the
                 submitted user_name cannot alter the SQL. Returning the literal 'Roles'
                 as RoleGroups places each role name in the Subject's "Roles" group,
                 which is the group JBoss consults for web.xml role-name checks
                 (the "Echo" role in this application's web.xml). -->
            <module-option name="rolesQuery">
                select roles.name as 'Roles', 'Roles' as 'RoleGroups' from users, security_profile_roles, roles
                where roles.id = security_profile_roles.role_id
                and security_profile_roles.security_profile_id = users.security_profile_id
                and users.user_name =?
            </module-option>

            <!-- These two options are ClientLoginModule options; a
                 DatabaseServerLoginModule subclass presumably ignores them - verify
                 they are not silently expected to do something here. -->
            <module-option name="restore-login-identity">true</module-option>
            <module-option name="multi-threaded">true</module-option>

        </login-module>

    </authentication>
</application-policy>

and my web.xml:
 <security-constraint>

    <web-resource-collection>
      <web-resource-name>action</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <!-- NOTE(review): enumerating http-methods constrains ONLY these five verbs.
           Any other method sent to /protected/* (OPTIONS, TRACE, or an arbitrary
           verb that some handlers treat like GET) is not covered by the
           auth-constraint and is served without authentication. Remove the
           http-method elements so the constraint applies to every method. -->
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>

    <auth-constraint>
      <!-- Must be a role name the login module places in the Subject's "Roles"
           group; here that is whatever roles.name the rolesQuery in
           login-config.xml returns for the user. -->
      <role-name>Echo</role-name>
    </auth-constraint>

    <user-data-constraint>
      <description>no description</description>
      <!-- NOTE(review): NONE allows the FORM post (j_username/j_password) and the
           session cookie to travel over plain HTTP. Use CONFIDENTIAL once an HTTPS
           connector is configured on the server. -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>  
  </security-constraint>
  
  <login-config>
    <!-- Container-managed FORM login. Unauthenticated requests to /protected/*
         are redirected to /login.jsp; a programmatic login (the LoginServlet) is a
         separate path and presumably has to register its principal with the
         container for these requests to pass - the JAAS LoginContext alone does not. -->
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  
  <security-role>
    <description>A user allowed to invoke echo methods</description>
    <role-name>Echo</role-name>
  </security-role>
  |   <servlet>


the login.jsp:
<html >
    <%-- Container FORM-login page. The container redirects unauthenticated
         requests for /protected/* here and handles the j_security_check post
         itself, so this page never sees the password; the field names
         j_username / j_password and the action j_security_check are fixed by
         the servlet specification. The credentials leave the browser over
         whatever transport the security-constraint permits - with
         transport-guarantee NONE in web.xml that can be plain HTTP. --%>
    <head>
        <title></title>
        <!-- To prevent caching -->
        <%-- Keep the login form (and the URL the user was redirected from) out
             of browser and proxy caches. --%>
        <%
            response.setHeader("Cache-Control","no-cache"); // HTTP 1.1
            response.setHeader("Pragma","no-cache"); // HTTP 1.0
            response.setDateHeader ("Expires", -1); // Prevents caching at the proxy server
        %>
    </head>
    <body>
        <%-- Relative action: resolves under the protected application's context. --%>
        <form name="logonForm" action="j_security_check" method="post">
            <table width="100%" border="0" cellspacing="0" cellpadding="1" bgcolor="white">
                <tr align="center">
                    <td align="right" class="Prompt"></TD>
                    <td align="left">
                        <input type="text" name="j_username" maxlength=20>
                    </td>
                </tr>
                <tr align="center">
                    <td align="right" class="Prompt"> </TD>
                    <td align="left">
                        <%-- maxlength=20 caps passphrase length client-side; it is
                             not a security control and should match whatever the
                             users table / password policy actually allows - verify. --%>
                        <input type="password" name="j_password" maxlength=20 >
                    </td>
                </tr>
                <tr align="center">
                    <td align="right" class="Prompt"> </TD>
                    <td align="left">
                        <input type="submit" value="Login">
                    </td>
                </tr>
            </table>
        </form>
    </body>
</html>


the LoginServlet:
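protected void doPost(HttpServletRequest req, HttpServletResponse response) throws ServletException, IOException
{
    // Programmatic (API) login. Credentials arrive as the "user" / "pass" POST
    // parameters and the outcome is written back as HTML, so everything echoed to
    // the client is HTML-escaped: the username is attacker-controlled, and the
    // principal names derived from it were previously reflected unescaped.
    String user = req.getParameter("user");
    String pass = req.getParameter("pass");
    if (user == null || pass == null) {
        // Absent parameters are a malformed request, not a failed login.
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "user and pass are required");
        return;
    }

    // Declare the charset explicitly; the container default is ISO-8859-1 and
    // an unlabelled body invites content sniffing.
    response.setContentType("text/html;charset=UTF-8");
    PrintWriter pw = response.getWriter();

    LoginContext lc = null;
    boolean jaasLoggedIn = false;
    try {
        // WebAuthentication.login() is the container-side login: it is what ties
        // the authenticated principal to this request/session so that later
        // requests under /protected/* are not bounced to the FORM login page.
        // The LoginContext below authenticates against the "jinni" domain only;
        // the web container never sees it, and it is logged out again before this
        // method returns - presumably why the redirect still happens. Confirm.
        WebAuthentication webA = new WebAuthentication();
        boolean flag = webA.login(user, pass);
        pw.write("flag = " + flag);
        pw.write('\n');

        // Authenticate against the "jinni" application-policy with the same
        // credentials; a rejected password surfaces as a LoginException.
        PassiveCallbackHandler cbh = new PassiveCallbackHandler(user, pass);
        lc = new LoginContext("jinni", cbh);
        lc.login();
        jaasLoggedIn = true;

        // Principal names come from the submitted username: escape before reflecting.
        for (Object principal : lc.getSubject().getPrincipals()) {
            pw.write("Authenticated: " + escapeHtml(String.valueOf(principal)) + "<br>");
        }

        // NOTE(review): whatever the login module stores in the Subject's public
        // credentials is returned to the caller verbatim (escaped only for HTML).
        // Confirm com.jinni.security.LoginModule puts nothing sensitive there.
        for (Properties creds : lc.getSubject().getPublicCredentials(Properties.class)) {
            pw.write(escapeHtml(creds.toString()));
        }
    }
    catch (javax.security.auth.login.LoginException e)
    {
        // Bad credentials: signal failure with a status code the API client can
        // test, but keep the generic body - the exception text may name the
        // module or the user. The stack trace goes to the server log only.
        getServletContext().log("API login failed", e);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        pw.write("An Error Has Occurred");
    }
    catch (Exception e)
    {
        // Anything else is a server-side problem; the original println lost the
        // stack trace, so log through the container instead.
        getServletContext().log("Unexpected error during API login", e);
        response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        pw.write("An Error Has Occurred");
    }
    finally
    {
        // Release the JAAS login even when writing the response throws.
        if (jaasLoggedIn) {
            try {
                lc.logout();
            } catch (javax.security.auth.login.LoginException ignored) {
                // Nothing left to release; the outcome has already been reported.
            }
        }
        pw.flush();
    }
}

/**
 * Minimal HTML escaping for text reflected into the response body.
 *
 * @param s text to escape (never null)
 * @return s with the five HTML-significant characters replaced by entities
 */
private static String escapeHtml(String s)
{
    StringBuilder sb = new StringBuilder(s.length());
    for (int i = 0; i < s.length(); i++) {
        char c = s.charAt(i);
        switch (c) {
            case '<':  sb.append("&lt;");   break;
            case '>':  sb.append("&gt;");   break;
            case '&':  sb.append("&amp;");  break;
            case '"':  sb.append("&quot;"); break;
            case '\'': sb.append("&#39;");  break;
            default:   sb.append(c);
        }
    }
    return sb.toString();
}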

thanks again
:)
