[jboss-user] [Security & JAAS/JBoss] - re: securing virtual directories

adastar do-not-reply at jboss.com
Mon Mar 24 16:58:57 EDT 2008


We have a security realm that we use throughout our EAR.  


  |     <application-policy name="mySecurityRealm">
  | 
  |                 <authentication> 
  |                                 <login-module code="com.myclass.MyLoginModule"  flag="required"> 
  |                                                 <module-option name="unauthenticated">guest</module-option>
  |                                                 <module-option name="dsJndiName">java:/myDataSource</module-option>
  |                                                 <module-option name="hashUserPassword">false</module-option>
  |                                                 <module-option name="hashStorePassword">false</module-option>
  |                                                 <module-option name="principalsQuery"> 
  |                                                 ...commented out...</module-option>
  | 
  |                                                 <module-option name="rolesQuery"> 
  |                                                 ...commented out...</module-option>
  |                                 </login-module> 
  |                 </authentication>
  | 
  | </application-policy>
  | 

I read the following:

http://tomcat.apache.org/tomcat-5.5-doc/config/context.html

Scroll down until you see "Realm" under "Nested Elements".  It seems as though you can specify a JAAS Realm:

http://tomcat.apache.org/tomcat-5.5-doc/config/realm.html

So I did:


  |        <Host name="localhost"
  |            autoDeploy="false" deployOnStartup="false" deployXML="false"
  |            configClass="org.jboss.web.tomcat.security.config.JBossContextConfig"
  |            >
  | 
  |                   <Realm className="org.apache.catalina.realm.JAASRealm"
  |                      appName="mySecurityRealm"
  |                      userClassNames="org.jboss.security.SimplePrincipal"
  |                      roleClassNames="org.jboss.security.SimpleGroup"
  |                      debug="99"/>
  | 

And I defined my virtual directory:


  |                    <Context path="/Reports" docBase="Reports" debug="0" reloadable="true" />
  | 

But the security isn't working.  So I defined the web.xml file under Reports/WEB-INF:          


  | <security-constraint>
  |   <web-resource-collection>
  |    <web-resource-name>xxx</web-resource-name>
  |    <url-pattern>/Reports/*</url-pattern>
  |    <http-method>POST</http-method>
  |    <http-method>GET</http-method>
  |   </web-resource-collection>
  |   <auth-constraint>
  |    <role-name>Roles</role-name>
  |   </auth-constraint>
  |   <user-data-constraint>
  |    <transport-guarantee>NONE</transport-guarantee>
  |   </user-data-constraint>
  |  </security-constraint>
  |  <login-config>
  |   <auth-method>FORM</auth-method>
  |   <realm-name>mySecurityRealm</realm-name>
  |   <form-login-config>
  |    <form-login-page>/login.jsp</form-login-page>
  |    <form-error-page>/loginerror.html</form-error-page>
  |   </form-login-config>
  |  </login-config>
  |  <security-role>
  | 

and even put in a jboss-web.xml file:


  | <?xml version="1.0" encoding="UTF-8"?>
  | 
  | <jboss-web>
  |    <security-domain>java:/jaas/mySecurityRealm</security-domain>
  | </jboss-web>
  | 

Still no luck! Any ideas?



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4138592#4138592

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4138592



More information about the jboss-user mailing list