[jboss-user] [Security & JAAS/JBoss] - Problem with JAAS and Declarative Security on JBOSS 4.2.1 GA

fakhreldeen do-not-reply at jboss.com
Mon May 5 06:33:24 EDT 2008


I am trying to implement an integration between Declarative Security and JAAS on JBOSS 4.2.1 GA. I have specified in my web.xml file that all jsp files under the directory called "security" are protected and only accessible by the role "Admin". I also specified in the web.xml file that Authentication is done by Login FORM. I then created a configuration for the DatabaseSeverLoginModule in login-config.xml, and created a servlet that uses the LoginContext to authorize the user. The Login page's form's action points to this servlet rather than j_security_check. However, it doesn't seem to work, because I can't access the secure pages, even though I enter the correct username and password. Here are my files:


  | <servlet>
  | <servlet-name>loginservlet</servlet-name>
  | <servlet-class>loginservlet</servlet-class>
  | </servlet>
  | <servlet-mapping>
  | <servlet-name>loginservlet</servlet-name>
  | <url-pattern>/loginservlet</url-pattern>
  | </servlet-mapping>
  | <session-config>
  | <session-timeout>
  | 30
  | </session-timeout>
  | </session-config>
  | <welcome-file-list>
  | <welcome-file>index.jsp</welcome-file>
  | </welcome-file-list>
  | <security-constraint>
  | <display-name>Constraint1</display-name>
  | <web-resource-collection>
  | <web-resource-name>Secure Pages</web-resource-name>
  | <description>Secure Pages</description>
  | <url-pattern>/security/*</url-pattern>
  | <http-method>GET</http-method>
  | <http-method>POST</http-method>
  | <http-method>HEAD</http-method>
  | <http-method>PUT</http-method>
  | <http-method>OPTIONS</http-method>
  | <http-method>TRACE</http-method>
  | <http-method>DELETE</http-method>
  | </web-resource-collection>
  | <auth-constraint>
  | <description>Admin</description>
  | <role-name>Admin</role-name>
  | </auth-constraint>
  | </security-constraint>
  | <login-config>
  | <auth-method>FORM</auth-method>
  | <realm-name>Test Realm</realm-name>
  | <form-login-config>
  | <form-login-page>/Login.jsp</form-login-page>
  | <form-error-page>/Error.jsp</form-error-page>
  | </form-login-config>
  | </login-config>
  | <security-role>
  | <description>Admin User
  | </description>
  | <role-name>Admin</role-name>
  | </security-role>
  | </web-app>


<application-policy name = "testDB">
  | <authentication>
  | <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
  | flag = "required">
  | <module-option name = "unauthenticatedIdentity">guest</module-option>
  | <module-option name = "dsJndiName">java:/testDB</module-option>
  | <module-option name = "principalsQuery">SELECT password from Principals where PrincipalID =?</module-option>
  | <module-option name = "rolesQuery">SELECT Role, Rolegroup FROM roles WHERE principalid=?</module-option>
  | </login-module>
  | </authentication>
  | </application-policy>


  | <security-domain>java:/jaas/testDB</security-domain>
  | <context-root>/testJBOSSsecurity</context-root>
  | </jboss-web>


<FORM name="logonForm" action="loginservlet" METHOD="POST">
  | <TABLE width="100%" border="0" cellspacing="0" cellpadding=
  | "1" bgcolor="white">
  | <TABLE width="100%" border="0" cellspacing=
  | "0" cellpadding="5">
  | <TR align="center">
  | <TD align="right" class="Prompt"></TD>
  | <TD align="left">
  | <INPUT type="text" name="j_username" maxlength=20>
  | </TD>
  | </TR>
  | <TR align="center">
  | <TD align="right" class="Prompt"> </TD>
  | <TD align="left">
  | <INPUT type="password"
  | name="j_password" maxlength=20 >
  | <BR>
  | <TR align="center">
  | <TD align="right" class="Prompt"> </TD>
  | <TD align="left">
  | <input type="submit" value="Login">


try {
  | SecurityAssociationHandler handler = new
  | SecurityAssociationHandler();
  | Principal user = new SimplePrincipal(request.getParameter("j_username"));
  | handler.setSecurityInfo(user, request.getParameter("j_password"));
  | LoginContext loginContext = new LoginContext("testDB",(CallbackHandler)handler);
  | loginContext.login();
  | Subject subject = loginContext.getSubject();
  | Set principals = subject.getPrincipals();
  | principals.add(user);
  | out.println(subject.toString());
  | //response.sendRedirect("securepage.java");
  | }

So, those are my files.....In the database, I have two tables, one table called Principals and that has the username semsem and password password1, and the other table is called roles, which has principleid = semsem, role = Admin, and rolegroup = AdminGroup. What I am trying to do, is integrate JAAS and Declarative Security, so that I don't have to programatically declare which pages are accessed by which type of user. However, When I reach the Login Form and enter the correct username and password, nothing happens, which means that after I enter the correct username and password, I am presented with the login form again....I can verify that the servlet code is correct, because I can directly visit the login page with out trying to access it by requesting a secure page, and I enter the correct username and password, and I get a print line of the subject's principals as they are in the database from the line out.println(subject.toString());, that print out is: Subject: Principal: semsem Principal: Admin(members:Admin)

Your help is very appreciated
Thank You


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4148602#4148602

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4148602

More information about the jboss-user mailing list