[jboss-user] [Security & JAAS/JBoss] - authentication with no authorization problem
BjPenn
do-not-reply at jboss.com
Tue Mar 17 07:32:07 EDT 2009
Well, my problem is that my application can authenticate, but the authorization is not correct, because I get the JSP page which tells me I can't access the JSP due to not having authorization. I am using JBoss 5.0.1GA, JDK 6. So these are the steps I made:
1- First I changed my jboss-web.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<jboss-web>
  <security-domain>java:/jaas/smsJAAS</security-domain>
  <context-root>/jtk_SENIC</context-root>
</jboss-web>
2- I set another application-policy in the file /server/default/conf/login-config.xml:
<?xml version="1.0" ?>
<!-- The XML based JAAS login configuration read by the
  org.jboss.security.auth.login.XMLLoginConfig mbean. Add
  an application-policy element for each security domain.

  The outline of the application-policy is:
  <application-policy name="security-domain-name">
    <authentication>
      <login-module code="login.module1.class.name" flag="control_flag">
        <module-option name = "option1-name">option1-value</module-option>
        <module-option name = "option2-name">option2-value</module-option>
        ...
      </login-module>

      <login-module code="login.module2.class.name" flag="control_flag">
        ...
      </login-module>
      ...
    </authentication>
  </application-policy>

  $Id: login-config.xml 76444 2008-07-29 23:50:53Z sguilhen at redhat.com $
  $Revision: 76444 $
-->
<policy>
  <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
  -->
  <application-policy name="smsJAAS">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="dsJndiName">java:/smsactjndi</module-option>
        <module-option name="principalsQuery">SELECT contrasena FROM usuarios_v WHERE nomusuario=?</module-option>
        <module-option name="rolesQuery">SELECT nomgrupous, 'Roles' FROM usuarios_v WHERE nomusuario=?</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="client-login">
    <authentication>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
        <!-- Any existing security context will be restored on logout -->
        <module-option name="restore-login-identity">true</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <!-- Security domains for testing new jca framework -->
  <application-policy name="HsqlDbRealm">
    <authentication>
      <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
        <module-option name="principal">sa</module-option>
        <module-option name="userName">sa</module-option>
        <module-option name="password" />
        <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="JmsXARealm">
    <authentication>
      <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
        <module-option name="principal">guest</module-option>
        <module-option name="userName">guest</module-option>
        <module-option name="password">guest</module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <!-- A template configuration for the jmx-console web application. This
    defaults to the UsersRolesLoginModule the same as other and should be
    changed to a stronger authentication mechanism as required.
  -->
  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
        <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <!-- A template configuration for the web-console web application. This
    defaults to the UsersRolesLoginModule the same as other and should be
    changed to a stronger authentication mechanism as required.
  -->
  <application-policy name="web-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">web-console-users.properties</module-option>
        <module-option name="rolesProperties">web-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <!-- A template configuration for the JBossWS security domain.
    This defaults to the UsersRolesLoginModule the same as other and should be
    changed to a stronger authentication mechanism as required.
  -->
  <application-policy name="JBossWS">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/jbossws-users.properties</module-option>
        <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <!-- The default login configuration used by any security domain that
    does not have a application-policy entry with a matching name
  -->
  <application-policy name="other">
    <!-- A simple server login module, which can be used when the number
      of users is relatively small. It uses two properties files:
      users.properties, which holds users (key) and their password (value).
      roles.properties, which holds users (key) and a comma-separated list of
      their roles (value).
      The unauthenticatedIdentity property defines the name of the principal
      that will be used when a null username and password are presented as is
      the case for an unauthenticated web client or MDB. If you want to
      allow such users to be authenticated add the property, e.g.,
      unauthenticatedIdentity="nobody"
    -->
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
    </authentication>
  </application-policy>
</policy>
3- Configuring my web.xml with security constraints:
<?xml version="1.0" encoding="UTF-8" ?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <!-- Persistence unit name for JToolkitFW -->
  <context-param>
    <param-name>com.sun.faces.verifyObjects</param-name>
    <param-value>false</param-value>
  </context-param>
  <context-param>
    <param-name>com.sun.faces.validateXml</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
  <context-param>
    <param-name>com.sun.faces.verifyObjects</param-name>
    <param-value>false</param-value>
  </context-param>
  <context-param>
    <param-name>com.sun.faces.validateXml</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
  <env-entry>
    <env-entry-name>jndi_pool</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>jndi/smsact</env-entry-value>
  </env-entry>
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    <security-role-ref>
      <description />
      <role-name>suscriptores</role-name>
      <role-link>suscriptores</role-link>
    </security-role-ref>
    <security-role-ref>
      <description />
      <role-name>promotores</role-name>
      <role-link>promotores</role-link>
    </security-role-ref>
    <security-role-ref>
      <description />
      <role-name>mensajes</role-name>
      <role-link>mensajes</role-link>
    </security-role-ref>
    <security-role-ref>
      <description />
      <role-name>categorias</role-name>
      <role-link>categorias</role-link>
    </security-role-ref>
    <security-role-ref>
      <description />
      <role-name>envio_directo</role-name>
      <role-link>envio_directo</role-link>
    </security-role-ref>
    <security-role-ref>
      <description />
      <role-name>perfiles</role-name>
      <role-link>perfiles</role-link>
    </security-role-ref>
    <security-role-ref>
      <description>adming</description>
      <role-name>adming</role-name>
      <role-link>adming</role-link>
    </security-role-ref>
  </servlet>
  <!-- #Security constraints -->
  <error-page>
    <error-code>403</error-code>
    <location>/error/acceso_denegado.jsp</location>
  </error-page>
  <security-constraint>
    <display-name>principal</display-name>
    <web-resource-collection>
      <web-resource-name>principal</web-resource-name>
      <description />
      <url-pattern>/faces/principal.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>mensajes</role-name>
      <role-name>suscriptores</role-name>
      <role-name>promotores</role-name>
      <role-name>categorias</role-name>
      <role-name>envio_directo</role-name>
      <role-name>perfiles</role-name>
      <role-name>adming</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- #Roles -->
  <security-constraint>
    <display-name>grabador de suscriptores</display-name>
    <web-resource-collection>
      <web-resource-name>categ_susc</web-resource-name>
      <description />
      <url-pattern>/faces/categ_susc.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>suscriptores</web-resource-name>
      <description />
      <url-pattern>/faces/suscriptores.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description />
      <role-name>suscriptores</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>grabador de mensajes</display-name>
    <web-resource-collection>
      <web-resource-name>mensajes</web-resource-name>
      <description />
      <url-pattern>/faces/mensajes.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description />
      <role-name>mensajes</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>envio directo</display-name>
    <web-resource-collection>
      <web-resource-name>envio_directo</web-resource-name>
      <description />
      <url-pattern>/faces/envio_directo.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description />
      <role-name>envio_directo</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>promotores</display-name>
    <web-resource-collection>
      <web-resource-name>promotores</web-resource-name>
      <description />
      <url-pattern>/faces/promotores.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description />
      <role-name>promotores</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>categorias</display-name>
    <web-resource-collection>
      <web-resource-name>categorias</web-resource-name>
      <description />
      <url-pattern>/faces/categorias.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description />
      <role-name>categorias</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>perfiles</display-name>
    <web-resource-collection>
      <web-resource-name>perfiles</web-resource-name>
      <description />
      <url-pattern>/faces/grupos.jsp</url-pattern>
      <url-pattern>/faces/idiomas.jsp</url-pattern>
      <url-pattern>/faces/entidades.jsp</url-pattern>
      <url-pattern>/faces/sol_informacion.jsp</url-pattern>
      <url-pattern>/faces/usuarios.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description />
      <role-name>perfiles</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>adming</display-name>
    <web-resource-collection>
      <web-resource-name>entidades</web-resource-name>
      <description />
      <url-pattern>/faces/entidadest.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>usuariost</web-resource-name>
      <description />
      <url-pattern>/faces/usuariost.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description />
      <role-name>adming</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>smsJAAS</realm-name>
    <form-login-config>
      <form-login-page>/login/login.jsp</form-login-page>
      <form-error-page>/login/login.jsp?error=true</form-error-page>
    </form-login-config>
  </login-config>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>faces/principal.jsp</welcome-file>
  </welcome-file-list>
  <security-role>
    <description>Administracion de mensajes</description>
    <role-name>mensajes</role-name>
  </security-role>
  <security-role>
    <description>Administracion de suscriptores</description>
    <role-name>suscriptores</role-name>
  </security-role>
  <security-role>
    <description>Administracion de los promotores</description>
    <role-name>promotores</role-name>
  </security-role>
  <security-role>
    <description>Administracion de las categorias</description>
    <role-name>categorias</role-name>
  </security-role>
  <security-role>
    <description>Acceso al envio directo</description>
    <role-name>envio_directo</role-name>
  </security-role>
  <security-role>
    <description>Acceso a la administracion de perfiles</description>
    <role-name>perfiles</role-name>
  </security-role>
  <security-role>
    <description>Opciones de administrador general</description>
    <role-name>adming</role-name>
  </security-role>
</web-app>
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4218579#4218579
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4218579
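Added example, not from the post or from JBoss: a script that cross-checks the three files above for the mismatches that typically turn a successful login into a 403, namely the security-domain name against the application-policy names, the rolesQuery returning the 'Roles' group that DatabaseServerLoginModule uses for authorization, and every auth-constraint role being declared (case-sensitively) in a security-role. The embedded fragments are constructed, trimmed copies of the poster's configuration, with one deliberate case mismatch ('Adming') so the check has something to report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed copies of the post's three files (assumption: only the
# elements the checks read are kept; 'Adming' is a deliberate case mismatch).
JBOSS_WEB = """<jboss-web><security-domain>java:/jaas/smsJAAS</security-domain>
<context-root>/jtk_SENIC</context-root></jboss-web>"""
LOGIN_CONFIG = """<policy><application-policy name="smsJAAS"><authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="unauthenticatedIdentity">guest</module-option>
<module-option name="rolesQuery">SELECT nomgrupous, 'Roles' FROM usuarios_v WHERE nomusuario=?</module-option>
</login-module></authentication></application-policy></policy>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
<web-resource-collection><url-pattern>/faces/principal.jsp</url-pattern></web-resource-collection>
<auth-constraint><role-name>mensajes</role-name><role-name>Adming</role-name></auth-constraint>
</security-constraint><security-role><role-name>mensajes</role-name></security-role>
<security-role><role-name>adming</role-name></security-role></web-app>"""

def _local(tag):
    return tag.rsplit('}', 1)[-1]   # drop the {namespace} prefix ElementTree adds to web.xml tags


def _texts(elem, name):
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]


def check_jaas_wiring(jboss_web, login_config, web_xml):
    """Return findings that explain a 403 after a successful login."""
    findings = []
    domain = _texts(ET.fromstring(jboss_web), 'security-domain')[0]
    domain = domain.split('java:/jaas/', 1)[-1]   # 'java:/jaas/smsJAAS' -> 'smsJAAS'
    policy = ET.fromstring(login_config)
    if domain not in [p.get('name') for p in policy.iter('application-policy')]:
        findings.append("security-domain '%s' has no application-policy; 'other' applies" % domain)
    for opt in policy.iter('module-option'):
        if opt.get('name') == 'rolesQuery':
            # DatabaseServerLoginModule expects (role, group); only group 'Roles' authorizes
            cols = re.match(r'\s*select\s+(.+?)\s+from', opt.text, re.I).group(1).split(',')
            if len(cols) != 2 or cols[1].strip().strip("'") != 'Roles':
                findings.append("rolesQuery must return (role, 'Roles'): " + opt.text.strip())
        elif opt.get('name') == 'unauthenticatedIdentity':
            findings.append("unauthenticatedIdentity=%s: empty credentials still log in" % opt.text)
    web = ET.fromstring(web_xml)
    declared = {r for e in web.iter() if _local(e.tag) == 'security-role' for r in _texts(e, 'role-name')}
    for ac in (e for e in web.iter() if _local(e.tag) == 'auth-constraint'):
        for role in _texts(ac, 'role-name'):
            if role not in declared:   # role names are compared case-sensitively
                findings.append("auth-constraint role '%s' is not declared in <security-role>" % role)
    return findings
```

Whether the role values the query actually returns match the web.xml role names can only be confirmed against the database, so run the rolesQuery by hand for a test user and compare the first column with the auth-constraint names.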