[jboss-user] [Beginner's Corner] - FORM-based authentication

RS Prasad do-not-reply at jboss.com
Tue Oct 26 16:34:42 EDT 2010

RS Prasad [http://community.jboss.org/people/rsprasad] modified the document:

"FORM-based authentication"

To view the document, visit: http://community.jboss.org/docs/DOC-16020

This article describes FORM-based authentication in JBoss for securing admin-related pages.
The attached web application uses declarative authentication against a MySQL security realm.

Add the following *security-constraint* section to *web.xml*:
     <display-name>require valid user</display-name>
  <web-resource-name>internal application</web-resource-name>
  <!-- secure only admin pages-->
  <!--Admin pages secured only for admin-->

Add the following *login-config* section to *web.xml*:


Find and replace the following realm config section in <JBOSS_HOME>\server\default\deploy\jbossweb.sar\*server.xml*:

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
roleNameCol="role_name" />

From the above, the realm requires the DB Class name, DB Driver class, DB URL,
DB name, DB username and DB password, and:
userTable is users,
userNameCol is user_name,
userRoleTable is user_roles,
userCredCol is user_pass and
roleNameCol is role_name

Setting up the security realm:
Have MySQL running.

mysql> create database jaasrealm;
mysql> use jaasrealm;
mysql> create table users (
  user_name varchar(15) not null primary key,
  user_pass varchar(15) not null
);

mysql> create table user_roles (
  user_name varchar(15) not null,
  role_name varchar(15) not null,
  primary key (user_name, role_name)
);

mysql> insert into users values('hari','good');
mysql> insert into users values('hara','better');

mysql> insert into user_roles values('hari','usergroup');
mysql> insert into user_roles values('hara','admin');

Ensure the MySQL driver is on the JBoss classpath and that the browser accepts cookies, and modify JBossIPAddress in the links in the JSPs.
Deploy the application after extracting it to JBOSS_HOME/server/default/deploy/.
Reach the application at the URL: http://<JBossIPAddress>:8080/auth/index.jsp
The first two links are to user pages that require no authentication.
The last two links are to admin pages, which require authentication.
Clicking on the admin links will cause login.jsp to be displayed, as configured by the login-config section of web.xml.
The login form submits to j_security_check, with textboxes for j_username and j_password.
A j_security_check servlet reserved by JBoss for authentication handles the request and the security-constraints associated with it.
On successful authentication, the secured admin page will be displayed.
On unsuccessful authentication, loginInvalid.jsp will be displayed, as configured by the login-config section of web.xml.


Saravana Prasad
