-
1. Re: BASIC auth-method doesn't ask for credentials
I noticed that nobody replied to this one. I have exactly the same problem. I'm using the JBoss_2.4.3_Tomcat_4.0 installation.
I have a very simple stateless session bean and a servlet that accesses the bean. I've set web.xml to do basic authentication on first login. When I invoke the servlet from the browser
http://localhost:8080/jaasex/js
I get the response
HTTP Status 403 - Access to the requested resource has been denied
and
bad password for username=null
and no login form was presented on the browser.
I set up my descriptors based on the howto example. Can anyone spot the problem in my XML/conf files?
jboss-web.xml
==============
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/jaasExample</security-domain>
<ejb-ref>
<ejb-ref-name>ejb/js</ejb-ref-name>
<jndi-name>ejb/jaasSession</jndi-name>
</ejb-ref>
</jboss-web>
web.xml
=======
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<display-name>JAAS Example Web Application</display-name>
<servlet-name>JaasServlet</servlet-name>
<display-name>JAAS Servlet</display-name>
<servlet-class>web.JaasServlet</servlet-class>
<servlet-mapping>
<servlet-name>JaasServlet</servlet-name>
<url-pattern>/js</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>JaasSessionSecurity</web-resource-name>
<url-pattern>/js</url-pattern>
<http-method>HEAD</http-method>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Manager</role-name>
</auth-constraint>
<user-data-constraint>
Currently transport insecure
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JAAS Session Security</realm-name>
</login-config>
<security-role>
The managers role
<role-name>Manager</role-name>
</security-role>
<ejb-ref>
<ejb-ref-name>ejb/js</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
beans.JaasSessionHome
beans.JaasSession
</ejb-ref>
</web-app>
application.xml
===============
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE application PUBLIC '-//Sun Microsystems, Inc.//DTD J2EE Application 1.2//EN'
'http://java.sun.com/j2ee/dtds/application_1_2.dtd'>
<display-name>JaasExample</display-name>
The JAAS Example Application
warFile
<web-uri>je.war</web-uri>
<context-root>/jaasex</context-root>
EJBJar
je.jar
jboss.xml
==========
<?xml version="1.0" encoding="UTF-8"?>
<security-domain>java:/jaas/jaasExample</security-domain>
<enterprise-beans>
<ejb-name>jb</ejb-name>
<jndi-name>ejb/jaasSession</jndi-name>
</enterprise-beans>
ejb-jar.xml
===========
<?xml version="1.0"?>
<!DOCTYPE ejb-jar PUBLIC '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN' 'http://java.sun.com/j2ee/dtds/ejb-jar_1_1.dtd'>
<ejb-jar>
<enterprise-beans>
<ejb-name>jb</ejb-name>
beans.JaasSessionHome
beans.JaasSession
<ejb-class>beans.JaasSessionBean</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>
</enterprise-beans>
<assembly-descriptor>
<security-role>
<role-name>Manager</role-name>
</security-role>
<method-permission>
<role-name>Manager</role-name>
<ejb-name>jb</ejb-name>
<method-name>*</method-name>
</method-permission>
</assembly-descriptor>
</ejb-jar>
auth.conf in the jboss\conf\catalina folder
===========================================
jaasExample {
// A properties file LoginModule that supports CallerPrincipal mapping
org.jboss.security.auth.spi.UsersRolesLoginModule required
;
};
auth.conf in the jboss\client folder
=====================================
srp {
// Example client auth.conf for using the SRPLoginModule
org.jboss.security.srp.jaas.SRPLoginModule required
password-stacking="useFirstPass"
principalClassName="org.jboss.security.SimplePrincipal"
srpServerJndiName="SRPServerInterface"
debug=true
;
// jBoss LoginModule
org.jboss.security.ClientLoginModule required
password-stacking="useFirstPass"
;
// Put your login modules that need jBoss here
};
other {
// Put your login modules that work without jBoss here
// jBoss LoginModule
org.jboss.security.ClientLoginModule required;
// Put your login modules that need jBoss here
};
roles.properties
=================
cwl=Manager
jjh=Manager
and a users.properties file with passwords for both users (cwl, jjh). These property files are deployed with the je.jar file in its root directory.
Any help would be appreciated.
Chris -
2. Re: BASIC auth-method doesn't ask for credentials
I just tried the JaasServlet example that I posted previously with JBOSS_2.2.2_Tomcat_3.2.2. It worked, i.e. the BASIC authentication form was displayed on the browser. Does anyone know what has happened in JBOSS_2.4.3_Tomcat_4.0 to cause BASIC authentication problems with this later version?
Thanks
Chris -
3. Re: BASIC auth-method doesn't ask for credentials
Hello, I think there may be serious issues with the authentication in Tomcat 4.0.
If you are using the WARP connector and Apache, the release notes have this to say about it:
* With this release, FORM-based authentication will work correctly, but
there is a bug that prevents BASIC authentication from operating. This
will be addressed before final release. -
4. Re: BASIC auth-method doesn't ask for credentials
BASIC auth works with the JBoss-2.4.4_Tomcat-4.0.1 and latter bundles. If you see a 403 error you need to remove the unauthenticatedIdentity login module attribute from your configuration as this prevents the authentication challenge from being sent back to the browser.