JBoss/Jetty JAAS transient Roles problem
ikestrel Oct 17, 2001 3:04 PM

I've been fighting with this for hours and I'm really at the end of my rope. Please, if someone can give me a clue to what's going on. I'm using the JBoss 2.4.3/Jetty 3.1.1 bundle, except I have dropped in the Jetty 3.1.2 jar because it fixes a different FORM based login bug.
The problem is transient so far as I can tell -- at least I don't know what's causing it.
Can someone please tell me how to get form based auth working with jetty/jboss? I have three sections of site /user, /member, and /admin.
/user can only access /user, /member can access /user and /member, and
admin can access any of the three. What are the entries in:
jboss.jcml (if anything other than default)
auth.conf
web.xml
jboss-web.xml
anything else that I need to get it to work correctly and consistently? It keeps working for a little while, i.e. I can access the restricted area, and then stops working. Sometimes it doesn't allow access to the restricted area at all to begin with; sometimes I get one click, sometimes I can click around the restricted area a little while before it fails.
I get:
[Jetty] +++ JBossUserRealm.getUser, username=joel@ikestrel.com
[Jetty] Authorizing access, username: joel@ikestrel.com
[Jetty] User: joel@ikestrel.com is authorized
but then I'll suddenly start getting these:
[Jetty] +++ JBossUserRealm.getUser, username=joel@ikestrel.com
[Jetty] Authorizing access, username: joel@ikestrel.com
[Jetty] User: joel@ikestrel.com is NOT authorized, requiredRoles=[admin]
[Jetty] WARNING: AUTH FAILURE: role for joel@ikestrel.com
Why??? Here's my auth.conf:
Allsense {
    /* A JDBC based LoginModule
       LoginModule options:
       dsJndiName: The name of the DataSource of the database containing the
           Principals, Roles tables
       principalsQuery: The prepared statement query equivalent to:
           "select Password from Principals where PrincipalID=?"
       rolesQuery: The prepared statement query equivalent to:
           "select Role, RoleGroup from Roles where PrincipalID=?"
       org.jboss.security.auth.spi.DatabaseServerLoginModule required
    */
    org.ikestrel.internet.ecommerce.LoginModule required
        dsJndiName="java:/AllsenseDS"
        principalsQuery="SELECT password FROM Member WHERE userEmail=?"
        rolesQuery="SELECT userType, 'Roles' FROM Member where userEmail=?"
    ;
};
where org.ikestrel.internet.ecommerce.LoginModule is exactly the same
code as the newest org.jboss.security.auth.spi.DatabaseServerLoginModule
(it has been updated recently), though I get the exact same problems
with org.jboss.security.auth.spi.DatabaseServerLoginModule anyway.
web.xml:
<web-app>
    <welcome-file-list>
        <welcome-file>index.htm</welcome-file>
    </welcome-file-list>

    <!-- ### Security -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>LoginArea</web-resource-name>
            <description>Users/Members only</description>
            <url-pattern>/user/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
            <role-name>member</role-name>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MemberArea</web-resource-name>
            <description>Member Only</description>
            <url-pattern>/member/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
            <role-name>member</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AdminArea</web-resource-name>
            <description>Admin Only</description>
            <url-pattern>/admin/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <!--
        <auth-method>BASIC</auth-method>
        -->
        <realm-name>JAAS Common Sense Login</realm-name>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login-error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description>A user allowed to invoke access</description>
        <role-name>user</role-name>
    </security-role>
    <security-role>
        <description>A user allowed to invoke echo methods</description>
        <role-name>member</role-name>
    </security-role>
    <security-role>
        <description>A user allowed to invoke echo methods</description>
        <role-name>admin</role-name>
    </security-role>

    <session-config>
        <session-timeout>15</session-timeout> <!-- 15 minutes -->
    </session-config>
</web-app>
jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/Allsense</security-domain>
</jboss-web>
jboss.jcml is the same as default as far as JAAS is concerned. I'm using PostgreSQL (7.0.3) for the database.
Please, can anyone find what's wrong or point me in the right direction?
How do I turn on appropriate debugging in JBoss that might help debug it?
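One thing worth checking independently of the transient failure is whether the deployed <security-constraint> blocks actually encode the access matrix described at the top of the post (/user for everyone, /member for member and admin, /admin for admin only). The following is an added example, not code from the post or from JBoss/Jetty: it parses a constructed, well-formed copy of the three constraints shown above, maps each url-pattern to the roles its auth-constraint permits, and diffs that against the intended matrix.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the three url-pattern/auth-constraint pairs from the
# posted web.xml (descriptions and http-method lists omitted for brevity).
WEB_XML = """<web-app>
<security-constraint><web-resource-collection><url-pattern>/user/*</url-pattern>
</web-resource-collection><auth-constraint><role-name>user</role-name>
<role-name>member</role-name><role-name>admin</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection><url-pattern>/member/*</url-pattern>
</web-resource-collection><auth-constraint><role-name>user</role-name>
<role-name>member</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection><url-pattern>/admin/*</url-pattern>
</web-resource-collection><auth-constraint><role-name>admin</role-name>
</auth-constraint></security-constraint>
</web-app>"""

# Intended policy as the post states it: role -> url-patterns it may reach.
INTENDED = {
    "user": {"/user/*"},
    "member": {"/user/*", "/member/*"},
    "admin": {"/user/*", "/member/*", "/admin/*"},
}


def allowed_roles(web_xml):
    """Map every url-pattern to the union of role-names whose
    auth-constraint covers it (a pattern may appear in several constraints)."""
    out = {}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        for p in sc.iter("url-pattern"):
            out.setdefault(p.text.strip(), set()).update(roles)
    return out


def policy_diff(web_xml, intended):
    """Return (role, pattern, 'missing'|'extra') triples: 'missing' means the
    intended matrix grants access that web.xml withholds, 'extra' means
    web.xml grants access the matrix never intended."""
    deployed = allowed_roles(web_xml)
    diffs = []
    for role, areas in intended.items():
        for pattern, roles in sorted(deployed.items()):
            if pattern in areas and role not in roles:
                diffs.append((role, pattern, "missing"))
            if pattern not in areas and role in roles:
                diffs.append((role, pattern, "extra"))
    return diffs


if __name__ == "__main__":
    for role, pattern, kind in policy_diff(WEB_XML, INTENDED):
        print(f"{kind:8} role={role!r} pattern={pattern!r}")
```

Run against the posted constraints, the diff reports the MemberArea block as granting `user` and withholding `admin` relative to the stated intent, which is a policy mismatch separate from the intermittent "NOT authorized" failures. Note also that because each collection enumerates HEAD/GET/POST/PUT/DELETE explicitly, methods not listed fall outside the constraint entirely; leaving http-method out of a collection makes the constraint cover all methods.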