5 Replies Latest reply on Nov 13, 2001 9:29 PM by foglesa

    JBoss Form-based Login Question

    charlesrk

      Hi all,
      I wrote some servlets and HTML pages and packaged them into a WAR file with a web.xml according to Servlet specification 2.2. In web.xml I put the following entries to achieve security (form-based):

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>SecurePages</web-resource-name>
          <!-- secure directory -->
          <url-pattern>/secure/*</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>

        <auth-constraint>
          <!-- only let the system user login -->
          <role-name>admin</role-name>
        </auth-constraint>

        <user-data-constraint>
          <!-- SSL not required -->
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>


      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/LoginForm.html</form-login-page>
          <form-error-page>/LoginError.html</form-error-page>
        </form-login-config>
      </login-config>


      <security-role>
        <!-- The Secure ROLE -->
        <role-name>admin</role-name>
      </security-role>

      and in the custom login form, I gave

      Username:
      Password:

      We are seeing the login form upon accessing the servlet from http://localhost:8080/secure/; but the submit button results in error 404 Not Found for path /j_security_check. We are using the JBoss-2.4.1_Jetty-3.1.RC9-1 development environment under Windows 98.

      We would like to know two things:
      1. Where to define the username/password and groups for authorization.
      2. Any other JBoss-specific XML file to be included in the .war file.

      Thanks & regards.
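Two things in the posted web.xml are worth checking before going further, and a small audit script makes them concrete. This is an added example, not code from the thread: it parses the question's descriptor (reproduced below as a constructed string, wrapped in the `<web-app>` root element a deployable web.xml needs) and reports (1) that listing `<http-method>` elements narrows the constraint to exactly those verbs, so HEAD, PUT, DELETE, OPTIONS and TRACE on `/secure/*` are left unconstrained (omitting `<http-method>` covers every verb), (2) any role named in an `<auth-constraint>` but not declared in `<security-role>`, and (3) FORM login combined with `<transport-guarantee>NONE`, which posts j_username/j_password to j_security_check in cleartext. A `harden()` helper produces the corrected descriptor so the two can be compared.

```python
import xml.etree.ElementTree as ET

# Constructed input: the descriptor fragment from the question, wrapped in the
# <web-app> root element that a deployable web.xml needs (assumed, not posted).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/LoginForm.html</form-login-page>
      <form-error-page>/LoginError.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
"""

# Verbs a container routes.  A constraint that lists <http-method> elements
# applies only to the listed verbs; every other verb on the same url-pattern
# is unconstrained.  Omitting <http-method> altogether covers all verbs.
KNOWN_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


def text_of(parent, tag):
    """Stripped text of the first child <tag>, or None if absent/empty."""
    node = parent.find(tag) if parent is not None else None
    return node.text.strip() if node is not None and node.text else None


def audit(xml_text):
    """Return a list of findings (one string each) for a web.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    auth_method = text_of(root.find("login-config"), "auth-method")
    declared = {text_of(sr, "role-name") for sr in root.findall("security-role")}

    for sc in root.findall("security-constraint"):
        patterns, listed = [], set()
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            listed |= {m.text.strip().upper() for m in wrc.findall("http-method")}
        where = ", ".join(patterns)

        # 1. Verb tampering: an explicit verb list leaves the rest open.
        if listed:
            open_verbs = [v for v in KNOWN_METHODS if v not in listed]
            findings.append(f"{where}: constraint covers only {sorted(listed)}; "
                            f"unconstrained verbs: {open_verbs}")

        # 2. Every role the constraint names must be declared in <security-role>.
        auth = sc.find("auth-constraint")
        named = {r.text.strip() for r in auth.findall("role-name")} if auth is not None else set()
        for role in sorted(named - declared):
            findings.append(f"{where}: role {role!r} is not declared in <security-role>")

        # 3. FORM login posts j_username/j_password; with NONE they go in cleartext.
        guarantee = text_of(sc.find("user-data-constraint"), "transport-guarantee") or "NONE"
        if auth_method == "FORM" and guarantee == "NONE":
            findings.append(f"{where}: FORM login with transport-guarantee NONE; "
                            "credentials are posted to j_security_check in cleartext")
    return findings


def harden(xml_text):
    """Copy of the descriptor with verb lists removed (constraint now covers
    every verb) and transport-guarantee raised to CONFIDENTIAL."""
    root = ET.fromstring(xml_text)
    for wrc in list(root.iter("web-resource-collection")):
        for m in wrc.findall("http-method"):
            wrc.remove(m)
    for tg in root.iter("transport-guarantee"):
        tg.text = "CONFIDENTIAL"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(WEB_XML):
        print("posted web.xml:", finding)
    print("hardened web.xml findings:", audit(harden(WEB_XML)))
```

Run against the posted descriptor it reports the open verbs and the cleartext login; run against `harden(WEB_XML)` it reports nothing. Removing the `<http-method>` list is the usual fix when the intent is "everything under /secure/* requires admin", which is what the question's comment says.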

        • 1. Re: JBoss Form-based Login Question
          aleung_ca

          I use FORM authentication in jboss-tomcat; it is fine. I can give you my config as follows (hope that it is similar):

          You need to specify the security-domain in a file jboss-web.xml under the WEB-INF folder of your war file, something as follows:

          <?xml version="1.0" encoding="UTF-8"?>

          <jboss-web>
          <security-domain>java:/jaas/example1</security-domain>
          </jboss-web>

          Where the security-domain "java:/jaas/example1" is defined in the auth.conf file (under <jboss-jetty home>/conf) as follows:

          example1 {
            // A properties file LoginModule that supports CallerPrincipal mapping
            org.jboss.security.auth.spi.UsersRolesLoginModule required;
          };

          Then you need to specify the user names in the file users.properties and map the role name of the user in the file roles.properties (in your example, it should map to role "admin"). Both of these files should be in the top directory of your war file.

          You can read http://www.jboss.org/documentation/HTML/ch13s70.html for details.

          • 2. Re: JBoss Form-based Login Question
            ikestrel

            You might want to upgrade to a newer version of Jetty. I don't remember which version, but the j_security_check 404 bug was fixed recently. Try upgrading and see if that fixes your problem.

            • 3. Re: JBoss Form-based Login Question
              kuding2000

              You'd better place user and role information in a database; it is more flexible than properties files.

              • 4. Re: JBoss Form-based Login Question
                oliver.ouyang

                > You'd better place user and role information in a
                > database; it is more flexible than properties files.


                But how can I do it?

                • 5. Re: JBoss Form-based Login Question
                  foglesa

                  You can set up a database login module fairly easily. Make a table for the roles, and one for users/passwords. In my case the users table is multi-purposed, but it has a username and password field. (You can call them whatever you want.)

                  They are your basic varchar(64) fields.

                  The roles table is a bit more complex... it has 3 fields (this is not the "complex" part); they are...

                  USERNAME
                  ROLE
                  ROLEGROUP

                  Again, they are varchar(64) fields...

                  Now the data in the user table is obvious. (Let's assume you named the fields username and password.... if not, later when we do auth.conf, change the names there.)

                  In the role table you will have minimally 2 rows per user...

                  So for my user (foglesa) they will look like this...

                  username   role             rolegroup
                  foglesa    someRole         Roles
                  foglesa    Caller_foglesa   Caller_Principal

                  You can have multiple roles simply by adding more entries with a different 'role' in rolegroup Roles.

                  Now add a configuration to auth.conf like this...

                  datalogin {
                    // dsJndiName: the DataSource the module uses to run the two queries;
                    // principalsQuery returns the stored password for the bound userName,
                    // rolesQuery returns (role, role group) pairs for the same user.
                    org.jboss.security.auth.spi.DatabaseServerLoginModule required
                      dsJndiName="java:/someDS"
                      principalsQuery="select Password from users where userName=?"
                      rolesQuery="select Role, RoleGroup from Roles where userName=?";
                  };


                  now in a jboss.xml or jboss-web.xml you can denote security by adding the line

                  <security-domain>java:/jaas/datalogin</security-domain>

                  Easy maintenance.

                  Al

                  P.S. This is all covered quite well in the docs. Search on JAAS on the documents page and you should come up with it quite fast (I forget the URL right offhand).
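Reply 1 (users.properties / roles.properties) and reply 5 (the users and Roles tables) describe the same lookup against two different stores, so one worked example covers both. This is an added example, not code from the thread or from JBoss: it mirrors what the two login modules do with those stores, using constructed sample data (the user names, the passwords `secret` and `hunter2`, and the extra `admin` role are all made up here). The properties-file layout is the one UsersRolesLoginModule reads: `user=password` in users.properties, `user=role1,role2` in roles.properties for the default `Roles` group, and `user.<Group>=...` for any other group. The sample rows use `CallerPrincipal` as the group name, which is the spelling JBoss looks for; reply 5 writes it as `Caller_Principal`. The two SQL strings are taken verbatim from reply 5 and are bound with a parameter, as the module's PreparedStatement does, rather than interpolated.

```python
import sqlite3

# Constructed sample of the two files UsersRolesLoginModule reads.
USERS_PROPERTIES = """\
# users.properties (constructed sample; passwords are stored in plaintext)
foglesa=secret
charlesrk=hunter2
"""
ROLES_PROPERTIES = """\
# roles.properties (constructed sample)
# user=role,...            -> roles in the default "Roles" group
# user.<Group>=role,...    -> roles in another group, e.g. CallerPrincipal
foglesa=someRole,admin
foglesa.CallerPrincipal=Caller_foglesa
charlesrk=someRole
charlesrk.CallerPrincipal=Caller_charlesrk
"""

# The two queries exactly as posted for DatabaseServerLoginModule; the '?'
# is bound to the user name (PreparedStatement there, sqlite3 here), never
# pasted into the SQL string.
PRINCIPALS_QUERY = "select Password from users where userName=?"
ROLES_QUERY = "select Role, RoleGroup from Roles where userName=?"


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def group_roles(pairs):
    """Turn (role, group) pairs into {group: {roles}}."""
    groups = {}
    for role, group in pairs:
        groups.setdefault(group, set()).add(role)
    return groups


def properties_login(username, password):
    """Properties-file lookup: returns {group: roles} on success, else None."""
    users = parse_properties(USERS_PROPERTIES)
    if users.get(username) != password:      # plaintext comparison, as the file is
        return None
    pairs = []
    for key, value in parse_properties(ROLES_PROPERTIES).items():
        name, _, group = key.partition(".")  # "user" or "user.Group"
        if name == username:
            pairs += [(r.strip(), group or "Roles") for r in value.split(",") if r.strip()]
    return group_roles(pairs)


def build_db():
    """In-memory version of the table layout from reply 5 with the same sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userName VARCHAR(64) PRIMARY KEY, Password VARCHAR(64));
        CREATE TABLE Roles (userName VARCHAR(64), Role VARCHAR(64), RoleGroup VARCHAR(64));
        INSERT INTO users VALUES ('foglesa', 'secret'), ('charlesrk', 'hunter2');
        INSERT INTO Roles VALUES
            ('foglesa',   'someRole',         'Roles'),
            ('foglesa',   'admin',            'Roles'),
            ('foglesa',   'Caller_foglesa',   'CallerPrincipal'),
            ('charlesrk', 'someRole',         'Roles'),
            ('charlesrk', 'Caller_charlesrk', 'CallerPrincipal');
    """)
    return conn


def database_login(conn, username, password):
    """Database lookup using the posted queries: {group: roles} or None."""
    row = conn.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None or row[0] != password:
        return None
    return group_roles(conn.execute(ROLES_QUERY, (username,)).fetchall())


def has_role(groups, role):
    """Authorization check for an <auth-constraint>: only the 'Roles' group counts."""
    return groups is not None and role in groups.get("Roles", set())


if __name__ == "__main__":
    conn = build_db()
    for user, pw in (("foglesa", "secret"), ("charlesrk", "hunter2"), ("foglesa", "wrong")):
        print(user, properties_login(user, pw), database_login(conn, user, pw))
```

Both stores yield the same result for the same user: the `Roles` group is what `<auth-constraint>` is checked against (so only foglesa satisfies `admin` here), while the `CallerPrincipal` group carries the name the application sees as the caller. Switching from the properties files to the database therefore changes only the `auth.conf` entry and the `security-domain` in jboss-web.xml, not web.xml.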