4 Replies Latest reply on Dec 20, 2001 9:42 AM by janheise

JAAS & FORM/BASIC authentication

nukleopatra Dec 7, 2001 9:20 PM

I've tried this on the JBoss2.4.3/Jetty3.1.3-1 combo AND the JBoss2.4.3/Tomcat3.2.3 combo and get the same results, so I guess it's something to do with the setup.

I'm trying to secure a certain url-pattern but everytime I hit that context root, it let's me in without any authentication prompts, etc.

I've tried BASIC authentication as well as FORM-based, but neither work. Here are my configuration files - can someone tell me what is wrong?

-------------------------------------------------------
web.xml:
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN' 'http://java.sun.com/j2ee/dtds/web-app_2_2.dtd'>

<web-app>

<servlet-name>home</servlet-name>
<jsp-file>home.jsp</jsp-file>
<load-on-startup>0</load-on-startup>

<servlet-name>setup</servlet-name>
<jsp-file>setup.jsp</jsp-file>
<load-on-startup>0</load-on-startup>

<servlet-name>customize</servlet-name>
<jsp-file>customize.jsp</jsp-file>
<load-on-startup>0</load-on-startup>

<security-constraint>
<web-resource-collection>
<web-resource-name>AdminPages</web-resource-name>
Security for iPac2.0 Administration
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

<security-role>
Authorized iPac2.0 Administrators
<role-name>admin</role-name>
</security-role>

<session-config>
<session-timeout>500</session-timeout>
</session-config>

<welcome-file-list>
<welcome-file>home.jsp</welcome-file>
</welcome-file-list>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
</web-app>

*Note: I've tried putting the standard http-methods (GET, POST, PUT, etc.) in the web-resource-collection too, but that didn't work either. I'm of the understanding that by putting NOTHING here, ALL methods are secured.(??)

-------------------------------------------------------
jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/ipac20admin</security-domain>
</jboss-web>

-------------------------------------------------------
auth.conf (in proper conf/jetty or conf/tomcat dir):
// Put login modules providing authentication and realm mappings
// for security domains.

ipac20admin {
org.jboss.security.auth.spi.DatabaseServerLoginModule required
dsJndiName="java:/ipac_admin"
principalsQuery="SELECT PASSKEY FROM PRINCIPALS WHERE PRINCIPALID=?"
rolesQuery="SELECT ROLE_ID, ROLEGROUP FROM ROLES WHERE PRINCIPALID=?"
;
};

simple {
org.jboss.security.auth.spi.SimpleServerLoginModule required;
};

client-login {
org.jboss.security.ClientLoginModule required;
};

// The default server login module
other {
org.jboss.security.auth.spi.UsersRolesLoginModule required
unauthenticatedIdentity="nobody";

};

-------------------------------------------------------

Anything else anyone needs?

If I go the login form manually and try to login, I get a /j_security_check not found error. I read somewhere that this won't work if you hit it manually.

I really hope someone can shed some light on this because I've been staring at this problem for over 6 hours now!

1. Re: JAAS & FORM/BASIC authentication

luke_t Dec 10, 2001 3:53 PM (in response to nukleopatra)

A wild guess - you talk about "hitting that context root" which sounds like you're trying to protect the whole web application context. Remember that the url pattern is relative to your web context (a common misconception), so you are protecting

/webappcontext/admin

not

/admin

in the file you have shown. But you don't say under what context name you've deployed your app, so I can't tell for sure.
Actions
2. Re: JAAS & FORM/BASIC authentication

nukleopatra Dec 13, 2001 4:28 PM (in response to nukleopatra)

That was exactly my problem. My context root was /admin, but I found out (through trial and error) that if I shifted it down a level, then I could secure it. So, the context is now /sa_tools/admin and /admin is secured.

This is a newbie question but is that some standard? That you cannot secure the application context? (/sa_tools in the example above)
Actions
3. Re: JAAS & FORM/BASIC authentication

luke_t Dec 14, 2001 11:32 AM (in response to nukleopatra)

You can't refer to the context name in your web.xml file because it may change or be specified in an ear (in the application.xml file). So you only refer to it relatively.

I've never bothered about securing the root context, and I'm not sure it would make sense because your form login page, error page and so on would go there and you have to access them without being authenticated.

I don't know the details of what takes precedence, but check the servlet spec if you really want to know - it may be possible using a url like "/*" or something.
Actions
4. Re: JAAS & FORM/BASIC authentication

janheise Dec 20, 2001 9:42 AM (in response to nukleopatra)

hey, i once did that. was quite funny to look at.
the auth stuff tried to load the login-form, the
login form was protected by security, so it tried
to load the login-form and so on. so better not do
it.
Actions

Go to original post