JAAS & FORM/BASIC authentication
nukleopatra Dec 7, 2001 9:20 PM
I've tried this on the JBoss2.4.3/Jetty3.1.3-1 combo AND the JBoss2.4.3/Tomcat3.2.3 combo and get the same results, so I guess it's something to do with the setup.
I'm trying to secure a certain url-pattern, but every time I hit that context root, it lets me in without any authentication prompts, etc.
I've tried BASIC authentication as well as FORM-based, but neither works. Here are my configuration files - can someone tell me what is wrong?
-------------------------------------------------------
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN' 'http://java.sun.com/j2ee/dtds/web-app_2_2.dtd'>
<web-app>
<!-- Top-level elements in the order web-app_2_2.dtd requires:
     servlet, session-config, welcome-file-list, security-constraint,
     login-config, security-role -->
<servlet>
<servlet-name>home</servlet-name>
<jsp-file>home.jsp</jsp-file>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet>
<servlet-name>setup</servlet-name>
<jsp-file>setup.jsp</jsp-file>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet>
<servlet-name>customize</servlet-name>
<jsp-file>customize.jsp</jsp-file>
<load-on-startup>0</load-on-startup>
</servlet>
<session-config>
<!-- session-timeout is in minutes -->
<session-timeout>500</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>home.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>AdminPages</web-resource-name>
<description>Security for iPac2.0 Administration</description>
<!-- Path mapping: covers /admin itself and everything below /admin/.
     With no http-method elements the constraint applies to every HTTP method. -->
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<!-- NONE: no TLS required; FORM credentials travel in clear text -->
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<!-- The login page must POST j_username/j_password to j_security_check -->
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Authorized iPac2.0 Administrators</description>
<role-name>admin</role-name>
</security-role>
</web-app>
*Note: I've tried putting the standard http-methods (GET, POST, PUT, etc.) in the web-resource-collection too, but that didn't work either. I'm of the understanding that by putting NOTHING here, ALL methods are secured.(??)
-------------------------------------------------------
jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/ipac20admin</security-domain>
</jboss-web>
-------------------------------------------------------
auth.conf (in proper conf/jetty or conf/tomcat dir):
// Put login modules providing authentication and realm mappings
// for security domains.
// The application policy name must match the last segment of the
// jboss-web.xml security-domain (java:/jaas/ipac20admin -> ipac20admin).
ipac20admin {
org.jboss.security.auth.spi.DatabaseServerLoginModule required
dsJndiName="java:/ipac_admin"
// Must return a single column: the password stored for the principal name
principalsQuery="SELECT PASSKEY FROM PRINCIPALS WHERE PRINCIPALID=?"
// Must return (role name, role group); only rows whose group is 'Roles'
// become the roles checked against <auth-constraint>
rolesQuery="SELECT ROLE_ID, ROLEGROUP FROM ROLES WHERE PRINCIPALID=?"
;
};
simple {
org.jboss.security.auth.spi.SimpleServerLoginModule required;
};
client-login {
org.jboss.security.ClientLoginModule required;
};
// The default server login module
other {
org.jboss.security.auth.spi.UsersRolesLoginModule required
unauthenticatedIdentity="nobody";
};
-------------------------------------------------------
Anything else anyone needs?
If I go to the login form manually and try to log in, I get a /j_security_check not found error. I read somewhere that this won't work if you hit it manually.
I really hope someone can shed some light on this because I've been staring at this problem for over 6 hours now!
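The post's open question is whether a web-resource-collection with no http-method elements protects every method. The following checker is an added example, not code from the original post or from JBoss, Jetty or Tomcat: it parses a web.xml fragment modelled on the post's /admin/* constraint (plus a hypothetical /reports/* constraint that lists only GET and POST, constructed here for contrast), applies the Servlet 2.2 url-pattern and http-method rules, and reports which requests are actually covered. It runs offline against the embedded sample; the function and variable names are its own.

```python
"""Which requests does a Servlet 2.2 <security-constraint> actually cover?

Added example (not from the original post or any container's source).  It
parses a web.xml fragment and applies the spec's URL-pattern and http-method
matching rules so the effect of an empty or explicit <http-method> list can
be seen without deploying anything.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the post's AdminPages constraint (no http-method, so it
# covers every method) next to a hypothetical /reports/* constraint that lists
# only GET and POST.  Neither comes from a running server.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ReportsGetPostOnly</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def pattern_matches(pattern, path):
    """Servlet-spec URL pattern matching: default, path prefix, extension, exact."""
    if pattern == "/":                      # default mapping matches everything
        return True
    if pattern.endswith("/*"):              # /admin/* covers /admin and /admin/...
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):            # extension mapping, e.g. *.jsp
        return path.endswith(pattern[1:])
    return path == pattern                  # exact mapping


def load_constraints(xml_text):
    """Flatten every web-resource-collection into one dict per collection."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        for wrc in sc.findall("web-resource-collection"):
            constraints.append({
                "patterns": [p.text.strip() for p in wrc.findall("url-pattern")],
                # Empty set: the collection applies to every HTTP method.
                "methods": {m.text.strip().upper() for m in wrc.findall("http-method")},
                # None: no auth-constraint at all, so the resource is open.
                "roles": None if auth is None
                         else {r.text.strip() for r in auth.findall("role-name")},
            })
    return constraints


def required_roles(constraints, method, path):
    """Roles a request needs: None if no constraint covers it, else a set
    (an empty set means no role is allowed, i.e. access is denied outright).
    Simplification: roles of every matching collection are unioned; real
    containers additionally rank exact > prefix > extension patterns."""
    roles = None
    for c in constraints:
        if c["roles"] is None:
            continue
        if c["methods"] and method.upper() not in c["methods"]:
            continue
        if any(pattern_matches(p, path) for p in c["patterns"]):
            roles = set(c["roles"]) if roles is None else roles | c["roles"]
    return roles


def verb_tampering_gaps(constraints, path,
                        probe=("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")):
    """Methods that reach `path` with no constraint although other methods
    on the same path are constrained: the classic explicit-http-method hole."""
    covered = {m for m in probe if required_roles(constraints, m, path) is not None}
    return set(probe) - covered if covered else set()


if __name__ == "__main__":
    cs = load_constraints(WEB_XML)
    for method, path in [("GET", "/admin/users.jsp"), ("PUT", "/admin"),
                         ("GET", "/home.jsp"), ("HEAD", "/reports/q"), ("GET", "/adminx")]:
        print(f"{method:8}{path:20} roles required: {required_roles(cs, method, path)}")
    print("unconstrained methods on /reports/q:", sorted(verb_tampering_gaps(cs, "/reports/q")))
```

Running it shows the post's /admin/* constraint requiring the admin role for every method and for /admin itself, /home.jsp and /adminx left open, and the GET/POST-only variant leaving HEAD, PUT, DELETE, OPTIONS and TRACE on /reports/* unprotected, which is why leaving http-method out is the safer choice when the intent is to protect the whole path.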