Catalina Realm configuration?
mlipper Feb 4, 2002 5:08 PM

OK - I must be missing something obvious (and/or doing something really bone-headed). I have set up and successfully deployed my app in JBoss-2.4.4_Tomcat-4.0.1.
My web context is deployed in Catalina using FORM based authentication and I am using the JBoss DatabaseServerLoginModule to authenticate all users. This works fine and when I request a protected web resource, Catalina behaves as expected by collecting and authenticating my form data. However when I try to reference the current request's security info
Principal principal = ((HttpServletRequest)request).getUserPrincipal();
the references are all null. I'm guessing that either I have not configured things correctly or that in order to work directly with Catalina container security (Realms?!) I have to get a proper reference like so:
// Create the initial context
Context ctx = new InitialContext();
// Look up an object
JaasSecurityManager securityManager = (JaasSecurityManager)ctx.lookup("java:/jaas/dclLogin");
I guess what I'm asking here is what is the proper way to configure/deploy my web apps so that the standard role info is available for programmatic inspection and manipulation? Selected portions of my conf files are as follows:
//auth.conf (Shown in full)
dclLogin {
org.jboss.security.auth.spi.DatabaseServerLoginModule required
dsJndiName="java:/PostgresDS"
principalsQuery="select password from customer where username=?"
rolesQuery="SELECT p.permission_type, p.role_group FROM login_account l, permission_type p WHERE p.permission_type = l.permission_type AND l.username=?"
unauthenticatedIdentity=nobody
;
};
//jboss-web.xml
<jboss-web>
  <security-domain>java:/jaas/dclLogin</security-domain>
  <ejb-ref>
    <ejb-ref-name>ejb/SecuredEJB</ejb-ref-name>
    <jndi-name>dcl/PublicSession</jndi-name>
  </ejb-ref>
  <ejb-ref>
    <ejb-ref-name>ejb/PrivateEJB</ejb-ref-name>
    <jndi-name>dcl/PrivateSession</jndi-name>
  </ejb-ref>
</jboss-web>
//web.xml
<!-- ### Security -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted</web-resource-name>
    <description>Security test</description>
    <url-pattern>/admin/*</url-pattern>
    <http-method>HEAD</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SUPER_USER</role-name>
    <role-name>RESOURCE_OWNER</role-name>
    <role-name>RESOURCE_ADMIN</role-name>
    <role-name>RESOURCE_CUSTOMER</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>Golden God!</description>
  <role-name>SUPER_USER</role-name>
</security-role>
<security-role>
  <description>Context Owner</description>
  <role-name>RESOURCE_OWNER</role-name>
</security-role>
<security-role>
  <description>Context Admin</description>
  <role-name>RESOURCE_ADMIN</role-name>
</security-role>
<security-role>
  <description>End User</description>
  <role-name>RESOURCE_CUSTOMER</role-name>
</security-role>
I haven't altered Catalina's server.xml.
Any help or advice is greatly appreciated!
Thanks,
Matt
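As an added example that is not part of the post above: a servlet filter that does the programmatic inspection the question asks about, logging what the container exposes (getAuthType, getRemoteUser, getUserPrincipal) so a null principal after a FORM login can be located, and failing closed on /admin/* if no identity or no matching role reached the application. Mapping the filter to /admin/* in web.xml and the class name AdminAccessFilter are assumptions; the role names come from the web.xml shown.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Defence-in-depth check behind the declarative /admin/* constraint.
// Assumed to be mapped to /admin/* via a <filter-mapping> in web.xml.
public class AdminAccessFilter implements Filter {

    // Same roles as the <auth-constraint> in web.xml; any one of them suffices.
    private static final String[] ALLOWED_ROLES = {
        "SUPER_USER", "RESOURCE_OWNER", "RESOURCE_ADMIN", "RESOURCE_CUSTOMER"
    };

    private FilterConfig config;

    public void init(FilterConfig filterConfig) { this.config = filterConfig; }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal principal = request.getUserPrincipal();
        // Record what the container handed the web app: this is the first
        // thing to inspect when getUserPrincipal() is null after a FORM login.
        config.getServletContext().log("authType=" + request.getAuthType()
            + " remoteUser=" + request.getRemoteUser()
            + " principal=" + (principal == null ? null : principal.getName()));

        if (principal == null) {
            // No identity propagated to the app: refuse rather than serve
            // the admin resource to an effectively anonymous caller.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!inAnyRole(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // isUserInRole() is evaluated against the roles the login module returned.
    static boolean inAnyRole(HttpServletRequest request) {
        for (int i = 0; i < ALLOWED_ROLES.length; i++) {
            if (request.isUserInRole(ALLOWED_ROLES[i])) return true;
        }
        return false;
    }
}
```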