I'm trying to set up a chain of login modules to support
authenticating users accessing a web application.
I can get the UsersRolesLoginModule to work fine,
but I'm now trying to chain this with the
DatabaseServerLoginModule, with little success.
If I attempt to log in with user credentials for a
user stored in the properties files for
UsersRolesLoginModule, I get an exception from the
DatabaseServerLoginModule.
Vice versa, if I attempt to log in with user credentials
for a user stored in the database for
DatabaseServerLoginModule, I get an exception from the
UsersRolesLoginModule.
The relevant section from login-conf.xml is:
<application-policy name="WebSecurityRealm">
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="sufficient">
        <module-option name="dsJndiName">java:/OracleDS</module-option>
        <module-option name="principalsQuery">select Password from Principals where PrincipalId=?</module-option>
        <module-option name="rolesQuery">select Role, RoleGroup from Roles where PrincipalId=?</module-option>
        <module-option name="unauthenticatedIdentity">nobody</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="sufficient">
        <module-option name="usersProperties">users.properties</module-option>
        <module-option name="rolesProperties">roles.properties</module-option>
        <module-option name="unauthenticatedIdentity">nobody</module-option>
    </login-module>
</application-policy>
From the documentation, I'm under the impression that
setting "flag=sufficient" for each login module means
that if a login module succeeds, then authentication is
successful, otherwise the next login module in the chain
is called. Is this correct?
Can someone point out what is wrong in the configuration
above?
I'm using JBoss 3.0.0, XDoclet 1.1.2 and Oracle 9i on Windows XP.
Thanks,
Gavin.
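
The following is an added example, not part of the original post and not JBoss code: it runs two "sufficient" modules through the JDK's own javax.security.auth.login.LoginContext so the control-flag behaviour asked about can be observed directly. StubModule, its "label" and "knownUser" options, and the users dbuser, propuser and stranger are hypothetical stand-ins for the two JBoss modules and their user stores.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class SufficientChainDemo {
    static final List<String> trace = new ArrayList<>();   // which stub ran, and its result
    // Hypothetical stub module: authenticates only the user named in its "knownUser" option.
    public static class StubModule implements LoginModule {
        private CallbackHandler handler; private Map<String, ?> opts; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> o) { handler = h; opts = o; }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            try { handler.handle(new Callback[] { name }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            ok = opts.get("knownUser").equals(name.getName());
            trace.add(opts.get("label") + (ok ? " ok" : " failed"));
            if (!ok) throw new FailedLoginException(opts.get("label") + ": unknown user");
            return true;
        }
        public boolean commit() { return ok; }   // false means "ignore me" when login() failed
        public boolean abort()  { ok = false; return true; }
        public boolean logout() { ok = false; return true; }
    }

    static AppConfigurationEntry entry(String label, String user) {
        Map<String, String> o = new HashMap<>();
        o.put("label", label); o.put("knownUser", user);
        return new AppConfigurationEntry(StubModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT, o);
    }

    static boolean authenticate(String user) {
        trace.clear();
        Configuration chain = new Configuration() {   // two sufficient modules, same order as the post
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry("database", "dbuser"), entry("properties", "propuser") };
            }
        };
        CallbackHandler h = cbs -> { for (Callback c : cbs) ((NameCallback) c).setName(user); };
        try { new LoginContext("WebSecurityRealm", new Subject(), h, chain).login(); return true; }
        catch (LoginException e) { return false; }
    }
    public static void main(String[] args) {
        // Constructed sample users: one per store, plus one known to neither.
        for (String u : new String[] { "dbuser", "propuser", "stranger" })
            System.out.println(u + " -> " + authenticate(u) + " " + trace);
    }
}
```

The trace shows which modules LoginContext actually invoked for each user; a FailedLoginException thrown by a sufficient module is held by LoginContext and only surfaces to the caller if no module in the chain succeeds.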