1 Reply Latest reply on Sep 20, 2002 6:10 PM by rothfield

    Help, servlet form based validation

    rothfield

      I'm using JBoss-2.4.6_Tomcat-4.0.3.

I'm setting up authentication. I've got it now so that the system brings up a login.jsp. The problem is that the web tier authentication allows any login/password combination and that isInRole doesn't work on the web tier. The ejb tier works properly, in that it checks the roles and throws an exception if the user is unauthorized. "example2" is what I'm using in auth.conf. Question: do I need to add "example2" to /jboss/client/auth.conf ??? It seems that the web tier validation is putting up login.jsp as specified, but then not validating against the database.
      Also, how do I log out the user later? I believe I would need the LoginContext object.

      Thanks, John


      --------------from web.xml -------
      <!-- JR 9/2002 -->

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>alldocs</web-resource-name>
      <url-pattern>/do/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>my_role</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <!-- Default login configuration uses form-based authentication -->
      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
      </form-login-config>
      </login-config>



      <security-role>
      <description>My Role Description</description>
      <role-name>my_role</role-name>
      </security-role>

      -------------from jboss-web.xml ---------------
      <!-- jr All secured web content uses this security manager -->
      <security-domain>java:/jaas/example2</security-domain>

      -------------- standardjboss.xml -----
      <security-domain>java:/jaas/example2</security-domain>

      ---------------jboss.jcml ---------
      <!-- JAAS security manager and realm mapping -->

      org.jboss.security.plugins.JaasSecurityManager
      Security:name=DefaultLoginConfig


      auth.conf


      ------------------------ jboss/conf/catalina/auth.conf ---
      // Put login modules providing authentication and realm mappings
      // for security domains.


      simple {
      // Very simple login module:
      // any user name is accepted.
      // password should either coincide with user name or be null,
      // all users have role "guest",
      // users with non-null password also have role "user"
      org.jboss.security.auth.spi.SimpleServerLoginModule required;
      };

      // Used by clients within the application server VM such as
      // mbeans and servlets that access EJBs.
      client-login {
      org.jboss.security.ClientLoginModule required;
      };

      other {
      // A simple server login module, which can be used when the number
      // of users is relatively small. It uses two properties files:
      // users.properties, which holds users (key) and their password (value).
      // roles.properties, which holds users (key) and a comma-separated list of their roles (value).
      // The unauthenticatedIdentity property defines the name of the principal
      // that will be used when a null username and password are presented as is
      // the case for an unauthenticated web client or MDB. If you want to
      // allow such users to be authenticated add the property, e.g.,
      // unauthenticatedIdentity="nobody"
      org.jboss.security.auth.spi.UsersRolesLoginModule required;
      };



      example2 {
      /* A JDBC based LoginModule
      LoginModule options:
      dsJndiName: The name of the DataSource of the database containing the Principals, Roles tables
      principalsQuery: The prepared statement query equivalent to:
      "select password from user where userName=?"
      rolesQuery: The prepared statement query equivalent to:
      "select role, RoleGroup from Roles where PrincipalID=?"
      */
      org.jboss.security.auth.spi.DatabaseServerLoginModule required
      dsJndiName="java:/mySQLDS"
      principalsQuery= "select userPass from user where userName=?"
      rolesQuery="select roleName,null from userRole where userName=?"
      unauthenticatedIdentity=nobody
      ;
      };


      --------------------- jboss/client/auth.conf ---

      srp {
      // Example client auth.conf for using the SRPLoginModule
      org.jboss.security.srp.jaas.SRPLoginModule required
      password-stacking="useFirstPass"
      principalClassName="org.jboss.security.SimplePrincipal"
      srpServerJndiName="SRPServerInterface"
      debug=true
      ;

      // jBoss LoginModule
      org.jboss.security.ClientLoginModule required
      password-stacking="useFirstPass"
      ;

      // Put your login modules that need jBoss here
      };

      other {
      // Put your login modules that work without jBoss here

      // jBoss LoginModule
      org.jboss.security.ClientLoginModule required;

      // Put your login modules that need jBoss here
      };
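As an added check, not code from the thread or from JBoss, the following Python model runs the two queries from the example2 block above against a constructed in-memory SQLite database and applies the decision a database-backed login module is expected to make: an unknown user or a wrong password is rejected, and only a null username and password pair is mapped to the unauthenticatedIdentity "nobody". A web tier that accepts any login/password pair is therefore not being checked by this module at all. The sample user "john" with password "secret" and role "my_role" is constructed for the example.

```python
import hmac
import sqlite3

# Queries and options taken from the example2 entry in the thread's auth.conf.
PRINCIPALS_QUERY = "select userPass from user where userName=?"
ROLES_QUERY = "select roleName,null from userRole where userName=?"
UNAUTHENTICATED_IDENTITY = "nobody"

# Constructed sample tables matching the column names the two queries use.
SAMPLE_SCHEMA = """
create table user(userName text primary key, userPass text not null);
create table userRole(userName text not null, roleName text not null);
insert into user values ('john', 'secret');
insert into userRole values ('john', 'my_role');
"""


def open_sample_db():
    """Build the constructed in-memory database the example runs against."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def authenticate(conn, username, password):
    """Return (principal, roles) on success, None on failure.

    Only a null username *and* null password map to the unauthenticated
    identity (mirroring unauthenticatedIdentity=nobody); every other
    unknown user or password mismatch is rejected outright.
    """
    if username is None and password is None:
        return (UNAUTHENTICATED_IDENTITY, [])
    row = conn.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None:
        return None  # principals query returned no row: unknown user
    stored = row[0]
    # Constant-time comparison so a mismatch does not leak the stored value.
    if not hmac.compare_digest(stored.encode(), (password or "").encode()):
        return None
    roles = [r[0] for r in conn.execute(ROLES_QUERY, (username,))]
    return (username, roles)


def is_in_role(result, role):
    """The isInRole check the web tier should be making after login."""
    return result is not None and role in result[1]


if __name__ == "__main__":
    db = open_sample_db()
    print(authenticate(db, "john", "secret"), authenticate(db, "john", "wrong"))
```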

        • 1. Re: Help, servlet form based validation
          rothfield

          I believe my problem is in the setup of auth.conf for tomcat. In the logs I get:

          [INFO,Shutdown] Shutdown hook added
          [INFO,DefaultLoginConfig] Using JAAS LoginConfig: file:/D:/JBoss-2.4.6_Tomcat-4.0.3/jboss/conf/catalina/auth.conf
          [WARN,ConfigurationService$ServiceProxy] Security:name=DefaultLoginConfig does not implement any Service methods

          Thanks, John