Can't get j_security_check to work in JBoss 3.0.2... please
richardberger Oct 5, 2002 12:10 AMStrangely, I have no problems getting JAAS working through a database, but I wanted to try the "simple" way using j_security_check.
Initially things look fine - I enter a protected URL and the login2.jsp pops up. However, whatever user/password I type in, the system authenticates it as valid.
The relevant section of my web.xml looks like:
<security-constraint>
<display-name>JBossAdmin</display-name>
<web-resource-collection>
<web-resource-name>drillservlet</web-resource-name>
An example security config that only allows users with the role DSUser to access signin
<url-pattern>/app/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>DSUser</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>DrillSgt</realm-name>
<form-login-config>
<form-login-page>/login2.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>DSUser</role-name>
</security-role>
<security-role>
<role-name>JBossAdmin</role-name>
</security-role>
I have the DrillSgt realm specified in the login-config.xml file as:
<application-policy name = "DrillSgt">
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "dsJndiName">java:/DrillDB</module-option>
<module-option name = "principalsQuery">select Password from UserDS where Email = ?</module-option>
<module-option name = "rolesQuery">select Role, RoleGroup from RoleDS where Email = ?</module-option>
</login-module>
</application-policy>
And it is also in the jboss-web.xml file as:
<?xml version="1.0" encoding="UTF-8" ?>
<jboss-web>
<security-domain>java:/jaas/DrillSgt</security-domain>
</jboss-web>
Any ideas what I am doing wrong? I have searched and searched in this forum, but nothing seems to help. I am just trying to see how j_security_check works - the JAAS code that already works is what I will use in my application - but curiousity has gotten the better of me.
Thanks in advance for any help!!!
RB