3 Replies Latest reply on Nov 7, 2002 3:55 PM by sweber

    Securing multiple web resources

    sweber

      I got FORM login working on my webapp using first the default "other" application-policy then my own DatabaseServerLoginModule -- my thanks to those who posted the solutions to their problems on this forum, those answers got me unstuck in several places. But now I want to have more than one security-constraint, since one section of my web-app is visible only to designers, another only to authors.

      So here is the relevant snippet from web.xml:

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Notes</web-resource-name>
      <url-pattern>/note/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Administrator</role-name>
      <role-name>Author</role-name>
      </auth-constraint>
      </security-constraint>

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Notedefs</web-resource-name>
      <url-pattern>/list/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Administrator</role-name>
      <role-name>Designer</role-name>
      </auth-constraint>
      </security-constraint>

      As you can see, Administrators are allowed to see both sections. Unfortunately, when logged in as an Administrator, I am being forced to re-present my credentials every time I switch to a new context. I can even get it to re-present the login page by just hitting refresh on one of the pages in the /list context, but (most mysteriously) not others. Could this have something to do with the browser perhaps?

      So I guess my question is: Is it expected behavior when browsing from one security-constraint context to another to have your current logon credentials discarded? If so, would you consider changing this? And if not, what am I doing wrong?

      thanks in advance, susan

        • 1. FORM login doesn't stick
          sweber

          Hrm, never mind, I rolled back to BASIC authentication and found that multiple security-constraints work great. The issue I am seeing is that my FORM authentication is only appearing to work, that is, it will let me log in once, and even show me the page I requested, but as soon as I navigate to any other page (regardless of whether it is in the same context) I am forced to re-present my credentials. All else remaining equal, when I edit web.xml and change

          <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>other</realm-name>
          </login-config>

          to

          <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>other</realm-name>
          <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/fail_login.html</form-error-page>
          </form-login-config>
          </login-config>

          I can trigger the login page by either refreshing the current page (certain pages always refresh fine, others always force me to re-login) or browsing to a new page.

          My login.jsp is painfully simple:

          Please log in:

          UserName:

          Password:

          When I log in, I see the following on the console:

          14:39:48,919 DEBUG [JBossUserRealm#other] JBossUserPrincipal: admin
          14:39:48,919 DEBUG [JBossUserRealm#other] created JBossUserRealm::JBossUserPrincipal: admin
          14:39:48,919 DEBUG [JBossUserRealm#other] authenticating: Name:admin Password:****
          14:39:48,965 DEBUG [JBossUserRealm#other] authenticated: admin
          14:39:48,965 DEBUG [JBossUserRealm#other] setting JAAS subjectAttributeName(j_subject) : Subject:
          Principal: admin
          Principal: Roles

          I am then redirected to the login_failed page.(!?) But when I browse from there to another page in the site, I am shown the requested page, and I see the following on the console:

          14:40:34,653 DEBUG [JBossUserRealm#other] authenticating: Name:admin Password:****
          14:40:34,653 DEBUG [JBossUserRealm#other] authenticated: admin
          JBossUserPrincipal: admin is NOT in Role: Author
          14:40:34,653 DEBUG [JBossUserRealm#other] JBossUserPrincipal: admin is NOT in Role: Designer
          14:40:34,653 DEBUG [JBossUserRealm#other] JBossUserPrincipal: admin is in Role:Administrator

          So I *have* logged in... or haven't I? I am using the following to trace what is going on... any other classes I should be looking at?

          thanks in advance...

          • 2. Re: Securing multiple web resources
            sweber

            gah, I suck, I had a call to session.invalidate() in a few key jsps. operator error! everything works as expected.

            ciao
            s.

            • 3. Re: Securing multiple web resources
              sweber

              hm, the board ate my final post, so I will re-post. the problem was of course operator error -- I had calls to session.invalidate() in certain jsps. everything works as expected.
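An added example illustrating the resolution of this thread (not code from the original posts): with FORM login the container keeps the authenticated principal in the HttpSession, so any JSP that calls session.invalidate() silently logs the user out, while BASIC auth hides the mistake because the browser resends the Authorization header on every request. The servlet below confines session.invalidate() to a dedicated logout URL and shows how ordinary pages should reset their own state instead; the attribute names, the /index.jsp redirect target and the servlet class name are assumptions.

```java
// Added example, not from the thread. Servlet 2.3-era API (javax.servlet), no annotations;
// map this class to e.g. /logout in web.xml.
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {

    // Hypothetical application attributes that a page may want to discard between edits.
    // Removing these is the correct replacement for the session.invalidate() calls that
    // were scattered through the JSPs: it clears app state but keeps the FORM login intact.
    private static final List<String> DRAFT_ATTRIBUTES =
            Arrays.asList("currentNote", "currentNotedef");

    public static void clearDraftState(HttpSession session) {
        if (session == null) {
            return;
        }
        for (String name : DRAFT_ATTRIBUTES) {
            session.removeAttribute(name);
        }
        // The container's own authentication state lives in the same session but is
        // not touched, so request.getRemoteUser() and isUserInRole() keep working.
    }

    // The only place in the webapp that is allowed to invalidate the session:
    // for FORM authentication this is what "log out" means.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Redirect to a public page; redirecting to a URL under a security-constraint
        // would simply present login.jsp again, which is the symptom seen in this thread.
        resp.sendRedirect(req.getContextPath() + "/index.jsp");
    }
}
```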