13 Replies Latest reply on Feb 3, 2003 2:15 AM by gary_kephart

    Simple Securing of a Web Page

    bferguson2

      I posted this in the Beginner's Corner but did not get any responses. I think that it is a very basic thing, I am just new to JBOSS and J2EE in general.

      I have been trying to pull together just a simple example of how to secure a web page. I have a web page called: Secured.html in the directory com/pav/web.

      When I attempt to access the Secured.html page, it pops up the Basic Auth dialog. Then, no matter what I type in for username and password, it takes me to the Secured.html screen.

      I'm sure that I am missing something really basic.

      Most of the stuff in the files below is pulled together as best I can figure out from the JBOSS documentation.

      Thanks in advance,
      --Bruce

      ------- web.xml snippet --------
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>The Login Stuff</web-resource-name>
          <url-pattern>/com/pav/web/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>AuthorizedUser</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>The Restricted Zone</realm-name>
      </login-config>

      <security-role>
        <!-- free text is not valid here; the servlet DTD expects a <description> element before <role-name> -->
        <description>The role required to access</description>
        <role-name>AuthorizedUser</role-name>
      </security-role>

      --------- jboss-web.xml ----------

      <jboss-web>
        <security-domain>java:/jaas/other</security-domain>
      </jboss-web>


      ---------- the war file ----------
      META-INF/
      META-INF/MANIFEST.MF
      com/
      com/pav/
      com/pav/web/
      com/pav/web/Secured.html
      users.properties
      roles.properties
      WEB-INF/
      WEB-INF/web.xml
      WEB-INF/jboss-web.xml

        • 1. Re: Simple Securing of a Web Page

          The "other" security domain is normally mapped to a simple login module that accepts any login/password pair. Try setting up the UsersRolesLoginModule. It allows multiple users and roles to be set up by creating two property files.

          • 2. Re: Simple Securing of a Web Page
            bferguson2

            I am apparently more confused than I thought.

            I looked in the 'login-config.xml' and found the "other" policy and it appears to be configured as a "UsersRolesLoginModule". The description of this policy in the comments seems to imply that it uses the two property files that you mention.

            Confused..
            --Bruce II

            • 3. Re: Simple Securing of a Web Page

              No, you are not confused. I forgot I removed the other from my login-config.xml. I thought it was being picked up from auth.conf where it is using the simple server login module. Sorry for the confusion.

              • 4. Re: Simple Securing of a Web Page
                bferguson2

                Glad I am not completely confused!!!
                However, I still do not know why it doesn't work.

                I also went and changed it to be FORM based instead of BASIC, created a simple login form with the j_username, j_password fields and ACTION="j_security_check".

                Just like the BASIC auth example above, no matter what I type in the username and password fields, it takes me to the secured page.

                I have run out of ideas to try??????
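As an added example (not part of the original thread), here is the FORM-based variant described in the post above written out in full: the web.xml `login-config` that switches from BASIC to FORM, and the login page with the `j_username`, `j_password` and `j_security_check` names the servlet specification fixes. The file names `login.html` and `login-error.html` are assumptions; the URL pattern and role name are the ones from the original question.

```xml
<!-- WEB-INF/web.xml (added example). login.html and login-error.html are assumed names. -->
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured pages</web-resource-name>
      <!-- only this subtree is protected; the login page itself lives outside it -->
      <url-pattern>/com/pav/web/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AuthorizedUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- NONE sends the form fields in clear text; CONFIDENTIAL forces HTTPS -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>The Restricted Zone</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <description>The role required to access the secured pages</description>
    <role-name>AuthorizedUser</role-name>
  </security-role>
</web-app>

<!-- login.html (added example). The field names and the action URL are dictated
     by the servlet spec; the container intercepts the POST to j_security_check. -->
<html>
  <body>
    <form method="POST" action="j_security_check">
      <input type="text" name="j_username">
      <input type="password" name="j_password">
      <input type="submit" value="Log in">
    </form>
  </body>
</html>
```

Two things worth checking when a FORM setup behaves like the one in the thread: the login and error pages must sit outside the constrained `url-pattern` (otherwise the container cannot serve them without first authenticating), and the `auth-method` only decides how credentials are collected. Whether a submitted pair is accepted is decided entirely by the login module behind the `security-domain` in jboss-web.xml, which is why changing BASIC to FORM cannot by itself fix an "everything is accepted" symptom.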

                • 5. Re: Simple Securing of a Web Page
                  bferguson2

                  Another bit of information is that it does not seem to care what I put in my jboss-web.xml file for the security domain.

                  I can change it to: java:/fred/barney and the application behaves just as it did before.

                  However, I know that it is parsing the file because if I put something in the file that violates the structure of the file (like misspelling <security-domain>), it throws an exception on deployment.

                  • 6. Re: Simple Securing of a Web Page

                    What other domains are defined in your login-config.xml?
                    Are any of them using the SimpleServerLoginModule?

                    There is some logic, that escapes me at the moment, regarding presenting the login to all the login modules listed in the configuration. It seems to me that given that the name in the jboss-web.xml does not seem to matter it has to be being picked up by another domain.

                    Did you by any chance introduce a typo in the login-config.xml for the "other" domain?

                    • 7. Re: Simple Securing of a Web Page

                      I just noticed that you have the property files in the root of your war file. The login module cannot find these files in this location. Try moving them to a location that is on the classpath like the conf directory. If you want to partition the users by web app, rename the files and set the property file name options in login-config.xml.



                      • 8. Re: Simple Securing of a Web Page
                        johnsilver

                        This is the most basic authorization that I got working today.
                        Hope it helps.

                        • 9. Re: Simple Securing of a Web Page
                          bferguson2

                          I tried moving the user and role file to the conf directory and still it doesn't work.

                          I went to the jmx-console, selected JNDIView and executed the list method. Here are the results for the java: Namespace

                          ------------------(Begin java: Namespace)------------

                          +- DefaultDS (class: org.jboss.resource.adapter.jdbc.local.LocalDataSource)
                          +- XAConnectionFactory (class: org.jboss.mq.SpyXAConnectionFactory)
                          +- SecurityProxyFactory (class: org.jboss.security.SubjectSecurityProxyFactory)
                          +- DefaultJMSProvider (class: org.jboss.jms.jndi.JBossMQProvider)
                          +- CounterService (class: org.jboss.varia.counter.CounterService)
                          +- comp (class: javax.naming.Context)
                          +- JmsXA (class: org.jboss.resource.adapter.jms.JmsConnectionFactoryImpl)
                          +- ConnectionFactory (class: org.jboss.mq.SpyConnectionFactory)
                          +- jaas (class: javax.naming.Context)
                          | +- JmsXARealm (class: org.jboss.security.plugins.SecurityDomainContext)
                          | +- jbossmq (class: org.jboss.security.plugins.SecurityDomainContext)
                          | +- http-invoker (class: org.jboss.security.plugins.SecurityDomainContext)
                          +- timedCacheFactory (class: javax.naming.Context)
                          Failed to lookup: timedCacheFactory, errmsg=null
                          +- TransactionPropagationContextExporter (class: org.jboss.tm.TransactionPropagationContextFactory)
                          +- Mail (class: javax.mail.Session)
                          +- StdJMSPool (class: org.jboss.jms.asf.StdServerSessionPoolFactory)
                          +- TransactionPropagationContextImporter (class: org.jboss.tm.TransactionPropagationContextImporter)
                          +- TransactionManager (class: org.jboss.tm.TxManager)

                          --------------------(End java: Namespace)-----------

                          I noticed that under the jaas entry there is: JmsXARealm and jbossmq (both of which are in my login-config.xml file) but all the other ones (such as "other") are not there.

                          Should they be????

                          This is a straight installation (unzip, run.sh -c default) with no changes?

                          Help..............????????
                          --Bruce II

                          • 10. Re: Simple Securing of a Web Page
                            bferguson2

                            I apologize if this is posted twice, but machine lost power almost exactly as I pressed the "Post Message" button.


                            • 11. Re: Simple Securing of a Web Page
                              brucel

                              Hi Bruce,

                              I'm also new to the security part of JBoss so have been working on a simple test case as well.

                              I've attached an EAR file, which contains one really simple WAR file, which should authenticate a user trying to access the index.html page.

                              To use:
                              1. deploy
                              2. type http://localhost:8080/test/
                              3. the login is bruce, password bruce

                              Hope it helps you out!
                              Regards
                              Bruce

                              • 12. Re: Simple Securing of a Web Page
                                gary_kephart

                                > Hi Bruce,
                                >
                                > I'm also new to the security part of JBoss so have
                                > been working on a simple test case as well.
                                >
                                > I've attached an EAR file, which contains one really
                                > simple WAR file, which should authenticate a use
                                > trying to access the index.html page

                                You're missing the next step. What about "myrealm"? Those are in the web.xml and jboss-web.xml files, but those are client files. What about the server side? Does "myrealm" show up in login-config.xml? What's the connection between "myrealm" and the users.properties and the roles.properties files?

                                • 13. Re: Simple Securing of a Web Page
                                  gary_kephart


                                  "gary_kephart" wrote:
                                  > this is the most basic authorization that i got
                                  > working today
                                  > hope it helps


                                  How is "wrox" mapped to the users.properties and roles.properties files?
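The question raised in the last two replies (how a realm name such as "myrealm" or "wrox" is connected to users.properties and roles.properties) and the earlier suggestion to move the property files onto the classpath and give them per-application names are two halves of the same wiring. As an added example that is not part of the thread or of either attached archive, here is that server-side half written out. The policy name `pav-realm`, the file names `pav-users.properties` / `pav-roles.properties`, the `server/default/conf` location (the `run.sh -c default` configuration mentioned above) and the user entries are all constructed for the example.

```xml
<!-- server/default/conf/login-config.xml (added example).
     The application-policy name is the part of the jboss-web.xml security-domain
     that follows the java:/jaas/ prefix; "pav-realm" is an assumed name. -->
<policy>
  <application-policy name="pav-realm">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <!-- Without these two options the module looks for users.properties and
             roles.properties on the classpath. Naming them per application lets
             several web apps keep separate user sets in the same conf directory. -->
        <module-option name="usersProperties">pav-users.properties</module-option>
        <module-option name="rolesProperties">pav-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>

<!-- WEB-INF/jboss-web.xml: binds this web app to the policy above. -->
<jboss-web>
  <security-domain>java:/jaas/pav-realm</security-domain>
</jboss-web>

<!-- server/default/conf/pav-users.properties (constructed sample).
     Format: username=password, one user per line. -->
bruce=example-password

<!-- server/default/conf/pav-roles.properties (constructed sample).
     Format: username=role[,role...]; the role must match a <role-name> in web.xml. -->
bruce=AuthorizedUser
```

The chain a login follows is: `<role-name>` in web.xml names the role the page requires; `<security-domain>` in jboss-web.xml names the JAAS application policy; that policy's login module reads the two property files and reports which roles the authenticated user holds. A useful check for the symptom in this thread is that JAAS falls back to the entry named "other" whenever the requested policy name does not exist, so a security-domain that is misspelled, or that names a policy which was never defined, still authenticates, silently, through whatever "other" is configured to do. Because the users file holds passwords in clear text, it should be readable only by the account the server runs as.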