-
1. Re: Inconsistency between JAAS in Web and EJB tiers
petertje Feb 1, 2003 8:17 AM (in response to aweissman)
Did you declare the role in the web.xml?
-
2. Re: Inconsistency between JAAS in Web and EJB tiers
aweissman Feb 3, 2003 9:45 AM (in response to aweissman)
Thanks Peter for getting back to me. Here's my web.xml:

<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <!-- the entire site is secure (/* = everything) -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secure</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <!-- only users belonging to the "Developer" group may access the site -->
        <auth-constraint>
            <role-name>Developer</role-name>
        </auth-constraint>
    </security-constraint>
    <!-- tell the app server which authentication to use and where to
         find the login page -->
    <login-config>
        <!-- use this for form based authentication -->
        <auth-method>FORM</auth-method>
        <realm-name>java:jaas/SunOneDirectory</realm-name>
        <form-login-config>
            <form-login-page>/login/loginpage.jsp</form-login-page>
            <form-error-page>/login/loginerror.jsp</form-error-page>
        </form-login-config>
        <!-- end form based authentication -->
    </login-config>
    <!-- list the possible security roles -->
    <security-role>
        <role-name>Developer</role-name>
    </security-role>
</web-app>
-
3. Re: Inconsistency between JAAS in Web and EJB tiers
petertje Feb 3, 2003 4:39 PM (in response to aweissman)
Looks perfectly well to me....
-
4. Re: Inconsistency between JAAS in Web and EJB tiers
aweissman Feb 3, 2003 5:23 PM (in response to aweissman)
Think this could be a bug?
I'm not the only one running into this, and it's not just with LDAP, it's with databases too...
-
5. Re: Inconsistency between JAAS in Web and EJB tiers
petertje Feb 6, 2003 4:12 PM (in response to aweissman)
> Think this could be a bug?
> I'm not the only one running into this, and it's not
> just with LDAP, it's with databases too...
I just wrote a test myself, and it works fine here. I can secure part of the web resources for one role, and request.isUserInRole("developer") returns true.
I'm afraid you still have something else wrong.
I noticed your realm name is something like java:/jaas etc.
You do know you must specify the security domain in a jboss-web.xml file in the war, right?
Peter
-
6. Re: Inconsistency between JAAS in Web and EJB tiers
petertje Feb 6, 2003 4:17 PM (in response to aweissman)
I forgot to mention that I tested against UsersRolesLoginModule. Maybe it's an idea for you to try this one also (at least, it could help me help you ;-))
Cheers,
Peter
-
7. Re: Inconsistency between JAAS in Web and EJB tiers
aweissman Feb 7, 2003 11:25 AM (in response to aweissman)
Thanks Peter.
I got through all of my issues yesterday and today. The documentation on how to set up your directory to utilize the LDAPLoginModule is incorrect. It took going through the server code and debugging the LDAPLoginModule itself, but I got it :)
Now I have authentication and authorization on both EJB methods and the web.
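
Added example, not part of the thread or of JBoss: a small Python check for the question the first reply asks, whether every role named in an auth-constraint has a matching security-role entry (names are compared exactly, so "developer" and "Developer" differ). Going beyond the thread, it also reports a constraint that lists http-method elements, since such a constraint covers only the listed methods. The sample descriptor is constructed, and audit_web_xml, local and texts are names made up for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, cut down from the descriptor posted in the thread;
# the undeclared "Admin" role is added here to trigger a finding.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Developer</role-name>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>Developer</role-name></security-role>
</web-app>"""


def local(tag):
    """Drop an XML namespace so namespaced (newer) descriptors also work."""
    return tag.rsplit("}", 1)[-1]


def texts(parent, name):
    """Trimmed text of every element called `name` under `parent`."""
    return [(e.text or "").strip() for e in parent.iter() if local(e.tag) == name]


def audit_web_xml(xml_text):
    """Return findings on role declarations and HTTP-method coverage."""
    root = ET.fromstring(xml_text)
    declared = {r for e in root if local(e.tag) == "security-role"
                for r in texts(e, "role-name")}
    findings = []
    for sc in (e for e in root if local(e.tag) == "security-constraint"):
        where = ", ".join(texts(sc, "url-pattern"))
        # "*" in an auth-constraint stands for all declared roles.
        for role in (r for e in sc if local(e.tag) == "auth-constraint"
                     for r in texts(e, "role-name")):
            if role != "*" and role not in declared:
                findings.append(f"{where}: role '{role}' has no <security-role> entry")
        methods = sorted(texts(sc, "http-method"))
        if methods:  # listed methods are the only ones this constraint covers
            findings.append(f"{where}: only {methods} are constrained by this entry")
    return findings
```

Call audit_web_xml with the text of a WAR's WEB-INF/web.xml; an empty list means every constrained role is declared and no constraint is limited to a subset of methods.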