5 Replies Latest reply on Feb 6, 2003 4:25 PM by petertje

    web-tier security

      OK, I'm totally confused, and reading the messages on this forum hasn't helped -- others have had this problem but no solutions have been posted (that I've seen).

      OK, a little background. We have a product with an EJB backend and a web (JSP/servlets/JavaBean/Applet) front end (JBoss 2.4.9/Tomcat 4.0.4) and now we are trying to add security to it. Using a client Java app, I can easily implement EJB-tier declarative security. But when I tried moving that over to the web interface, I came across many, many problems.

      What I'd like to do is get the user to authenticate via a web form once, then have that authentication used whenever they access a page that accesses a restricted EJB. Apparently I have to get the authenticated user id to propagate to the EJB tier, but that isn't working. Somewhere someone said to secure the web components and use the ClientLoginModule, but that didn't seem to work either.

      Anyway, I'm taking a step back -- I've gotten EJB-tier security to work in isolation, but I still haven't gotten web-tier security to work. Here's what I've got....

      web.xml
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Restricted</web-resource-name>
          <description>Declarative security tests</description>
          <url-pattern>/thresholdBrowser/blankPage.jsp</url-pattern>
          <http-method>HEAD</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
          <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>guest</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>no description</description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Threshold Realm</realm-name>
      </login-config>

      <security-role>
        <role-name>guest</role-name>
      </security-role>

      jboss/client/auth.conf
      profiler {
        org.jboss.security.auth.spi.SimpleServerLoginModule required;
      };

      jboss-web.xml
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
        <security-domain>java:/jaas/profiler</security-domain>
      </jboss-web>

      As I understand it, whenever I try to access thresholdBrowser/blankPage.jsp, a dialog should pop up, allowing me to enter a user id/password.

      This does happen, but when I press OK, it pops up again (a total of 3 times, I believe) followed by a Status 401-Unauthorized error page.

      Btw, if I put the 'profiler' security domain in the jboss/conf/<>/auth.conf, then I don't get the pop-up at all -- I just get status 403 error page. To be honest, I don't think my client/auth.conf file is getting picked up.

        • 1. Re: web-tier security

          > To be
          > honest, I don't think my client/auth.conf file is
          > getting picked up.

          That is right. Servlets run inside the server VM and get their security stuff from login-config.xml in the server/whatever/conf directory (and maybe from the auth.conf file in the same directory, but that is only for backwards compatibility). So put your login configuration for 'profiler' in this login-config.xml file and everything will work as you expected.

          HTH
          Peter.
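The fix Peter describes, written out as an added example that is not part of this thread: the 'profiler' entry moved to the server-side conf directory (the file the server actually reads on 2.4.x), using the UsersRolesLoginModule from JBossSX with constructed users.properties/roles.properties files in place of the SimpleServerLoginModule test module. The config-set name `default`, the user `alice` and her password are assumptions; the domain name `profiler` and the role `guest` come from the web.xml and jboss-web.xml above.

```text
// jboss/conf/default/auth.conf   (server side; jboss/client/auth.conf is never read by the server)
// The entry name must equal the last segment of <security-domain>java:/jaas/profiler</security-domain>
// in jboss-web.xml, otherwise the web container finds no login modules and answers 401/403.
profiler {
    // Checks username/password against users.properties and roles.properties on the server
    // classpath (the conf directory is on it). Unlike SimpleServerLoginModule, which is a test
    // module, this rejects anyone who is not listed.
    org.jboss.security.auth.spi.UsersRolesLoginModule required;
};

# jboss/conf/default/users.properties   (constructed sample: username=password)
alice=example-password

# jboss/conf/default/roles.properties   (constructed sample: username=role1,role2)
# 'guest' is the role named in <auth-constraint> of web.xml, so alice may open blankPage.jsp;
# a listed user without this role still authenticates but gets 403 on the constrained URL.
alice=guest
```

With <auth-method>BASIC</auth-method> the browser sends the password base64-encoded on every request, so once the domain works, <transport-guarantee>CONFIDENTIAL</transport-guarantee> in the user-data-constraint is what keeps it off the wire in clear.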

          • 2. Re: web-tier security

            What is this login-config.xml file? I've yet to see where it should be located -- I was under the impression that it was a JBoss 3.X thing (I'm running 2.4.9).

            • 3. Re: web-tier security

              It is the equivalent of auth.conf on the server side in 3.x

              • 4. Re: web-tier security

                Sorry, I didn't notice you were running 2.4....
                However, my remark is still valid I think, in the sense that the client/auth.conf is not picked up by the server (but, as Juhu pointed out, the other one is...)

                Peter

                • 5. Re: web-tier security

                  Oops, that should be "Juha" of course....