'UsersRolesLoginModule' not validating passwords
pgmjsd Jun 29, 2003 8:40 AM
Hello,
I am trying to use the 'UsersRolesLoginModule' in a web/EJB application and I am getting some unexpected behavior. The web application seems to know when an unauthenticated user is accessing a page, and it forwards to the login form appropriately. However, it does *not* appear to be verifying the username and password against the users.properties file. There must be something missing in the configuration.
login.xml has 'ExampleRealm' defined as:
<!--
  The default login configuration used by any security domain that
  does not have an application-policy entry with a matching name
-->
<application-policy name = "ExampleRealm">
  <!-- A simple server login module, which can be used when the number
    of users is relatively small. It uses two properties files:
    users.properties, which holds users (key) and their password (value).
    roles.properties, which holds users (key) and a comma-separated list of
    their roles (value).
    The unauthenticatedIdentity property defines the name of the principal
    that will be used when a null username and password are presented as is
    the case for an unauthenticated web client or MDB. If you want to
    allow such users to be authenticated add the property, e.g.,
    unauthenticatedIdentity="nobody"
  -->
  <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
    flag = "required" />
</application-policy>
web.xml references this realm like so:
<!-- ==================================================================== -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Pages</web-resource-name>
    <url-pattern>/webui/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>AuthorizedUser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <!-- ExampleRealm is defined in login-config.xml -->
  <realm-name>ExampleRealm</realm-name>
  <form-login-config>
    <!--
      NOTE: It is important that no pages directly invoke this JSP, as it will invoke 'j_security_check'
      which expects the invoking URL to be the URL to go to on successful login. On Jetty/JBoss, linking
      directly to this login form page will result in the user being redirected to the root web context.
    -->
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/authenticationError.jsp</form-error-page>
  </form-login-config>
</login-config>
The users.properties and roles.properties files are deployed into the application JAR file, which is in the main EAR file.
Any ideas?
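The two-file scheme described in the login-config comment, modelled locally so you can check what a correctly wired deployment should accept and reject (an added example in Python, not JBoss's own code; the users.properties and roles.properties contents are constructed, and the required role is taken from the AuthorizedUser constraint in the posted web.xml):

```python
"""Local model of what UsersRolesLoginModule checks: users.properties for the
password, roles.properties for the comma-separated role list. Constructed
sample files in Java .properties syntax follow."""
import hmac

USERS_PROPERTIES = """\
# users.properties: user=password
alice=s3cret
bob=hunter2
"""
ROLES_PROPERTIES = """\
# roles.properties: user=role1,role2
alice=AuthorizedUser,Admin
bob=Guest
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments are skipped and the
    first unescaped '=' or ':' separates key from value ('\\=' and '\\:' are unescaped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                key, value = line[:i].strip(), line[i + 1:].strip()
                break
        else:  # no separator: key with an empty value
            key, value = line, ""
        props[key.replace("\\=", "=").replace("\\:", ":")] = value
    return props


def authenticate(username, password, users, unauthenticated_identity=None):
    """Return the principal name on success, None on failure. A null username
    *and* password map to unauthenticatedIdentity when one is configured;
    otherwise the supplied password must equal the stored one."""
    if username is None and password is None:
        return unauthenticated_identity
    stored = users.get(username)
    if stored is None or password is None:
        return None
    # constant-time compare so a bad password costs the same as a bad user name
    return username if hmac.compare_digest(stored.encode(), password.encode()) else None


def authorize(principal, roles, required_role):
    """True only if the principal carries the role named in <auth-constraint>."""
    if principal is None:
        return False
    granted = {r.strip() for r in roles.get(principal, "").split(",") if r.strip()}
    return required_role in granted


def check_access(username, password, required_role="AuthorizedUser", unauthenticated_identity=None):
    users = parse_properties(USERS_PROPERTIES)
    roles = parse_properties(ROLES_PROPERTIES)
    principal = authenticate(username, password, users, unauthenticated_identity)
    return authorize(principal, roles, required_role)
```

If the deployed realm accepts a username/password pair that this model rejects, the request is not reaching ExampleRealm at all rather than the module mis-reading the files.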