3 Replies Latest reply on Aug 10, 2003 4:53 AM by tthiele

    How to tell the web-container which login-module to use for

    tthiele

      Help please!!

      Why the hell doesn't jboss/jetty take the login-configuration that I tell it to use?
      The webcontainer shows the login-form when I want to access e.g. http://localhost:8080/repository/prototype/home.do
      But I can enter whatever I want as username/password to access the pages - which is not the desired behaviour.
      However, a SecurityException occurs when a call to an ejb is made (which is ok because I didn't authenticate correctly).

      Can someone please give me a hint?
      Thanks,
      Tilo

      ------------------------------------------------
      This is my jboss-web.xml:

      ...
      <jboss-web>
      <security-domain>java:/jaas/repository-realm</security-domain>
      ...

      ------------------------------------------------
      This is my login-config.xml:

      ...
      <application-policy name = "repository-realm">

        <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                      flag = "required">
          <module-option name = "principalsQuery">select password from User where username=?</module-option>
          <module-option name = "rolesQuery">select distinct r.rolename, 'Roles' from Role r, RoleMap m, User u where r.roleid=m.roleid and m.userid=u.userid and u.username=?</module-option>
          <module-option name = "dsJndiName">java:/MysqlWebtestDS</module-option>
        </login-module>
        <login-module code = "org.jboss.security.ClientLoginModule"
                      flag = "required">
        </login-module>

      </application-policy>
      ...

      ------------------------------------------------
      This is my web.xml:

      ...
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>WebTest-Repository</web-resource-name>
          <url-pattern>/prototype/*</url-pattern>
          <url-pattern>/application/*</url-pattern>
          <url-pattern>/repository/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>user</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>repository-realm</realm-name>
        <form-login-config>
          <form-login-page>/login.do</form-login-page>
          <form-error-page>/login/login-error.html</form-error-page>
        </form-login-config>
      </login-config>

      <security-role>
        <role-name>user</role-name>
      </security-role>
      ...

        • 1. Re: How to tell the web-container which login-module to use

          What does your login.do look like? Does it refer to the j_security_check action?

          • 2. Re: How to tell the web-container which login-module to use
            tthiele

            My login.do forwards to the login page containing:






            Username/password is passed to a loginmodule (but which?) as one can see in the log:

            2003-08-08 14:13:32,645 DEBUG [org.jboss.jetty.security.JBossUserRealm#repository-realm] JBossUserPrincipal: asldkf
            2003-08-08 14:13:32,646 DEBUG [org.jboss.jetty.security.JBossUserRealm#repository-realm] authenticating: Name:asldkf Password:****
            2003-08-08 14:13:32,646 DEBUG [org.jboss.jetty.security.JBossUserRealm#repository-realm] authenticated: asldkf
            2003-08-08 14:13:32,646 DEBUG [org.jboss.jetty.security.JBossUserRealm#repository-realm] setting JAAS subjectAttributeName(j_subject) : null
            2003-08-08 14:13:32,646 DEBUG [org.jboss.jetty.security.JBossUserRealm#repository-realm] JBossUserPrincipal: asldkf is in Role: user

            Anyway, the behaviour is the same with BASIC authentication.

            The only indicator of a failed authentication is the null subject. But what I expect is a forward to the configured login error page.

            • 3. Re: How to tell the web-container which login-module to use
              tthiele

              I hardly dare to admit my basic blunder.
              After including jboss-web.xml within the war everything runs smoothly. AAAAHHRRG