Database server module and form login problem
milesif Oct 9, 2003 1:03 PM
I have problems logging into my web-app using form login authentication under jboss-3.2.1_tomcat-4.1.24.
here is my configuration
1. in login-config.xml I put
<application-policy name = "NeutworkDomain">
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "dsJndiName">java:/ds/neutwork</module-option>
<module-option name = "principalsQuery">SELECT password FROM dbo.Users WHERE userName=?</module-option>
<module-option name = "rolesQuery">SELECT theGroup, 'roles' FROM dbo.Users WHERE userName=?</module-option>
<!--module-option name = "unauthenticatedIdentity">guest</module-option-->
</login-module>
<login-module code = "org.jboss.security.ClientLoginModule" flag = "required"/>
</application-policy>
note that the datasource works correctly
2. my jboss-web.xml is like this
<jboss-web>
<security-domain>java:/jaas/NeutworkDomain</security-domain>
</jboss-web>
3. my web.xml is like this
<web-app>
<taglib>
<taglib-uri>/taglib.tld</taglib-uri>
<taglib-location>taglib.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/wmltaglib.tld</taglib-uri>
<taglib-location>wmltaglib.tld</taglib-location>
</taglib>
<security-constraint>
<web-resource-collection>
<web-resource-name>Sample Application</web-resource-name>
<description>Require users to authenticate</description>
<url-pattern>*.jsp</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>Only allow users role</description>
<role-name>users</role-name>
</auth-constraint>
<user-data-constraint>
<description>Encryption is not required for the application in general.</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login_error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>users</role-name>
</security-role>
</web-app>
4. my login page is
Username:
Password:
The authentication form appears correctly with the session id set in the URL, but if I authenticate with
an existing user/password I get the following error
HTTP Status 403 - Access to the requested resource has been denied
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
and nothing is reported in jboss logs.
If I login with a wrong user or wrong password I am redirected to the error page and get the following
errors in the logs:
WRONG USER:
javax.security.auth.login.FailedLoginException: No matching username found in Principals
WRONG PASSWORD:
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
It seems that jboss finds the user and password, but I cannot login anyway...
If I stop the dbms I get errors showing that database server security module is correctly called by the login procedure and seems to work.
Why can't I authenticate?
The last two remarks:
1. when I deploy the application I get the following error
javax.management.InstanceAlreadyExistsException: jboss.management.local:J2EEServer=Local,j2eeType=J2EEApplication,name=Neutwork.ear already registered.
at org.jboss.mx.server.registry.BasicMBeanRegistry.add(BasicMBeanRegistry.java:617)
at org.jboss.mx.server.registry.BasicMBeanRegistry.registerMBean(BasicMBeanRegistry.java:198)
at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
I don't know if this has something to do with my problem and where this last one comes from and how I can solve it.
2. if I switch to BASIC login I have the same problem.
thanks in advance and sorry for being long ;-)
ciao francesco
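
Added example, not part of the original post: a 403 after the password has been accepted means authentication passed and the role check failed, so this sketch checks the role mapping in the two descriptors. JBoss reads the roles used for permission checks from the group named exactly `Roles`, which is the second column of rolesQuery; the function name and the trimmed sample descriptors below are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the policy and web.xml fragments from the post, trimmed.
LOGIN_CONFIG = """<policy>
<application-policy name="NeutworkDomain">
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="principalsQuery">SELECT password FROM dbo.Users WHERE userName=?</module-option>
<module-option name="rolesQuery">SELECT theGroup, 'roles' FROM dbo.Users WHERE userName=?</module-option>
</login-module>
</application-policy>
</policy>"""

WEB_XML = """<web-app>
<security-constraint>
<auth-constraint><role-name>users</role-name></auth-constraint>
</security-constraint>
<security-role><role-name>users</role-name></security-role>
</web-app>"""

# Second column of rolesQuery when it is written as a quoted literal.
GROUP_LITERAL = re.compile(r"select\s+[^,]+,\s*'([^']*)'", re.IGNORECASE)

def check_role_mapping(login_config, web_xml, domain):
    """Return a list of findings for one security domain (empty = none)."""
    policy = next((p for p in ET.fromstring(login_config).iter("application-policy")
                   if p.get("name") == domain), None)
    if policy is None:
        return [f"no application-policy named {domain!r}"]
    findings = []
    queries = [o.text or "" for o in policy.iter("module-option")
               if o.get("name") == "rolesQuery"]
    if not queries:
        findings.append("no rolesQuery option set")
    for query in queries:
        match = GROUP_LITERAL.search(query)
        # The group name is compared case-sensitively, so 'roles' != 'Roles'.
        if match and match.group(1) != "Roles":
            findings.append(f"role group literal {match.group(1)!r} is not 'Roles'")
    web = ET.fromstring(web_xml)
    required = {r.text.strip() for r in web.findall(".//auth-constraint/role-name")}
    declared = {r.text.strip() for r in web.findall("./security-role/role-name")}
    for role in sorted(required - declared):
        findings.append(f"role {role!r} required but not declared in security-role")
    return findings
```

The descriptors cannot show what the first column returns: the value stored in theGroup also has to equal `users` exactly for the auth-constraint to match.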