2 Replies Latest reply on Dec 11, 2003 8:20 AM by firstrainbow

    when and how the web container checks the user's role

    firstrainbow

      I want to use JAAS in a Struts + JBoss 3.2.2 + Tomcat environment. In my login action, I implement the login check. Although in my web.xml I define two security-constraints, each constraint allowing one type of role to access, it seems the web container doesn't check the user's role. What can I do to make the container check the user's roles?
      Any help will be appreciated! Thanks in advance!

        • 1. Re: when and how the web container checks the user's role
          anbenham

          Hi,
          I can't understand why you implement the login functionality in your LoginAction. As a matter of fact, JBoss should do most of the work for you. For that you need these steps:
          1. You have to secure all of your web accesses by requiring roles for each servlet/JSP access. You do this in your web.xml, i.e.
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>My App Login</web-resource-name>
              <url-pattern>*.jsp</url-pattern>
              <url-pattern>*.show</url-pattern>
              <url-pattern>*.do</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
              <role-name>authenticated-user</role-name>
            </auth-constraint>
          </security-constraint>

          2. You define a security domain in your jboss-web.xml
          <jboss-web>
            <security-domain>java:/jaas/myDomain</security-domain>
          </jboss-web>

          3. For this domain you define a suitable LoginModule in login-config.xml (jboss/server/default/conf). The login-module entries must sit inside an authentication element, and each one is an empty element:
          <application-policy name="myDomain">
            <authentication>
              <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
              <login-module code="com.anis.MyLoginModule" flag="required"/>
            </authentication>
          </application-policy>

          Now the first time a user tries to access a secure resource (JSP/servlet), the app server uses the defined LoginModule to do the necessary authentication and, on success, fills the Subject with the necessary principals, credentials and roles.
          Each time you try to call a secured EJB method, the server makes the security check for you.
          That's all folks!
          I hope I could help.
          Yours, Anis
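          As an added illustration of step 3 (not Anis's code, and not part of JBoss itself), here is what a com.anis.MyLoginModule could look like. It extends JBoss's UsernamePasswordLoginModule, which runs the JAAS login()/commit() phases and only asks the subclass for the user's password and role sets; the roles must be returned in a Group named "Roles", because that is the group the web container checks auth-constraint role-names against and the EJB container checks method permissions against. The in-memory user table is a constructed stand-in for a real user store.

```java
package com.anis;

import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Hypothetical login module for the "myDomain" application-policy.
 * The base class handles the JAAS callbacks and the commit phase;
 * we only supply the password lookup and the role sets.
 */
public class MyLoginModule extends UsernamePasswordLoginModule {

    // Constructed sample data: username -> {password, role, role, ...}.
    // A real module would query a database or directory instead.
    private static final Map USERS = new HashMap();
    static {
        USERS.put("alice", new String[] {"secret1", "authenticated-user", "admin"});
        USERS.put("bob",   new String[] {"secret2", "authenticated-user"});
    }

    /** Called by the base class with the name taken from the callback handler. */
    protected String getUsersPassword() throws LoginException {
        String[] entry = (String[]) USERS.get(getUsername());
        if (entry == null) {
            // Fail closed: an unknown user never authenticates.
            throw new LoginException("No such user: " + getUsername());
        }
        return entry[0];
    }

    /** Called after the password matched. Everything placed in the
     *  "Roles" group becomes a role the containers will check. */
    protected Group[] getRoleSets() throws LoginException {
        String[] entry = (String[]) USERS.get(getUsername());
        SimpleGroup roles = new SimpleGroup("Roles");
        for (int i = 1; i < entry.length; i++) {
            roles.addMember(new SimplePrincipal(entry[i]));
        }
        return new Group[] { roles };
    }
}
```

          With this module in place, a request for *.do or *.jsp by a user who authenticates as bob is allowed (bob holds authenticated-user), while a second security-constraint requiring admin would reject him and admit alice. Any extra per-user attribute that should follow the caller around (for example a data scope) can be looked up in the same module and carried by a custom Principal you add to the Subject.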




          • 2. Re: when and how the web container checks the user's role
            firstrainbow

            Thank you for your help!
            In fact, what I need is that when the user logs in, I can get some other information besides his username and password, to determine the data scope he can manage, because in my application some users can execute the same function but the function manages a different data scope. I had tested using the DatabaseServerLoginModule to implement the login, but I found I can't insert my logic into the login process. So I wrote my own login logic, but I found my LoginContext can't be accessed by the web container and EJB container.
            What can I do? Can a custom LoginModule get what I need? Maybe somebody has the same experience and can give me some help? A good example would be the best!
            Thank you in advance! Wish everybody a good day!