Login OK, but got 403 - access denied
lhg Dec 29, 2003 5:16 PM
I am using the JAAS DatabaseServerLoginModule to protect my web pages. The configuration seems OK, but with the correct userid & password I still get "HTTP Status 400 - Invalid direct reference to form login page".
I checked that all XML files are valid. I wrote a test page and found that both request.getUserPrincipal() and request.getRemoteUser() return null after login.
What is the problem?
I am using JBoss 3.2.3.
this is the log:
17:40:39,717 TRACE [DatabaseServerLoginModule] initialize
17:40:39,733 TRACE [DatabaseServerLoginModule] Passworg hashing activated: algorithm = MD5, encoding = HEX
17:40:39,733 TRACE [DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/BOADS
17:40:39,733 TRACE [DatabaseServerLoginModule] principalsQuery=SELECT password FROM Users WHERE loginID=?
17:40:39,733 TRACE [DatabaseServerLoginModule] rolesQuery=SELECT role_name, role_desc FROM vUserRole WHERE loginID=?
17:40:39,733 TRACE [DatabaseServerLoginModule] login
17:40:39,748 TRACE [DatabaseServerLoginModule] User 'tester' authenticated, loginOk=true
17:40:39,748 TRACE [DatabaseServerLoginModule] commit, loginOk=true
This is my web.xml (user 'tester' has role 'C'):
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area for registered user</web-resource-name>
    <url-pattern>/ds/*</url-pattern>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern>/home.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>A</role-name>
    <role-name>B</role-name>
    <role-name>C</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>BoARealm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>A</role-name>
</security-role>
<security-role>
  <role-name>B</role-name>
</security-role>
<security-role>
  <role-name>C</role-name>
</security-role>
login-config.xml:
<application-policy name="BoARealm">
  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
    <module-option name="dsJndiName">java:/BOADS</module-option>
    <module-option name="principalsQuery">SELECT password FROM Users WHERE loginID=?</module-option>
    <module-option name="rolesQuery">SELECT role_name, role_desc FROM vUserRole WHERE loginID=?</module-option>
    <module-option name="hashAlgorithm">MD5</module-option>
    <module-option name="hashEncoding">HEX</module-option>
  </login-module>
</application-policy>
jboss-web.xml:
<jboss-web>
  <security-domain>java:jaas/BoARealm</security-domain>
</jboss-web>
Thanks for any comments.
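The following is an added worked example, not code from the poster or from JBoss. It models what the DatabaseServerLoginModule does with the two queries and the MD5/HEX options above: the `password` column must hold the unsalted hex MD5 of the plaintext (compared as a plain string), and the second column returned by `rolesQuery` is treated as the role *group* name; only roles whose group is `Roles` (the default when the column is NULL or empty) are used to satisfy the `<auth-constraint>`. The in-memory SQLite database, the user `tester` with password `secret`, and the extra rows are constructed sample data for illustration.

```python
import hashlib
import sqlite3

# Queries copied verbatim from the posted login-config.xml.
PRINCIPALS_QUERY = "SELECT password FROM Users WHERE loginID=?"
ROLES_QUERY = "SELECT role_name, role_desc FROM vUserRole WHERE loginID=?"

# Roles listed in the posted web.xml <auth-constraint>.
REQUIRED_ROLES = {"A", "B", "C"}

# Group name JBoss uses for authorization roles (default when column 2 is NULL/'').
AUTHZ_GROUP = "Roles"


def password_hash(plaintext: str) -> str:
    """hashAlgorithm=MD5, hashEncoding=HEX: the value the module derives from the
    submitted password, so the stored 'password' column must hold exactly this.
    With these options there is no salt and the username is not mixed in."""
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data (assumption), not the poster's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (loginID TEXT PRIMARY KEY, password TEXT NOT NULL);
        CREATE TABLE vUserRole (loginID TEXT, role_name TEXT, role_desc TEXT);
    """)
    conn.execute("INSERT INTO Users VALUES (?, ?)", ("tester", password_hash("secret")))
    # Column 2 of rolesQuery is the role group; only group 'Roles' counts for authorization.
    conn.execute("INSERT INTO vUserRole VALUES (?, ?, ?)", ("tester", "C", "Roles"))
    conn.execute("INSERT INTO vUserRole VALUES (?, ?, ?)", ("tester", "A", "Administrators"))  # other group: ignored
    conn.execute("INSERT INTO vUserRole VALUES (?, ?, ?)", ("other", "B", None))  # NULL -> 'Roles'
    conn.execute("INSERT INTO vUserRole VALUES (?, ?, ?)", ("reader", "Z", "Roles"))  # not in auth-constraint
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, login_id: str, plaintext: str) -> bool:
    """Mirror of the login step: fetch the stored value with principalsQuery and
    compare it, as a string, with the hash of what the user typed."""
    row = conn.execute(PRINCIPALS_QUERY, (login_id,)).fetchone()
    if row is None:
        return False  # no such principal
    return row[0] == password_hash(plaintext)  # case-sensitive string comparison


def role_groups(conn: sqlite3.Connection, login_id: str) -> dict:
    """Mirror of the commit step: bucket rolesQuery rows by their group column."""
    groups: dict = {}
    for role_name, group_name in conn.execute(ROLES_QUERY, (login_id,)):
        group_name = group_name or AUTHZ_GROUP
        groups.setdefault(group_name, set()).add(role_name)
    return groups


def is_authorized(conn: sqlite3.Connection, login_id: str, required=REQUIRED_ROLES) -> bool:
    """Container check: does any role in the 'Roles' group match the auth-constraint?"""
    return bool(role_groups(conn, login_id).get(AUTHZ_GROUP, set()) & set(required))


if __name__ == "__main__":
    db = build_sample_db()
    print("stored hash for 'secret':", password_hash("secret"))
    print("tester/secret authenticates:", authenticate(db, "tester", "secret"))
    print("tester role groups:", role_groups(db, "tester"))
    print("tester authorized for /ds/*:", is_authorized(db, "tester"))
```

Run it as-is to see which rows of `vUserRole` actually reach the `Roles` group; if the `role_desc` column of a real view holds a description rather than the literal `Roles`, the roles land in a differently named group and the `<auth-constraint>` is never satisfied.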