2 Replies Latest reply on Jul 2, 2004 10:43 AM by gortz

    Securing my .war-file

    gortz

      Hi!

      I have a problem securing my .war-file. I've read the JAAS howto but still don't get it working. What I want is the BASIC authorization where one should be forwarded to the index.html file if authorized. On the contrary as it is now I always get the index.html file after typing whatever in the BASIC-loginform.

      My web.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
      <web-app>
      <display-name>Twin Factor Demo</display-name>


      <servlet-name>snip</servlet-name>
      <servlet-class>com.snip.portlet.EchoPortletServlet</servlet-class>


      <servlet-mapping>
      <servlet-name>snip</servlet-name>
      <url-pattern>/snip/*</url-pattern>
      </servlet-mapping>

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>snip</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>view</role-name>
      </auth-constraint>

      </security-constraint>

      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>snip</realm-name>
      </login-config>

      <security-role>
      <role-name>view</role-name>
      </security-role>

      </web-app>

      My jboss-web.xml:

      <jboss-web>
      <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.-->
      <security-domain>java:/jaas/tfportlets</security-domain>

      </jboss-web>

      My login-config.xml:

      <?xml version="1.0"?>
      <!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

      <!-- Used by clients within the application server VM such as
      mbeans and servlets that access EJBs.
      -->
      <application-policy name = "client-login">

      <login-module code = "org.jboss.security.ClientLoginModule"
      flag = "required">
      </login-module>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
      </login-module>

      </application-policy>

      <!-- Fjant security domain -->
      <application-policy name = "fjant">

      <login-module code = "com.fjant.LoginModule"
      flag = "required">
      </login-module>

      </application-policy>

      <!-- snip security domain -->
      <application-policy name = "snip">

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required"/>

      </application-policy>

      <!-- Security domain for JBossMQ -->
      <application-policy name = "jbossmq">

      <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
      </login-module>

      </application-policy>

      <!-- Security domains for testing new jca framework-->
      <application-policy name = "HsqlDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sa</module-option>
      <module-option name = "userName">sa</module-option>
      <module-option name = "password"></module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "FirebirdDBRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sysdba</module-option>
      <module-option name = "userName">sysdba</module-option>
      <module-option name = "password">masterkey</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "JmsXARealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">guest</module-option>
      <module-option name = "userName">guest</module-option>
      <module-option name = "password">guest</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
      </login-module>

      </application-policy>

      <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.

      <application-policy name = "jmx-console">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>
      -->

      <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
      <application-policy name = "web-console">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>
      -->

      <!-- The default login configuration used by any security domain that
      does not have a application-policy entry with a matching name
      -->
      <application-policy name = "other">
      <!-- A simple server login module, which can be used when the number
      of users is relatively small. It uses two properties files:
      users.properties, which holds users (key) and their password (value).
      roles.properties, which holds users (key) and a comma-separated list of
      their roles (value).
      The unauthenticatedIdentity property defines the name of the principal
      that will be used when a null username and password are presented as is
      the case for an unuathenticated web client or MDB. If you want to
      allow such users to be authenticated add the property, e.g.,
      unauthenticatedIdentity="nobody"
      -->

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>




      I've also placed my users.properties and roles.properties in both the root of the .war file and in /WEB-INF/classes, just in case.

      I've tried changing everything I can think of but still don't get it.

        • 1. Re: Securing my .war-file
          stueccles

          i think your first problem is that your security-domain of java:/jaas/tfportlets in jboss-web.xml doesnt exist in your login-config. Concequently it is delegating to "other" domain which always lets you through.

          I do believe that the "realm" in web.xml really doesnt matter as jboss imposes one realm which delegates to the JBossSecurityManager which uses the Jaas realm from jboss-web

          so try changing jboss-web.xml to

          <jboss-web>

          <security-domain>java:/jaas/snip</security-domain>

          </jboss-web>

          Also i dont think you will get your expected behaviour from web security. You should always get the page you request after authentication rather than being forwarded to index.html. but this might be the behaviour you want

          Stuart Eccles

          • 2. Re: Securing my .war-file
            gortz

            I've changed it from tfportlets to snip but still isn't working.

            What do you mean by one should always get the page requested? not if you aren't authenticated?