3 Replies Latest reply on Nov 8, 2004 12:39 PM by starksm64

    <role-name> from web.xml && <module-option name="rolesProper

    liooil

      Hello world,

      Sorry if this question has already been posted here, but I'm quite new
      to JBoss, so feel free to forward me to the relevant thread if necessary.

      I'm building a webapp where users are distinguished by their role.
      I needed to respect JAAS, so I've defined these roles in myWebApp-roles.properties through my login-config.xml.

      To protect some features of my app, I want a URL access control list. That's what I intend to do in my web.xml.

      Authentication seems to be all right: I get my subject and my principals ( Roles(members:BasicUser) ).

      But I don't have access to my URL:
      "GET /myWebApp/action/menuView HTTP/1.1" 302 -

      It seems as if the role wasn't shared between my webapp and JBoss?

      What's wrong? What did I forget?

      Please help,

      web.xml :
      -----------
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>MyWebAppActions</web-resource-name>
      <description>MyWebApp actions mappings</description>
      <url-pattern>/action/menuView</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>BasicUser</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      login-config.xml :
      -------------------
      <application-policy name="myWebApp">

      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      </login-module>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">
      myAppGuest
      </module-option>
      <module-option name="usersProperties">
      myWebApp-users.properties
      </module-option>
      <module-option name="rolesProperties">
      myWebApp-roles.properties
      </module-option>
      </login-module>

      </application-policy>

      myWebApp-roles.properties :
      ----------------------------------
      MyUser=BasicUser

        • 1. Re: <role-name> from web.xml && <module-option name=
          starksm64

          A 302 return code is a temporary redirect. This is used when using form authentication to redirect you to the login form.

          • 2. Re: <role-name> from web.xml && <module-option name=
            liooil


            I understand that it's a redirect because it has been coded this way in the web.xml file:

            <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
            <form-login-page>/action/authenticationView</form-login-page>
            <form-error-page>/action/authenticationProcess</form-error-page>
            </form-login-config>
            </login-config>

            Dynamically, I can see the authentication process succeed:

            1 - /action/authenticationProcess identifies the client properly,
            i.e. my loginContext works well: I get my subject and my principals

            2 - /action/authenticationProcess tries a forward to /action/menuView

            3 - this forward is rejected (our 302 redirect) because this URL is a protected resource (my <security-constraint>)

            Maybe the relevant question is how I can map the <role-name> to one of the principals I get from my loginContext?

            • 3. Re: <role-name> from web.xml && <module-option name=
              starksm64

              A redirect only occurs for authentication failures, not authorization. You map the roles to a user using the roles.properties file as discussed in the JAAS Howto in this forum.
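The decision starksm64 describes (302 for an unauthenticated request under FORM login, 403 for an authenticated user without a matching role, roles taken from roles.properties), as an added Python model built on this thread's own web.xml and myWebApp-roles.properties; it is example code, not from the thread or from JBoss, and its url-pattern matching and properties parsing are simplified assumptions, not the container's real implementation.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the thread's <security-constraint> (trimmed to the
# elements that matter here) and its single myWebApp-roles.properties line.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>MyWebAppActions</web-resource-name>
    <url-pattern>/action/menuView</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>BasicUser</role-name></auth-constraint>
</security-constraint></web-app>"""
ROLES_PROPERTIES = "MyUser=BasicUser\n"

def parse_constraints(xml_text):
    """Return [(url_patterns, http_methods, role_names)] per <security-constraint>."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        wrc = sc.find("web-resource-collection")
        out.append(([p.text.strip() for p in wrc.findall("url-pattern")],
                    [m.text.strip() for m in wrc.findall("http-method")],
                    [r.text.strip() for r in sc.iter("role-name")]))
    return out

def parse_roles(props_text):
    """'user=role1,role2' lines -> {user: {roles}} (simplified properties parsing)."""
    roles = {}
    for line in props_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            user, value = line.split("=", 1)
            roles[user.strip()] = {r.strip() for r in value.split(",") if r.strip()}
    return roles

def url_matches(path, pattern):
    """Servlet-style matching: exact path, or '/prefix/*' path prefix."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def authorize(user, method, path, constraints, user_roles):
    """Container decision: 200 serve, 302 FORM-login redirect, 403 forbidden."""
    for patterns, methods, roles in constraints:
        if not any(url_matches(path, p) for p in patterns) or (methods and method not in methods):
            continue            # caveat: a method not listed in <http-method> is left unprotected
        if user is None:
            return 302          # unauthenticated: the container sends the login form first
        if user_roles.get(user, set()) & set(roles):
            return 200          # the user's roles.properties roles include a <role-name>
        return 403              # authenticated but no matching role: an authorization failure
    return 200                  # no constraint covers this URL
CONSTRAINTS = parse_constraints(WEB_XML)
USER_ROLES = parse_roles(ROLES_PROPERTIES)
```

A user that has no line in roles.properties (for instance the unauthenticatedIdentity "myAppGuest") gets 403 here, never 302, which is the distinction the reply above draws.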