6 Replies Latest reply on Jan 13, 2005 7:51 AM by javiery

403 - Access to the requested resource has been denied

infectedrhythms Nov 14, 2004 11:36 PM

I am trying to set up jass security on my web site and am getting: 403 - Access to the requested resource has been denied.

This is in my login-config.xml...

 <application-policy name = "Mamoth">
 <authentication>
 <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
 flag = "required">
 <module-option name = "unauthenticatedIdentity">guest</module-option>
 <module-option name = "dsJndiName">java:/jdbc/MamothDB</module-option>
 <module-option name = "principalsQuery">select Password from users where Username=?</module-option>
 <module-option name = "rolesQuery">select Username, Role from UserRoles where username=?</module-option>
 </login-module>
 </authentication>
 </application-policy>

This is in my web.xml...

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
 <display-name>mamoth Blue</display-name>
 <description>mamoth Blue web site</description>


 <security-constraint>
 <web-resource-collection>
 <web-resource-name>Mamoth</web-resource-name>
 <description>Mamoth Blue security</description>
 <url-pattern>/*</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>Admin</role-name>
 </auth-constraint>
 </security-constraint>


 <login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>Mamoth Blue</realm-name>
 </login-config>

 <security-role>
 <role-name>Admin</role-name>
 </security-role>



 <welcome-file-list>
 <welcome-file>index.jsp</welcome-file>
 </welcome-file-list>

 <resource-ref>
 <description>DB Connection</description>
 <res-ref-name>jdbc/MamothDB</res-ref-name>
 <res-type>javax.sql.DataSource</res-type>
 <res-auth>Container</res-auth>
 </resource-ref>


 <!--
 //-->
</web-app>

And this is in my jboss-web.xml...

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN" "http://www.jboss.org/j2ee/dtds/jboss-web_3_0.dtd">

<jboss-web>
 <context-root>/mamoth</context-root>
 <security-domain>java:/jaas/Mamoth</security-domain>
 <resource-ref>
 <res-ref-name>jdbc/MamothDB</res-ref-name>
 <jndi-name>java:/jdbc/MamothDB</jndi-name>
 </resource-ref>
</jboss-web>

Any ideas? Thanks!

1. Re: 403 - Access to the requested resource has been denied

infectedrhythms Nov 15, 2004 12:40 AM (in response to infectedrhythms)

It seems to be working some what! I get the 403 error only when I enter the correct username and password... If not the browser will keep asking me to enter username and password!
Actions
2. Re: 403 - Access to the requested resource has been denied

runeteigen Nov 15, 2004 6:52 AM (in response to infectedrhythms)

Perhaps you need to look at your rolesQuery. The result-set from this query should return role-name and role-group-name (which I have hard-coded to 'Roles').

So maybe you could try something like:
select RoleName, 'Roles' from UserRoles where username=?
Actions
3. Re: 403 - Access to the requested resource has been denied

infectedrhythms Nov 15, 2004 4:42 PM (in response to infectedrhythms)

I opened up the src for the DatabaseServerModule and I copied the queries exactly. I even made sure to structure my db the same way.

Yet same problem... I can enter invalid user name and password all day, but one I enter the right username and password I get the 403 error... So it does seem to authenticate. I also checked the logs no eceptions thrown...
Actions
4. Re: 403 - Access to the requested resource has been denied

tschraepen Nov 16, 2004 2:29 AM (in response to infectedrhythms)

This might be a stupid question, but did you check if the role that is returned matches the user's role?
I'm not sure if it's case-sensitive.
Actions
5. Re: 403 - Access to the requested resource has been denied

infectedrhythms Nov 16, 2004 8:42 AM (in response to infectedrhythms)

Is there a way I can debug the module or do I have to recompile it?
Actions
6. Re: 403 - Access to the requested resource has been denied

javiery Jan 13, 2005 7:51 AM (in response to infectedrhythms)

This is the solution.

I have something like: select RoleName, 'roles' from UserRoles where username=?

'roles' don't work, 'Roles' works. Is case sensitive...

"runeteigen" wrote:
Perhaps you need to look at your rolesQuery. The result-set from this query should return role-name and role-group-name (which I have hard-coded to 'Roles').

So maybe you could try something like:
select RoleName, 'Roles' from UserRoles where username=?
Actions

Go to original post