6 Replies Latest reply on Jan 21, 2011 9:21 AM by cibik

    JAAS : Form Based Authentication Problem

    gotoharry

      Hi, I am developing a simple authentication application to learn about the JAAS implementation in JBoss using the DatabaseServerLoginModule. My flow goes like this.

      I have the following tables in Oracle
      CREATE TABLE Users(username VARCHAR(64) PRIMARY KEY, passwd VARCHAR(64))
      CREATE TABLE UserRoles(username VARCHAR(64), userRoles VARCHAR(32))

      Sample values
      ==========
      INSERT INTO Users VALUES('j2ee','j2ee')
      INSERT INTO UserRoles VALUES('j2ee','j2ee')

      I have created an XA Datasource for Oracle in JBoss 4.0.1.

      My other configurations and code go like this

      login-config.xml
      ===========
      <application-policy name = "jbossmq">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "dsJndiName">jdbc/OracleDS</module-option>
      <module-option name="principalsQuery"> select passwd from Users where username=? </module-option>
      <module-option name="rolesQuery"> select userRoles,'Roles' from UserRoles where username=? </module-option>

      </login-module>

      </application-policy>

      jboss-web.xml
      ==========
      <jboss-web>
      <security-domain>java:/jaas/jbossmq</security-domain>
      </jboss-web>

      web.xml
      ======
      <web-app>
      <welcome-file-list>
      <welcome-file>home.jsp</welcome-file>
      </welcome-file-list>
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Html</web-resource-name>
      <description>An example security config</description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>j2ee</role-name>
      </auth-constraint>
      </security-constraint>
      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>jbossmq</realm-name>
      <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logon.jsp?errors=true</form-error-page>
      </form-login-config>
      </login-config>
      <security-role>
      <role-name>j2ee</role-name>
      </security-role>
      </web-app>

      logon.jsp
      ======
      I use a JSP where I have two text fields, j_username and j_password, and map the form action to "j_security_check" as specified by Sun.

      I assume that <form-login-page>/logon.jsp</form-login-page> will override loading the pages in the <welcome-file-list> and upon successful authentication the first page in the <welcome-file-list> is fetched.

      When I access this application from my browser I get the logon.jsp to enter the user name and password. Here, when I give an invalid username and password, it takes me to the error page I have configured in web.xml. But when I give a valid username and password, my browser reports

      HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser

      I am getting this error both with Mozilla Firefox and Internet Explorer. So I assume that it might not be any browser issue.

      I am not getting any error messages in my JBoss console as well. Please tell me what could be the case for this. Thank you!

      - Hari

        • 1. Re: JAAS : Form Based Authentication Problem
          bvgone

           

          "gotoharry" wrote:

          HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser

          I have an identical problem :(
          I already looked on Google, but found no resolution!

          • 2. Re: JAAS : Form Based Authentication Problem
            leeson1125

             

            "gotoharry" wrote:

            jboss-web.xml
            ==========
            <jboss-web>
            <security-domain>java:/jaas/jbossmq</security-domain>
            </jboss-web>

            - Hari

            <jboss-web>
            <security-domain>java:/jaas/jbossmq</security-domain>
            <resource-ref>
            <res-ref-name>jdbc/xxxxx</res-ref-name>
            <res-type>javax.sql.DataSource</res-type>
            <jndi-name>java:/xxx</jndi-name>
            </resource-ref>
            </jboss-web>

            • 3. Re: JAAS : Form Based Authentication Problem
              bvgone

              Did it work?
              My case isn't quite the same as Hari's; I'm not using JBoss!
              I have a web application on Tomcat using JAAS, and I got the same error as Hari.
              Any help for me?

              Thanks..

              • 4. Re: JAAS : Form Based Authentication Problem
                bap840

                Did anyone ever figure this out? I just downloaded JBoss as well as the Duke's Bank tutorial. Everything works until I try to log in with the web client, then I get the 408. This happens using IE and Netscape, as well as with a .properties login or a database login. Please help!!!

                thanks,

                • 5. Re: JAAS : Form Based Authentication Problem
                  albert....

                  This error happens when the time between the request of a protected resource (and so, the presentation of the login form) and the submit to the j_security_check is greater than the session timeout value.

                  The internal mechanism of Tomcat stores the original request in the session... so, if the session has expired or been invalidated, Tomcat can't know where to redirect and then raises that timeout error.

                  The default value of session invalidation in Tomcat is 30 minutes.

                  Another cause can be an explicit session invalidation by calling HttpSession.invalidate() ... perhaps in the logon.jsp??

                  Regards

                  • 6. Re: JAAS : Form Based Authentication Problem
                    cibik

                    A simple workaround which worked for us was to invalidate the session timeout on the login page by calling

                     

                    <% request.getSession().setMaxInactiveInterval(-1); %>

                     

                    and recover it back to the original value after logging back in to the application.
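
The last reply restores the session timeout after login but shows no code for that step. One way to do it, as an added example that is not part of the original thread: a servlet filter that resets a finite timeout once the container has authenticated the user. It assumes the filter is mapped to the protected URLs and that the normal timeout is 30 minutes; the class name RestoreSessionTimeoutFilter and the init-param timeoutSeconds are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example; the class name and init-param name are hypothetical.
// Map it in web.xml to the protected URLs (here /*).
public class RestoreSessionTimeoutFilter implements Filter {

    // Assumed normal timeout: 30 minutes, expressed in seconds.
    private int timeoutSeconds = 30 * 60;

    public void init(FilterConfig config) throws ServletException {
        String value = config.getInitParameter("timeoutSeconds");
        if (value == null) {
            return; // keep the assumed default
        }
        try {
            timeoutSeconds = Integer.parseInt(value.trim());
        } catch (NumberFormatException e) {
            throw new ServletException("timeoutSeconds must be an integer", e);
        }
        if (timeoutSeconds <= 0) {
            throw new ServletException("timeoutSeconds must be positive");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            HttpSession session = http.getSession(false); // never create a session here
            // getUserPrincipal() is non-null once container login has succeeded.
            // Only touch sessions still carrying the login page's "never expire" value.
            if (session != null && http.getUserPrincipal() != null
                    && session.getMaxInactiveInterval() <= 0) {
                session.setMaxInactiveInterval(timeoutSeconds);
            }
        }
        chain.doFilter(req, res);
    }
    public void destroy() { }
}
```

Sessions that load the login page but never authenticate keep the non-expiring interval set by the JSP, so the container's idle timeout does not clean them up.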