Wrong LoginModule?
john_anderson_ii Feb 14, 2005 5:03 PM

Hello all. I'm brand new to JBoss Security and JAAS, so I'll just jump right in here.
I have a simple application and a simple JSP. I want to secure access to the JSP based on a role. The role who should be able to access the JSP (report.jsp) is "userAdmin".
To the jboss-web.xml I've added:
<security-domain>java:/jaas/kickstart</security-domain>
To the web.xml I've added:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>Allow userAdmin(s) access to report.jsp</description>
    <url-pattern>/report.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>userAdmin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Kickstart</realm-name>
</login-config>
<security-role>
  <role-name>userAdmin</role-name>
</security-role>
To the login-config.xml I've added:
<application-policy name="kickstart">
  <authentication>
    <login-module code="com.ccbill.kickstart.support.auth.CCBLoginModule" flag="required">
    </login-module>
  </authentication>
</application-policy>
The CCBLoginModule code I have added by implementing LoginModule and I'm deploying it with the application (i.e. this code is bundled in the .ear).
When I try to access http://host:443/kickstart/report.jsp I get prompted with a standard login dialogue. However, when I OK that dialogue I don't get authenticated. After looking at the logs I discovered why:
2005-02-14 14:47:04,102 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /kickstart/report.jsp
2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[HtmlAdaptor]' against GET /report.jsp --> true
2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.realm.JAASRealm] Authenticating jboss.web admin
2005-02-14 14:47:04,103 DEBUG [org.apache.catalina.realm.JAASRealm] Login context created admin
2005-02-14 14:47:04,111 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=admin
2005-02-14 14:47:04,112 DEBUG [org.apache.catalina.realm.JAASRealm] Username admin NOT authenticated due to failed login
2005-02-14 14:47:04,112 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
2005-02-14 14:47:08,190 DEBUG [org.apache.coyote.http11.Http11Protocol] IOException reading request
According to the log, specifically the line containing "[org.jboss.security.auth.spi.UsersRolesLoginModule]", JBoss is still using UsersRolesLoginModule to authenticate report.jsp. I've looked into it, and it looks like this module is set to fire when the "other" security domain is invoked, but I've deployed my application to use the kickstart security domain. What am I missing in the way of configuration to make JBoss use the kickstart security domain?
Thanks in advance for straightening me out.
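For readers following the same setup, here is an added example of a minimal JBoss login module for a domain like "kickstart" (this is illustrative code, not the poster's CCBLoginModule): it extends JBoss's UsernamePasswordLoginModule so the container handles the callbacks, and it logs its own class name on initialize so the server log shows unambiguously which module a security domain resolved to. The package name, class name and the in-memory user table are assumptions made for the example.

```java
package com.example.kickstart; // hypothetical package, not the poster's

import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class ExampleKickstartLoginModule extends UsernamePasswordLoginModule {

    // Constructed sample data: username -> {password, role}. A real module
    // would look these up in a database or directory and store only hashes.
    private static final Map USERS = new HashMap();
    static {
        USERS.put("admin", new String[] {"admin-secret", "userAdmin"});
        USERS.put("guest", new String[] {"guest-secret", "reportViewer"});
    }

    public void initialize(Subject subject, CallbackHandler handler,
                           Map sharedState, Map options) {
        super.initialize(subject, handler, sharedState, options);
        // If this line never appears but UsersRolesLoginModule does, the
        // "kickstart" policy was not the one JBoss resolved for the request.
        log.debug("initialised " + getClass().getName());
    }

    // Password JBoss compares with the one supplied in the BASIC dialogue.
    protected String getUsersPassword() throws LoginException {
        String[] entry = (String[]) USERS.get(getUsername());
        if (entry == null) {
            throw new LoginException("No such user: " + getUsername());
        }
        return entry[0];
    }

    // Roles must be members of a Group named "Roles"; that is what the
    // <role-name> in web.xml's <auth-constraint> is matched against.
    protected Group[] getRoleSets() throws LoginException {
        String[] entry = (String[]) USERS.get(getUsername());
        SimpleGroup roles = new SimpleGroup("Roles");
        if (entry != null) {
            roles.addMember(new SimplePrincipal(entry[1]));
        }
        return new Group[] {roles};
    }
}
```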