1. Re: how to test form-based security using jaas, mysql set up
ricardoarguello Feb 25, 2005 3:42 PM (in response to choikim)
You need to add a login page for your web application:
http://www.onjava.com/pub/a/onjava/2002/06/12/form.html
Note that the Realm references don't apply. You need to configure JAAS instead.
Ricardo
2. Re: how to test form-based security using jaas, mysql set up
choikim Feb 25, 2005 6:11 PM (in response to choikim)
I had login.html with
and my application deployed.
However, if I tried to login, it shows
http://localhost:8080/projectname/j_security_check on the url and
doesn't do anything.
What am I missing here?
Also, I thought I configured JAAS using the JBoss documentation, but I'm not sure if I did it correctly. What do I have to do except modifying web.xml, ejb-jar.xml, jboss.xml, jboss-web.xml and login-config.xml?
Another question. Does role-name have to be exactly the same as the result from rolesQuery in login-config.xml?
I really appreciate the help.
Thank you
My login-config.xml under jboss/server/default/conf looks like the following.
<application-policy name = "projectname">
  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                flag="required">
    <module-option name="dsJndiName">java:/MySqlDS</module-option>
    <module-option name="principalsQuery">
      select password from employees where username=?
    </module-option>
    <!-- second column of the following query has to be 'Roles' -->
    <module-option name="rolesQuery">
      select management, 'Roles' from employees where username=?
    </module-option>
    <module-option name="hashAlgorithm">MD5</module-option>
    <module-option name="hashEncoding">base64</module-option>
  </login-module>
</application-policy>
And I have only one line
<security-domain>java:/jaas/project</security-domain>
in jboss.xml and jboss-web.xml.
Also, in my web.xml I have the following.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>secure content</web-resource-name>
    <description>Declarative security test</description>
    <url-pattern>/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>supervisor</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-role>
  <description>The role required to access restricted content</description>
  <role-name>supervisor</role-name>
</security-role>
<!-- ... -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>The Restricted Zone</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
Do I have to put <ejb-ref> here? I didn't think so.
Also in my ejb-jar.xml, I have the following.
<ejb-name>Supervisor</ejb-name>
<local-home>ejb.session.SupervisorLocalHome</local-home>
<local>ejb.session.SupervisorLocal</local>
<home>ejb.session.SupervisorRemoteHome</home>
<remote>ejb.session.SupervisorRemote</remote>
<ejb-class>ejb.session.Supervisor</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>
<ejb-local-ref>
  <ejb-ref-name>Employees</ejb-ref-name>
  <ejb-ref-type>Entity</ejb-ref-type>
  <local-home>ejb.employee.EmployeeLocalHome</local-home>
  <local>ejb.employee.EmployeeLocal</local>
  <ejb-link>Employees</ejb-link>
</ejb-local-ref>
<security-identity>
  <run-as>
    <role-name>supervisor</role-name>
  </run-as>
</security-identity>
<security-role-ref>
  <role-name>SupervisorRole</role-name>
  <role-link>supervisor</role-link>
</security-role-ref>
<assembly-descriptor>
  <!-- declare logical roles -->
  <security-role>
    <description>This role represents everyone who is allowed access to the Employee EJB.</description>
    <role-name>employee</role-name>
  </security-role>
  <security-role>
    <description>This role represents the supervisor, who is allowed full access to all the EJBs.</description>
    <role-name>supervisor</role-name>
  </security-role>
  <method-permission>
    <role-name>supervisor</role-name>
    <ejb-name>Employees</ejb-name>
    <method-name>*</method-name>
  </method-permission>
  <method-permission>
    <role-name>supervisor</role-name>
    <ejb-name>Supervisor</ejb-name>
    <method-name>*</method-name>
  </method-permission>
  <container-transaction>
    <ejb-name>Employees</ejb-name>
    <method-name>*</method-name>
    <trans-attribute>Required</trans-attribute>
  </container-transaction>
</assembly-descriptor>
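The script below is an added example and is not code from this thread or from JBoss. It models what DatabaseServerLoginModule does with the options posted above (principalsQuery, rolesQuery, hashAlgorithm MD5, hashEncoding base64) and what the container then decides for a request under the posted web.xml security-constraint. An in-memory SQLite table named employees with constructed rows (the usernames, passwords and management values are made up) stands in for the MySQL datasource. Two assumptions are built in and labelled in the code: the module compares the stored password column as a string against the base64 encoding of the MD5 digest of the submitted password (UTF-8 bytes), and only rolesQuery rows whose second column is the literal 'Roles' become roles, so the role-name in web.xml has to match that first column value exactly, including case.

```python
import base64
import hashlib
import sqlite3

# The option values from the login-config.xml posted above.
PRINCIPALS_QUERY = "select password from employees where username=?"
ROLES_QUERY = "select management, 'Roles' from employees where username=?"

# The security-constraint from the web.xml posted above, reduced to its parts.
CONSTRAINT = {"url_pattern": "/*", "http_methods": {"POST"}, "roles": {"supervisor"}}


def password_hash(password: str) -> str:
    """hashAlgorithm=MD5 + hashEncoding=base64 (assumed comparison format): the
    stored `password` column must hold this 24-character base64 string, not hex."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_employees_db() -> sqlite3.Connection:
    """Constructed stand-in for the MySQL table behind java:/MySqlDS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table employees (username text primary key, password text, management text)"
    )
    conn.executemany(
        "insert into employees values (?, ?, ?)",
        [
            ("alice", password_hash("s3cret"), "supervisor"),  # constructed row
            ("bob", password_hash("hunter2"), "employee"),     # constructed row
        ],
    )
    return conn


def login(conn: sqlite3.Connection, username: str, password: str):
    """Model of DatabaseServerLoginModule: the user's role set, or None on failure."""
    row = conn.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None or row[0] != password_hash(password):
        return None  # unknown user or hash mismatch -> form-error-page
    roles = set()
    for role, group in conn.execute(ROLES_QUERY, (username,)):
        if group == "Roles":  # only rows in the 'Roles' group become roles
            roles.add(role)
    return roles


def url_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching: path prefix (/x/*), extension (*.ext) or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def access_decision(constraint: dict, method: str, path: str, roles) -> str:
    """Container decision for one request; `roles` is None when unauthenticated.
    A constraint that lists http-method elements covers only those methods, so
    the same URL reached with any other method is unconstrained."""
    if not url_matches(constraint["url_pattern"], path):
        return "unconstrained"
    if constraint["http_methods"] and method not in constraint["http_methods"]:
        return "unconstrained"
    if roles is None:
        return "authenticate"  # redirect to form-login-page
    return "allow" if roles & constraint["roles"] else "deny"  # 403


if __name__ == "__main__":
    db = build_employees_db()
    for user, pw in (("alice", "s3cret"), ("alice", "wrong"), ("bob", "hunter2")):
        print(user, "->", login(db, user, pw))
    alice = login(db, "alice", "s3cret")
    for method in ("POST", "GET"):
        print(method, "/report anonymous ->", access_decision(CONSTRAINT, method, "/report", None))
        print(method, "/report alice ->", access_decision(CONSTRAINT, method, "/report", alice))
```

Two checks worth making against the posted files follow from this model. The security-domain value `java:/jaas/NAME` in jboss.xml and jboss-web.xml is resolved by NAME against `<application-policy name="NAME">` in login-config.xml, so the two names must be identical (and the login-module elements sit inside an `<authentication>` element of that policy). Second, a security-constraint that lists only `<http-method>POST</http-method>` leaves GET requests to the same URLs unconstrained; omitting the http-method elements makes the constraint cover every method.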
3. Re: how to test form-based security using jaas, mysql set up
ricardoarguello Feb 25, 2005 9:34 PM (in response to choikim)
I just found this on the Wiki
http://www.jboss.org/wiki/Wiki.jsp?page=Security
Secure EJB and Web Applications:
http://www.csd.abdn.ac.uk/~bscharla/teaching/mtp_software/jboss/secureJBoss.shtml
4. Re: how to test form-based security using jaas, mysql set up
ricardoarguello Feb 28, 2005 9:19 AM (in response to choikim)
Yet another example:
http://www.orbwave.com/cfjboss/2005/02/role-based-security-for-your-web.html
Ricardo
5. Re: how to test form-based security using jaas, mysql set up
choikim Mar 1, 2005 10:43 AM (in response to choikim)
Thank you for all the help. I made it work.