I had login.html with







and my application deployed.

However, if I tried to login, it shows
http://localhost:8080/projectname/j_security_check on the url and
doesn't do anything.

What am I missing here ?

Also, I thought I configured JAAS using jboss documentation, but I'm not sure if I did it correctly. What do I have to do except modifying web.xml, ejb-jar.xml, jboss.xml, jboss-web.xml, login-config.xml ?

Another question. Does role-name has to be exactly the same as the result from rolesQuery in login-config.xml ?

I really appreciate the help.
Thank you



My login-config.xml under jboss/server/default/conf looks like the following.

<application-policy name = "projectname">

<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag="required">
<module-option name="dsJndiName">java:/MySqlDS</module-option>
<module-option name="principalsQuery">
select password from employees where username=?
</module-option>
<!-- second column of the following query has to be 'Roles' -->
<module-option name="rolesQuery">
select management, 'Roles' from employees where username=?
</module-option>

<module-option name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">base64</module-option>

</login-module>

</application-policy>

And I have only one line

<security-domain>java:/jaas/project</security-domain>

in jboss.xml and jboss-web.xml.

Also, in my web.xml I have the following.

<security-constraint>
<web-resource-collection>
<web-resource-name>secure content</web-resource-name>
Declarative security test
<url-pattern>/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>

<auth-constraint>
<role-name>supervisor</role-name>
</auth-constraint>

<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

<security-role>
The role required to access restricted content
<role-name>supervisor</role-name>
</security-role>

<!-- ... -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>The Restricted Zone</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>


Do I have to put <ejb-ref> here ? I didn't think so.

Also in my ejb-jar.xml, I have the following.


<ejb-name>Supervisor</ejb-name>
<local-home>ejb.session.SupervisorLocalHome</local-home>
ejb.session.SupervisorLocal
ejb.session.SupervisorRemoteHome
ejb.session.SupervisorRemote
<ejb-class>ejb.session.Supervisor</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>

<ejb-local-ref>
<ejb-ref-name>Employees</ejb-ref-name>
<ejb-ref-type>Entity</ejb-ref-type>
<local-home>ejb.employee.EmployeeLocalHome</local-home>
ejb.employee.EmployeeLocal
<ejb-link>Employees</ejb-link>
</ejb-local-ref>

<security-identity>
<run-as>
<role-name>supervisor</role-name>
</run-as>
</security-identity>

<security-role-ref>
<role-name>SupervisorRole</role-name>
<role-link>supervisor</role-link>
</security-role-ref>


<assembly-descriptor>

<!-- declare logical roles -->
<security-role>

This role represents everyone who is allowed access
to the Employee EJB.

<role-name>employee</role-name>
</security-role>

<security-role>

This role represents supervisor who is allowed full accessto all the EJBs.

<role-name>supervisor</role-name>
</security-role>

<method-permission>
<role-name>supervisor</role-name>

<ejb-name>Employees</ejb-name>
<method-name>*</method-name>

</method-permission>

<method-permission>
<role-name>supervisor</role-name>

<ejb-name>Supervisor</ejb-name>
<method-name>*</method-name>

</method-permission>

<container-transaction>

<ejb-name>Employees</ejb-name>
<method-name>*</method-name>

<trans-attribute>Required</trans-attribute>
</container-transaction>

</assembly-descriptor>

Thank you for all the help. I made it work.