Losing my principals.
jonhurwitz Apr 20, 2005 12:32 PM
First, sorry if this is a variation of an old problem. I'm new at this and not all the documentation is making sense yet.
I'm trying to get some basic authentication set up. I'm using jboss3.2.2/tomcat (but I'm happy to upgrade if needed) and jdk1.4. My main objective is to know who is using the application so I can provide variable pages. I want people to log in when they hit the first page (whichever they go for) in the application and all pages will then render differently using programmatic code accessed from the jsp.
My problem is that whenever I call down to a service provided by a session ejb, the principal is lost. I can't access it from the session context and on return it's no longer available to the httpServletRequest. I'm using the same security domain name at both levels and have tried it with BASIC and FORM authorization methods. As long as I'm just moving from page to page (using struts), everything is fine.
I'm not sure what you guys will need to see. The configuration for FORM uses SSL for the login page, but the BASIC one doesn't even do that. The config I used for BASIC is:
web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>AllJSPs</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>everyone</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>User-Basic-Authentication</realm-name>
</login-config>
<security-role>
  <description>The role required to access restricted content</description>
  <role-name>everyone</role-name>
</security-role>
(To force everyone to log on immediately)
jboss-web.xml
<jboss-web>
  <security-domain>java:/jaas/User-Basic-Authentication</security-domain>
</jboss-web>
jboss.xml
<security-domain>java:/jaas/User-Basic-Authentication</security-domain>
jboss-service.xml
jboss.security:service=XMLLoginConfig
login-config.xml
<!-- JAAS security manager and realm mapping -->
org.jboss.security.plugins.JaasSecurityManager
jboss-service.xml (in the -tomcat41.sar\meta-inf subdirectory)
<!-- A HTTP/1.1 Connector on port 8082 -->
login-conf.xml
<application-policy name = "User-Basic-Authentication">
  <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                flag = "required" />
</application-policy>
Any thoughts or pointers would be much appreciated.
Cheers,
Jon
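A cross-descriptor check for the names this post depends on, added here as an example and not part of the original post or of JBoss: it confirms that the web tier and the EJB tier name the same JAAS domain, that the domain has an application-policy, and that the constrained role is declared. The embedded descriptors are constructed from the values quoted above; the `<web-app>`, `<jboss>`, `<policy>` and `<authentication>` wrappers and the function names `jaas_domain` and `check` are assumptions.

```python
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"

# Constructed descriptors that mirror the values quoted in the post.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>*.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>everyone</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>everyone</role-name></security-role>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/User-Basic-Authentication</security-domain></jboss-web>"
JBOSS_XML = "<jboss><security-domain>java:/jaas/User-Basic-Authentication</security-domain></jboss>"
LOGIN_CONFIG_XML = """<policy><application-policy name="User-Basic-Authentication">
  <authentication><login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/></authentication>
</application-policy></policy>"""

def jaas_domain(descriptor):
    """Return the bare domain name from <security-domain>, or None if absent."""
    node = ET.fromstring(descriptor).find(".//security-domain")
    if node is None or not (node.text or "").strip():
        return None
    name = node.text.strip()
    return name[len(JAAS_PREFIX):] if name.startswith(JAAS_PREFIX) else name

def check(web_xml, jboss_web_xml, jboss_xml, login_config_xml):
    """Return a list of mismatches between the four descriptors (empty if consistent)."""
    findings = []
    web, ejb = jaas_domain(jboss_web_xml), jaas_domain(jboss_xml)
    policies = {p.get("name") for p in ET.fromstring(login_config_xml).iter("application-policy")}
    for tier, domain in (("web", web), ("ejb", ejb)):
        if domain is None:
            findings.append(f"{tier}: no security-domain declared")
        elif domain not in policies:
            findings.append(f"{tier}: no application-policy named {domain!r}")
    if web != ejb:
        findings.append(f"web and ejb tiers use different domains: {web!r} vs {ejb!r}")
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in root.findall("./security-role/role-name")}
    for r in root.findall(".//auth-constraint/role-name"):
        if r.text.strip() not in declared:
            findings.append(f"web.xml: role {r.text.strip()!r} not declared in security-role")
    return findings

if __name__ == "__main__":
    print(check(WEB_XML, JBOSS_WEB_XML, JBOSS_XML, LOGIN_CONFIG_XML) or "descriptors are consistent")
```

An empty result only shows that the names line up across the files; it says nothing about how the container propagates the caller identity at run time.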