5 Replies Latest reply on Jul 18, 2005 8:49 AM by jbrosan

    Can't DatabaseServerLoginModule and SSO to work with web-app

    jbrosan

      Hello everyone,

      I am using JBoss 4.0.2 w/Tomcat 5.5.9 (integrated) along with jTDS and SQLServer for a project.

      I would like to use DatabaseServerLoginModule and single sign-on. I've created the appropriate tables in my database for users and roles. I've created simple jsp pages for login and login error. I've also modified my login-config.xml, jboss-web.xml and web.xml to handle the security. I am using the Tomcat valve for singlesignon.

      However, when I test the protected resource with a valid userid and password, I get a 403 error message. If I try to login with an invalid userid and password, I get the error jsp that I created.

      This tells me that I am authenticating the user, but I am probably screwing something up with the roles as I cannot get access to the restricted resource even with the correct userid and password.

      What I am trying to accomplish is

      1. Authenticate a user against the database tables for userid and appropriate roles.

      2. Use a custom error page when the user does not have access to the resource. Uid/pw combo AND role

      3. Use SSO across the various web-apps that will comprise this project. Is it possible or correct for one web-app to handle all of the login/logout processing? If a user tries to access a web-app can that web-app redirect the user to a login page in another web-app? All of these web-apps will be in the same container.

      Any help that could be provided, would be most appreciated.

      Thanks,
      Howler


      Here is my stuff


      web.xml

      
      <?xml version="1.0" encoding="UTF-8"?>
      <web-app version="2.4"
       xmlns="http://java.sun.com/xml/ns/j2ee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
       http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
      
       <resource-ref>
       <res-ref-name>jdbc/DefaultDS</res-ref-name>
       <res-type>javax.sql.DataSource</res-type>
       <res-auth>Container</res-auth>
       </resource-ref>
      
      <security-constraint>
       <web-resource-collection>
       <web-resource-name>A Protected Page</web-resource-name>
       <url-pattern>/greeting.jsp</url-pattern>
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       </web-resource-collection>
      
       <auth-constraint>
       <role-name>admin</role-name>
       </auth-constraint>
      
      </security-constraint>
      
      <security-role>
       <role-name>admin</role-name>
      </security-role>
      
      <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/loginerror.jsp</form-error-page>
       </form-login-config>
      </login-config>
      </web-app>
      
      




      login-config.xml

      
      
      <?xml version='1.0'?>
      <!DOCTYPE policy PUBLIC
       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
      
      <!-- The XML based JAAS login configuration read by the
      org.jboss.security.auth.login.XMLLoginConfig mbean. Add
      an application-policy element for each security domain.
      
      The outline of the application-policy is:
      <application-policy name="security-domain-name">
       <authentication>
       <login-module code="login.module1.class.name" flag="control_flag">
       <module-option name = "option1-name">option1-value</module-option>
       <module-option name = "option2-name">option2-value</module-option>
       ...
       </login-module>
      
       <login-module code="login.module2.class.name" flag="control_flag">
       ...
       </login-module>
       ...
       </authentication>
      </application-policy>
      
      $Revision: 1.12.2.2 $
      -->
      
      <policy>
       <!-- Used by clients within the application server VM such as
       mbeans and servlets that access EJBs.
       -->
       <application-policy name = "client-login">
       <authentication>
       <login-module code = "org.jboss.security.ClientLoginModule"
       flag = "required">
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- Security domain for JBossMQ -->
       <application-policy name = "jbossmq">
       <authentication>
       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag = "required">
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       <module-option name = "dsJndiName">java:/DefaultDS</module-option>
       <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
       <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- Security domain for JBossMQ when using file-state-service.xml
       <application-policy name = "jbossmq">
       <authentication>
       <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
       flag = "required">
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
       </login-module>
       </authentication>
       </application-policy>
       -->
      
       <!-- Security domains for testing new jca framework -->
       <application-policy name = "HsqlDbRealm">
       <authentication>
       <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
       flag = "required">
       <module-option name = "principal">sa</module-option>
       <module-option name = "userName">sa</module-option>
       <module-option name = "password"></module-option>
       <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <application-policy name = "JmsXARealm">
       <authentication>
       <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
       flag = "required">
       <module-option name = "principal">guest</module-option>
       <module-option name = "userName">guest</module-option>
       <module-option name = "password">guest</module-option>
       <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- A template configuration for the jmx-console web application. This
       defaults to the UsersRolesLoginModule the same as other and should be
       changed to a stronger authentication mechanism as required.
       -->
       <application-policy name = "jmx-console">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required">
       <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
       <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- A template configuration for the web-console web application. This
       defaults to the UsersRolesLoginModule the same as other and should be
       changed to a stronger authentication mechanism as required.
       -->
       <application-policy name = "web-console">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required">
       <module-option name="usersProperties">web-console-users.properties</module-option>
       <module-option name="rolesProperties">web-console-roles.properties</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- A template configuration for the JBossWS web application (and transport layer!).
       This defaults to the UsersRolesLoginModule the same as other and should be
       changed to a stronger authentication mechanism as required.
       -->
       <application-policy name="JBossWS">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag="required">
       <module-option name="unauthenticatedIdentity">anonymous</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- The default login configuration used by any security domain that
       does not have a application-policy entry with a matching name
       -->
       <application-policy name = "other">
       <!-- A simple server login module, which can be used when the number
       of users is relatively small. It uses two properties files:
       users.properties, which holds users (key) and their password (value).
       roles.properties, which holds users (key) and a comma-separated list of
       their roles (value).
       The unauthenticatedIdentity property defines the name of the principal
       that will be used when a null username and password are presented as is
       the case for an unuathenticated web client or MDB. If you want to
       allow such users to be authenticated add the property, e.g.,
       unauthenticatedIdentity="nobody"
       -->
       <authentication>
       <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required" />
       </authentication>
       </application-policy>
      
       <application-policy name = "mysecurity">
       <authentication>
       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       <module-option name = "dsJndiName">java:/DefaultDS</module-option>
       <module-option name = "principalsQuery">SELECT sec_user_password FROM SEC_USERS WHERE sec_user_id=?</module-option>
       <module-option name = "rolesQuery">SELECT Role 'Roles', RoleGroup 'RoleGroups' FROM SEC_USER_ROLES WHERE sec_user_id=?</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
      </policy>
      



      jboss-web.xml

      
      
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
       <resource-ref>
       <res-ref-name>jdbc/DefaultDS</res-ref-name>
       <res-type>javax.sql.DataSource</res-type>
       <res-auth>Container</res-auth>
       </resource-ref>
      
       <security-domain>java:/jaas/mysecurity</security-domain>
      </jboss-web>
      
      



      I added the following to my log4j.xml file to get logging information.

      
      
      ...
       <category name="org.jboss.security">
       <priority value="TRACE" class="org.jboss.logging.XLevel"/>
       </category>
      ...
      
      


      After checking server.log I see that it looks like I'm getting authenticated and the correct role is being picked up. I'm still not sure why I am getting 403'd on my resource if I've got all of the information and assigned the correct role to the resource.

      
      
      ...
      
      2005-07-07 12:59:10,421 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'jbrosan' authenticated, loginOk=true
      2005-07-07 12:59:10,421 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
      2005-07-07 12:59:10,499 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role admin
      2005-07-07 12:59:10,499 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] updateCache, subject=Subject:
       Principal: jbrosan
       Principal: admin(members:admin)
      
      2005-07-07 12:59:10,499 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@1f23ca4[Subject(7037214).principals=[jbrosan, admin(members:admin)],credential.class=java.lang.String@18019860,expirationTime=1120760944684]
      2005-07-07 12:59:10,499 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] End isValid, true
      2005-07-07 12:59:10,514 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
       Principal: jbrosan
       Principal: admin(members:admin)
      , principal=jbrosan
      2005-07-07 12:59:10,514 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@1f23ca4[Subject(7037214).principals=[jbrosan, admin(members:admin)],credential.class=java.lang.String@18019860,expirationTime=1120760944684]
      2005-07-07 12:59:10,514 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] getUserRoles, subject: Subject:
       Principal: jbrosan
       Principal: admin(members:admin)
      
      2005-07-07 12:59:10,624 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2005-07-07 12:59:10,624 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
       Principal: jbrosan
       Principal: admin(members:admin)
      , principal=jbrosan
      2005-07-07 12:59:10,639 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
      2005-07-07 12:59:10,639 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
      2005-07-07 12:59:10,655 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2005-07-07 12:59:10,655 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
       Principal: jbrosan
       Principal: admin(members:admin)
      , principal=jbrosan
      2005-07-07 12:59:10,655 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
      2005-07-07 12:59:10,655 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
      ...
      


        • 1. Re: Can't DatabaseServerLoginModule and SSO to work with web
          jbrosan

          Well, after much pounding of my head during the last few days, I actually found a solution.

          As it turns out, I needed to remove the security role tag from the web.xml file and place an '*' into the role-name tag.

          It's currently my assumption that once the user is authenticated, the code would check the user's roles to make sure they could have access to the application.

          
          
          <?xml version="1.0" encoding="UTF-8"?>
          <web-app version="2.4"
           xmlns="http://java.sun.com/xml/ns/j2ee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
           http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
          
           <resource-ref>
           <description>MyApp Datasource</description>
           <res-ref-name>jdbc/DefaultDS</res-ref-name>
           <res-type>javax.sql.DataSource</res-type>
           <res-auth>Container</res-auth>
           <res-sharing-scope>Shareable</res-sharing-scope>
           </resource-ref>
          <security-constraint>
           <web-resource-collection>
           <web-resource-name>MyApplication</web-resource-name>
           <url-pattern>/greeting.jsp</url-pattern>
           <http-method>HEAD</http-method>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
           <http-method>DELETE</http-method>
           </web-resource-collection>
           <auth-constraint>
           <role-name>*</role-name>
           </auth-constraint>
           <user-data-constraint>
           <transport-guarantee>NONE</transport-guarantee>
           </user-data-constraint>
          </security-constraint>
          
          <login-config>
           <auth-method>FORM</auth-method>
           <realm-name>MyRealm</realm-name>
           <form-login-config>
           <form-login-page>/login.jsp</form-login-page>
           <form-error-page>/loginerror.jsp</form-error-page>
           </form-login-config>
          </login-config>
          </web-app>
          


          • 2. Re: Can't DatabaseServerLoginModule and SSO to work with web
            bndct0

            Hi Howler,

            can you share how you configured the tomcat valve sso and the servlet code for your login.jsp? I can get authenticated but it always asks for the userid/password when I visit the secured pages (even after a successful authentication seconds ago). Thanks.

            I've placed some of the logs I get when I tried to login.

            20:43:54,954 INFO [Engine] SingleSignOn[localhost]: Process request for '/SFC/pages/dieSales.jsp'
            20:43:54,954 INFO [Engine] SingleSignOn[localhost]: Checking for SSO cookie
            20:43:54,954 INFO [Engine] SingleSignOn[localhost]: SSO cookie is not present
            20:43:54,954 INFO [Engine] RequestDumperValve[localhost]: ---------------------------------------------------------------
            20:43:54,954 INFO [Engine] RequestDumperValve[localhost]: authType=null
            20:43:54,954 INFO [Engine] RequestDumperValve[localhost]: contentLength=-1
            20:43:54,954 INFO [Engine] RequestDumperValve[localhost]: contentType=text/html;charset=ISO-8859-1
            20:43:54,954 INFO [Engine] RequestDumperValve[localhost]: header=X-Powered-By=Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.1sp1 (build: CVSTag=JBoss_4_0_1_SP1 date=200502160314)
            20:43:54,954 INFO [Engine] RequestDumperValve[localhost]: message=null
            20:43:54,954 INFO [Engine] RequestDumperValve[localhost]: remoteUser=null
            20:43:54,954 INFO [Engine] RequestDumperValve[localhost]: status=200
            20:43:54,954 INFO [Engine] RequestDumperValve[localhost]: ===============================================================


            2005-07-14 20:38:54,091 DEBUG [org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory] Using properties: {user=oltp_test710, password=--hidden--}
            2005-07-14 20:38:55,133 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'ftcs' authenticated, loginOk=true
            2005-07-14 20:38:55,133 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
            2005-07-14 20:38:55,143 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role ftcs
            2005-07-14 20:38:55,143 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] logout
            2005-07-14 20:38:55,203 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
            2005-07-14 20:38:55,213 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
            2005-07-14 20:38:55,213 DEBUG [org.jboss.web.tomcat.tc5.session.JBossCacheManager] check to see if needs to store and replicate session with id CAF1yyW2ZhwzU7ACjq2x-w**
            2005-07-14 20:38:55,213 DEBUG [org.jboss.web.tomcat.tc5.session.ClusteredSession] processSessionRepl(): session is dirty. Will increment version from: 1 and replicate.


            • 3. Re: Can't DatabaseServerLoginModule and SSO to work with web
              jbrosan

              Hi bndct0,

              I would be glad to share. :-)

              All I did was to uncomment the following line in the server.xml file.

              <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
              

              Mine is located at:

              C:\jboss-4.0.2\server\localdev\deploy\jbossweb-tomcat55.sar

              I'm not using clustering or anything fancy like that.

              After getting authenticated and setting up the Tomcat valve, I made sure that any webapps that I wanted under the same security umbrella used the same security context.

              In addition, I added the following to my web.xml
               <login-config>
               <auth-method>FORM</auth-method>
               <realm-name>Myportal</realm-name>
               <form-login-config>
               <form-login-page>/loginredirect.jsp</form-login-page>
               <form-error-page>/loginerrorredirect.jsp</form-error-page>
               </form-login-config>
               </login-config>
              


              This allows me to use a single sign-on page that is stored in my login web-app. (I kept the login web-app separate from all the others.)

              The loginredirect.jsp is as follows:


              <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
              <html>
               <body>
               <c:redirect context="/TuraPortalLogin" url="/greeting.jsp"/>
               </body>
              </html>
              


              The loginerrorredirect.jsp is as follows:

              <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
              <html>
               <body>
               <c:redirect context="/MyPortalLogin" url="/loginerror.jsp"/>
               </body>
              </html>
              


              I use JSTL to handle the redirect between contexts.

              I don't know if you handled logging out yet, but I will post how I did it.

              I created a logout.jsp page that contains the following code:

              Logout.jsp

              <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
              <html>
               <body>
              
              <%
              request.getSession().invalidate();
              response.setHeader("Cache-Control","no-cache");
              response.setHeader("Pragma","no-cache");
              response.setDateHeader ("Expires", 0);
              %>
              
              <c:redirect context="/MyPortalLogin" url="/greeting.jsp"/>
              
               </body>
              </html>
              
              <a href="/MyPortalLogin/logout.jsp">Logout</a>
              


              This has worked well for me as I can now login/logout from anywhere and when I logout, the user is taken back to the login screen.

              I hope this helps. I'll try to help you any way I can.

              Thanks,
              John "Howler" Brosan

              • 4. Re: Can't DatabaseServerLoginModule and SSO to work with web
                jbrosan

                Well, I thought that I had this problem resolved, but I really don't.

                It seems that the DatabaseServerLoginModule is logging me in and getting my roles:

                2005-07-15 15:20:22,750 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'jbrosan' authenticated, loginOk=true
                2005-07-15 15:20:22,750 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
                2005-07-15 15:20:22,765 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role DEV
                2005-07-15 15:20:22,765 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role MIS
                



                It seems that the web container is not getting the roles. If I do
                 <%= request.getUserPrincipal().getName() %>
                


                I get the correct principal. But if I try the following:

                <%out.println(request.isUserInRole("DEV")); %>
                


                I get false.

                Here is my most recent login-config.xml

                <?xml version='1.0'?>
                <!DOCTYPE policy PUBLIC
                 "-//JBoss//DTD JBOSS Security Config 3.0//EN"
                 "http://www.jboss.org/j2ee/dtd/security_config.dtd">
                
                <!-- The XML based JAAS login configuration read by the
                org.jboss.security.auth.login.XMLLoginConfig mbean. Add
                an application-policy element for each security domain.
                
                The outline of the application-policy is:
                <application-policy name="security-domain-name">
                 <authentication>
                 <login-module code="login.module1.class.name" flag="control_flag">
                 <module-option name = "option1-name">option1-value</module-option>
                 <module-option name = "option2-name">option2-value</module-option>
                 ...
                 </login-module>
                
                 <login-module code="login.module2.class.name" flag="control_flag">
                 ...
                 </login-module>
                 ...
                 </authentication>
                </application-policy>
                
                $Revision: 1.12.2.2 $
                -->
                
                <policy>
                 <!-- Used by clients within the application server VM such as
                 mbeans and servlets that access EJBs.
                 -->
                 <application-policy name = "client-login">
                 <authentication>
                 <login-module code = "org.jboss.security.ClientLoginModule"
                 flag = "required">
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <!-- Security domain for JBossMQ -->
                 <application-policy name = "jbossmq">
                 <authentication>
                 <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                 flag = "required">
                 <module-option name = "unauthenticatedIdentity">guest</module-option>
                 <module-option name = "dsJndiName">java:/DefaultDS</module-option>
                 <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
                 <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <!-- Security domain for JBossMQ when using file-state-service.xml
                 <application-policy name = "jbossmq">
                 <authentication>
                 <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
                 flag = "required">
                 <module-option name = "unauthenticatedIdentity">guest</module-option>
                 <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                 -->
                
                 <!-- Security domains for testing new jca framework -->
                 <application-policy name = "HsqlDbRealm">
                 <authentication>
                 <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
                 flag = "required">
                 <module-option name = "principal">sa</module-option>
                 <module-option name = "userName">sa</module-option>
                 <module-option name = "password"></module-option>
                 <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <application-policy name = "JmsXARealm">
                 <authentication>
                 <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
                 flag = "required">
                 <module-option name = "principal">guest</module-option>
                 <module-option name = "userName">guest</module-option>
                 <module-option name = "password">guest</module-option>
                 <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <!-- A template configuration for the jmx-console web application. This
                 defaults to the UsersRolesLoginModule the same as other and should be
                 changed to a stronger authentication mechanism as required.
                 -->
                 <application-policy name = "jmx-console">
                 <authentication>
                 <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag = "required">
                 <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
                 <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <!-- A template configuration for the web-console web application. This
                 defaults to the UsersRolesLoginModule the same as other and should be
                 changed to a stronger authentication mechanism as required.
                 -->
                 <application-policy name = "web-console">
                 <authentication>
                 <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag = "required">
                 <module-option name="usersProperties">web-console-users.properties</module-option>
                 <module-option name="rolesProperties">web-console-roles.properties</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <!-- A template configuration for the JBossWS web application (and transport layer!).
                 This defaults to the UsersRolesLoginModule the same as other and should be
                 changed to a stronger authentication mechanism as required.
                 -->
                 <application-policy name="JBossWS">
                 <authentication>
                 <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag="required">
                 <module-option name="unauthenticatedIdentity">anonymous</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                
                 <!-- The default login configuration used by any security domain that
                 does not have a application-policy entry with a matching name
                 -->
                 <application-policy name = "other">
                 <!-- A simple server login module, which can be used when the number
                 of users is relatively small. It uses two properties files:
                 users.properties, which holds users (key) and their password (value).
                 roles.properties, which holds users (key) and a comma-separated list of
                 their roles (value).
                 The unauthenticatedIdentity property defines the name of the principal
                 that will be used when a null username and password are presented as is
                 the case for an unuathenticated web client or MDB. If you want to
                 allow such users to be authenticated add the property, e.g.,
                 unauthenticatedIdentity="nobody"
                 -->
                 <authentication>
                 <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag = "required" />
                 </authentication>
                 </application-policy>
                
                 <application-policy name = "turaportal">
                 <authentication>
                
                 <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
                 <module-option name = "unauthenticatedIdentity">guest</module-option>
                 <module-option name = "dsJndiName">java:/TuraPortalDS</module-option>
                 <module-option name = "principalsQuery">SELECT sec_user_password,sec_vendor_id_nbr FROM SEC_TURA_USERS WHERE sec_user_id=?</module-option>
                 <!-- <module-option name = "rolesQuery">SELECT Role 'Roles', RoleGroup 'RoleGroups' FROM SEC_TURA_USER_ROLES WHERE sec_user_id=?</module-option> -->
                 <module-option name = "rolesQuery">SELECT Role, RoleGroup as 'Roles' FROM SEC_TURA_USER_ROLES WHERE sec_user_id=?</module-option>
                 </login-module>
                 <!-- <login-module code = "org.jboss.security.ClientLoginModule" flag = "required"></login-module> -->
                 </authentication>
                 </application-policy>
                </policy>
                



                I'm using SQLServer and everything seems to work. The web container just doesn't get the roles.

                Any assistance would be GREATLY appreciated.

                Thanks
                John

                • 5. Re: Can't DatabaseServerLoginModule and SSO to work with web
                  jbrosan

                  My issue is now really resolved. The query for the roles was incorrect.


                  I originally had the following in my login-config.xml

                  <module-option name = "rolesQuery">SELECT Role 'Roles', RoleGroup 'RoleGroups' FROM USER_ROLES WHERE ser_id=?</module-option> -->
                  



                  It should have been:
                  <module-option name = "rolesQuery">SELECT Role, 'Roles' FROM USER_ROLES WHERE user_id=?</module-option>
                  


                  Life is now good! :-D
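As an added illustration (not code from this thread or from JBoss), here is a small Python/sqlite3 model of how DatabaseServerLoginModule consumes the rolesQuery result: column 1 is the role name, column 2 is the group the role is filed under (NULL or empty defaults to "Roles"), the column aliases are never consulted, and the web container's isUserInRole only looks in the group named "Roles". Running the original query shape beside the fix from this reply reproduces the symptom seen earlier in the thread (authenticated, roles logged, isUserInRole false, hence the 403); the table layout, sample users and the roles_query_warnings helper are constructed for this example.

```python
import sqlite3

# Constructed sample data modelled on the thread's USER_ROLES table:
# one row per (user, role), plus the RoleGroup column the original query selected.
SAMPLE_ROWS = [
    ("jbrosan", "DEV", "Developers"),
    ("jbrosan", "MIS", "Developers"),
    ("bob", "admin", "admin"),
]

# Positionally the same as "SELECT Role 'Roles', RoleGroup 'RoleGroups' ...":
# the second column is a data value, and the aliases do not matter to the login module.
BROKEN_ROLES_QUERY = "SELECT Role, RoleGroup FROM USER_ROLES WHERE user_id=?"
# The fix from the last reply: the second column is the literal group name 'Roles'.
FIXED_ROLES_QUERY = "SELECT Role, 'Roles' FROM USER_ROLES WHERE user_id=?"


def make_db():
    """Build an in-memory table with the constructed rows (stands in for SQLServer)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USER_ROLES (user_id TEXT, Role TEXT, RoleGroup TEXT)")
    conn.executemany("INSERT INTO USER_ROLES VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def load_role_sets(conn, roles_query, username):
    """Mimic the login module: map group name -> set of role names, read by column position."""
    groups = {}
    for row in conn.execute(roles_query, (username,)):
        role_name = row[0]
        # A missing, NULL or empty second column falls back to the default group "Roles".
        group_name = row[1] if len(row) > 1 and row[1] else "Roles"
        groups.setdefault(group_name, set()).add(role_name)
    return groups


def is_user_in_role(groups, role_name):
    """Mimic the container check: only the group named 'Roles' is consulted."""
    return role_name in groups.get("Roles", set())


def roles_query_warnings(conn, roles_query, username):
    """Hypothetical lint: flag a rolesQuery whose rows would not land in the 'Roles' group."""
    warnings = []
    cur = conn.execute(roles_query, (username,))
    ncols = len(cur.description)
    if ncols != 2:
        warnings.append(f"rolesQuery returns {ncols} column(s); expected 2 (role, group)")
    for row in cur:
        group = row[1] if ncols > 1 else None
        if group and group != "Roles":
            warnings.append(f"role {row[0]!r} lands in group {group!r}, not 'Roles'")
    return warnings


def diagnose(conn, roles_query, username, role_name):
    """Return (role groups, isUserInRole result) for one query shape, as a practitioner would check."""
    groups = load_role_sets(conn, roles_query, username)
    return groups, is_user_in_role(groups, role_name)


if __name__ == "__main__":
    db = make_db()
    for label, query in (("broken", BROKEN_ROLES_QUERY), ("fixed", FIXED_ROLES_QUERY)):
        groups, in_role = diagnose(db, query, "jbrosan", "DEV")
        print(f"{label}: groups={groups} isUserInRole('DEV')={in_role}")
        for w in roles_query_warnings(db, query, "jbrosan"):
            print(f"  warning: {w}")
```

The same position-based reading is consistent with the earlier trace line "Principal: admin(members:admin)": the role admin had been filed under a group named admin rather than under Roles.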