5 Replies Latest reply on Aug 17, 2005 5:52 AM by mdeyab

    New to security in JBoss

    mdeyab

      Hi all

      I defined a security constraint in the web.xml file that looks like this

      <security-constraint>
        <web-resource-collection>
          <url-pattern>/timesheet/controllers/timesheets/*</url-pattern>
          <url-pattern>/Timesheets/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>employee</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      also I am using the "other" security Realm
      with the files

      "users.properties" that looks like the following

      employee=employee
      project manager=project manager
      operation manager=operation manager
      resource manager=resource manager
      manager=manager

      and "roles.properties" that looks like the following

      employee=employee
      project manager=project manager
      operation manager=operation manager
      resource manager=resource manager
      manager=manager

      so from my little knowledge the user employee has password employee and the role employee and /Timesheets/* pattern requires role employee

      my welcome index file redirects to /Timesheets/Timesheets.do
      when I open the timesheet application the index file redirects to Timesheets/Timesheets.do so it asks for login and shows me the login-form.jsp. I enter username: employee and password: employee

      and here is the problem: I expected it to log me in to the timesheets page but instead I get this error page

      HTTP Status 403 - User is not authorized to access action /Timesheets/Timesheets
      type Status report
      message User is not authorized to access action /Timesheets/Timesheets
      description Access to the specified resource (User is not authorized to access action /Timesheets/Timesheets) has been forbidden.
      Apache Tomcat/5.0.28

      can any one tell me what is the problem

      Sorry for the long Post

      yours,
      Mohamed Fthay

        • 1. Re: New to security in JBoss
          tremalnaik

          what did you put in your web.xml as

          <login-config>
          ......
           </login-config>
          


          • 2. Re: New to security in JBoss
            mdeyab

            I am using form based configuration and I am specifying my "timesheet" Realm which actually is nothing. From my little knowledge I think that JBoss will use the "other" Realm

            <login-config>
              <auth-method>FORM</auth-method>
              <realm-name>timesheet</realm-name>
              <form-login-config>
                <form-login-page>/login/login-form.jsp</form-login-page>
                <form-error-page>/login/login-form.jsp?action=error</form-error-page>
              </form-login-config>
            </login-config>

            Is that ok

            • 3. Re: New to security in JBoss
              tremalnaik

              Did you try without the tag

              <realm-name>timesheet</realm-name>
              ? I'm not able to say more...

              • 4. Re: New to security in JBoss
                mdeyab

                yes I tried it, the same problem exists. I don't know what the problem is

                • 5. Re: New to security in JBoss
                  mdeyab

                  There is something I've noted today

                  the problem exists only with struts *.do pages but anything else is working fine (i.e. JSP files simple servlets .. etc) only struts *.do actions have the problem.

                  I thought maybe the struts servlet tries to access some resources that are not authorized to the current user (maybe .. I am not sure).

                  I want to know if there is any configuration that should be done to the struts servlet

                  I really need some help guys the due date of my project is so soon

                  yours,
                  Mohamed Fathy