Web Container Security in JBoss 4.0.1
gkagka Dec 21, 2005 3:16 PMI am trying to use Web Container Security to protect the content for one of my applications running on JBoss 4.0.1 and MySQL environment. Below are the details of my application/environment.
The application deploys without any errors. When I access a page under protected folder (http://localhost:8080/jsf-etc/protected/about.html), it presents the login form (LoginForm.html). And if I type wrong login information, say admin/abc, it shows LoginError.html. Which is correct.
Problem: When I provide correct login information, admin/admin or gka/gka, it returns 403 status message shown below. What's missing or wrong here?
Any help will be appreciated. Thanks in advance.
HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
Apache Tomcat/5.0.28
Application: jsf-etc.ear
------------------------
META-INF/MANIFEST.MF
META-INF/application.xml
META-INF/jboss-app.xml
jsf-etc-login-config.xml
jsf-etc-login-service.xml
jsf-etc.war
application.xml
---------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE application PUBLIC
"-//Sun Microsystems, Inc.//DTD J2EE Application 1.3//EN"
"http://java.sun.com/dtd/application_1_3.dtd">
<display-name>JSF ETC</display-name>
JSF ETC
<web-uri>jsf-etc.war</web-uri>
<context-root>jsf-etc</context-root>
jboss-app.xml
-------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-app PUBLIC
"-//JBoss//DTD J2EE Application 1.4//EN"
"http://www.jboss.org/j2ee/dtd/jboss-app_4_0.dtd">
<jboss-app>
jsf-etc-login-service.xml
</jboss-app>
jsf-etc-login-config.xml
------------------------
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">
<application-policy name="jsfetc">
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag="required">
<module-option name="unauthenticatedIdentity">rhdb</module-option>
<module-option name="dsJndiName">java:/MySqlDS</module-option>
<module-option name="principalsQuery">
select password from principals where username=?
</module-option>
<module-option name="rolesQuery">
select role, groupname from roles where username=?
</module-option>
</login-module>
</application-policy>
jsf-etc-login-service.xml
-------------------------
<?xml version="1.0" encoding="UTF-8"?>
jsf-etc-login-config.xml
<depends optional-attribute-name="LoginConfigService">
jboss.security:service=XMLLoginConfig
<depends optional-attribute-name="SecurityManagerService">
jboss.security:service=JaasSecurityManager
Web Module: jsf-etc.war
-----------------------
META-INF/MANIFEST.MF
WEB-INF/lib/jsp-api.jar
WEB-INF/lib/jstl.jar
WEB-INF/lib/standard.jar
WEB-INF/jboss-web.xml
WEB-INF/web.xml
LoginError.html
LoginForm.html
index.html
protected/safe.html
jboss-web.xml
-------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC
"-//JBoss//DTD Web Application 2.4//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
<jboss-web>
<security-domain flushOnSessionInvalidation="false">java:/jaas/jsfetc</security-domain>
<context-root>jsf-etc</context-root>
<security-role>
<role-name>admin</role-name>
<principal-name>admin</principal-name>
</security-role>
</jboss-web>
web.xml
-------
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
Security constraint for "protected" folder
<url-pattern>/protected/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
Only 'admin' can login
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
No SSL yet
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/LoginForm.html</form-login-page>
<form-error-page>/LoginError.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
Secure Role
<role-name>admin</role-name>
</security-role>
</web-app>
LoginForm.html
--------------
Login Form
<h1>Login Form</h1>
Username:
Password:
Database tables in localhost/rhdb database
------------------------------------------
select * from principals;
+----------+----------+
| username | password |
+----------+----------+
| gka | gka |
| admin | admin |
+----------+----------+
select * from roles;
+----------+-------+-----------+
| username | role | groupname |
+----------+-------+-----------+
| gka | admin | any |
| admin | admin | dontcare |
+----------+-------+-----------+
mysql-ds.xml in jboss-4.0.1\server\default\deploy folder
--------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<local-tx-datasource>
<jndi-name>MySqlDS</jndi-name>
<connection-url>jdbc:mysql://localhost:3306/rhdb</connection-url>
<driver-class>com.mysql.jdbc.Driver</driver-class>
<user-name>rhdb</user-name>
rhdb
<exception-sorter-class-name>
org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter
</exception-sorter-class-name>
<type-mapping>mySQL</type-mapping>
</local-tx-datasource>