5 Replies Latest reply on Mar 3, 2006 9:53 PM by j2ee_junkie

    Web Application JAAS and JBOSS Configuration

    dm1000

      Hello,

      I'm developing a web application using the Struts framework and JBoss. For authentication and authorization I'd like to use JAAS in a declarative way.
      Up to now I've done the following steps:

      Editing the web.xml

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>ProtectedFolder</web-resource-name>
           <url-pattern>/jsp/*</url-pattern>
           <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
           <role-name>admin</role-name>
         </auth-constraint>
       </security-constraint>
      
      ....
      
       <login-config>
         <auth-method>FORM</auth-method>
         <form-login-config>
           <form-login-page>/form/index.jsp</form-login-page>
           <form-error-page>/error.jsp</form-error-page>
         </form-login-config>
       </login-config>

      and building the login-form:

      <html:form action="j_security_check">
        <table border="0">
          <tr>
            <td><bean:message key="label.login.name"/></td>
            <td><html:text property="j_username" /></td>
          </tr>
          <tr>
            <td><bean:message key="label.login.password"/></td>
            <td><html:password property="j_password" /></td>
          </tr>
          <tr>
            <td colspan="2"><html:errors/></td>
          </tr>
          <tr>
            <td colspan="2" align="center"><html:submit/><html:cancel/></td>
          </tr>
        </table>
      </html:form>

      I've read some documentation, but I don't know how to proceed. I know that I have to write a LoginModule. I'll use the UsernamePasswordLoginModule. The passwords and usernames are in a database. Can I put the queries in the login() method?

      Another question is where I have to put this module and what else I have to do.

      Thank you very much!

      Daniel

        • 1. Re: Web Application JAAS and JBOSS Configuration
          j2ee_junkie

          Daniel,

          1.) Do not forget to declare your security role admin in your web.xml file using the security-role element.

          2.) You do not have to write a login module. Look at org.jboss.security.auth.spi.DatabaseServerLoginModule.

          3.) You need to specify to JBoss that your web application should be secured by setting the security-domain element in your jboss-web.xml file.

          4.) If you are securing EJBs you need to configure those as well.

          Read chapter 8 of the server guide at http://docs.jboss.org/jbossas/jboss4guide/r3/html/ch8.chapter.html

          have fun, cgriffith

          • 2. Re: Web Application JAAS and JBOSS Configuration
            dm1000

            Thank you so far!
            I have now generated the jboss-web.xml and the login-config.xml files.
            But where do I have to put them? If I put them into my WEB-INF folder, the JBoss server did not find them.

            Greetings
            Daniel

            PS: no EJBs involved ;)

            • 3. Re: Web Application JAAS and JBOSS Configuration
              j2ee_junkie

              You really should read the server guide, but just to kick start you...

              The jboss-web.xml should be in your war's WEB-INF directory. The contents of the login-config.xml file gets added to ${SERVER}/conf/login-config.xml file.

              cgriffith
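              Putting the pieces from replies 1 and 3 together, here is an added example (not from the thread or the JBoss docs) of the three fragments involved; the policy name MyWebAppRealm, the datasource JNDI name and the table and column names are assumptions.

```xml
<!-- web.xml: declare the role the auth-constraint refers to (reply 1, item 1) -->
<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- jboss-web.xml, inside the war's WEB-INF (reply 1 item 3, reply 3):
     binds the web application to a JAAS security domain. Name is assumed. -->
<jboss-web>
  <security-domain>java:/jaas/MyWebAppRealm</security-domain>
</jboss-web>

<!-- application-policy to add to ${SERVER}/conf/login-config.xml (reply 3),
     using DatabaseServerLoginModule instead of a hand-written LoginModule
     (reply 1, item 2). Datasource, table and column names are assumed. -->
<application-policy name="MyWebAppRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- datasource the module runs both queries against -->
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <!-- one column: the stored password for the submitted j_username -->
      <module-option name="principalsQuery">select password from users where username = ?</module-option>
      <!-- two columns: role name and role group; 'Roles' is the group
           request.isUserInRole() is checked against -->
      <module-option name="rolesQuery">select role, 'Roles' from user_roles where username = ?</module-option>
      <!-- keep password hashes rather than plaintext in the table: the module
           hashes the submitted j_password before comparing it to the query result -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
```

              Note that the security-constraint in the first post lists only POST, so GET requests to /jsp/* are not covered by it; omitting the http-method element makes the constraint apply to every method.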

              • 4. Re: Web Application JAAS and JBOSS Configuration
                dm1000

                Now I've read the documentation carefully;)

                But now I've another problem. I use Struts and the framework intercepts all actions, even the j_security_check action. So there is no possibility to log in via this mechanism?

                I also authenticated the user manually via lc.login(). But then I cannot use the request.isUserInRole() method.

                Does anybody know how to approach this problem?

                • 5. Re: Web Application JAAS and JBOSS Configuration
                  j2ee_junkie

                  You do not need to worry about Struts intercepting an HTML form posting to 'j_security_check'. The Tomcat container will intercept this request. You do need to read the Struts documentation on how security is handled by ActionServlet. I do not remember the details.

                  good luck, cgriffith