3 Replies Latest reply on Feb 14, 2007 4:30 AM by wonker

    form based authentication not working under JBoss 4.0.5 but

    wonker

      I am having trouble with jaas and jboss under JBoss 4.0.5 (does work in 3.2.5).

      When I try to access a protected resource, I get redirected to the login page as I should (j_security_check enabled), but logging in gives me a 404:

      http://host/admin/action/Home ->
      http://host/admin/Login.jsp ->
      http://host/j_security_check;jsessionid=1 (404)

      With JBoss 3.2.5 when I try and access the protected resource I get sent to the login page, but it has a session id appended to it and it works fine (I get sent to the resource):
      http://host/admin/action/Home ->
      http://host/admin/Login.jsp;jsessionid=2 ->
      http://host/admin/action/Home;jsessionid=2

      The interesting thing is, when I handcraft the login URL for 4.0.5 to be like the 3.2.5 one, it works:
      http://host/admin/action/Home ->
      http://host/admin/Login.jsp ->
      http://host/j_security_check;jsessionid=3 (404)
      
      http://host/admin/Login.jsp;jsessionid=3 (I know the session id, so I can construct the URL) ->
      http://host/admin/action/Home;jsessionid=3

      I have checked the forum posts and can't see anything of note. I have added my config below, but it does work in a way, as when I handcraft the URL it works fine.

      Anyone have any idea? Cheers in advance.

        • 1. Re: form based authentication not working under JBoss 4.0.5
          wonker

          Bugger, forgot the configs, sorry:

          *** Login.jsp ***

          <FORM method="POST" name="j_security_check" action='<%=response.encodeURL("j_security_check") %>'>
            <input type="text" name="j_username">
            <input type="password" name="j_password">
            <input type="submit" value="Log In">
          </FORM>

          *** web.xml ***

          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Admin Tool</web-resource-name>
              <description>The Admin site</description>
              <url-pattern>/action/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              <http-method>PUT</http-method>
            </web-resource-collection>
            <auth-constraint>
              <role-name>Admin System</role-name>
            </auth-constraint>
          </security-constraint>
          <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>ADMIN</realm-name>
            <form-login-config>
              <form-login-page>/Login.jsp</form-login-page>
              <form-error-page>/Login.jsp?error=true</form-error-page>
            </form-login-config>
          </login-config>
          <security-role>
            <role-name>Admin System</role-name>
          </security-role>

          *** jboss-web.xml ***

          <jboss-web>
            <context-root>/admin</context-root>
            <security-domain>java:/jaas/admin-profile</security-domain>
          </jboss-web>

          *** login-config.xml ***

          <application-policy name="admin-profile">
            <authentication>
              <login-module code="foo.bar.jaas.spi.LdapLoginModule" flag="required">
                <module-option name="noauth">false</module-option>
                <module-option name="debug">false</module-option>
                <module-option name="principalClass">foo.bar.jaas.AdminPrincipal</module-option>
              </login-module>
            </authentication>
          </application-policy>


          • 2. Re: form based authentication not working under JBoss 4.0.5
            wonker

            Also worth a mention is that, under 3.2.5 when I request a protected resource JBoss issues a 302 which sends me to the login page with the sessionid etc.

             Under 4.0.2, however, no 302 is issued.

            • 3. Re: form based authentication not working under JBoss 4.0.5
              wonker

              The problem was that the FormAuthenticator class under 3.2.5 used a Response.sendRedirect() to get me to my login page, which issues a 302.

               Under 4.0.5, however, the class uses RequestDispatcher.forward() to get me to the login page, which issues no such 302, therefore causing a 404 error on form submission.
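The redirect-versus-forward difference described in the last reply changes the URL the browser resolves a relative form action against. The following is an added example, not code from the thread or from JBoss: it models both authenticator strategies with the WHATWG URL parser, using the relative action "j_security_check" from the posted Login.jsp and constructed URLs for the host, context and session ids; the context-rooted action it also checks is the editor's suggested hardening, not something the thread states.

```javascript
// Added example: where does the browser POST the login form, depending on how
// the container delivered Login.jsp? All URLs below are constructed.
const CONTEXT = "/admin";                                // from jboss-web.xml
const PROTECTED = "http://host/admin/action/Home";       // the requested resource
const LOGIN_PAGE = "/admin/Login.jsp";                   // form-login-page in context

// The URL shown in the browser's address bar once the login form is displayed.
function browserBaseAfter(strategy, requestedUrl, loginPage, sessionId) {
  if (strategy === "redirect") {
    // 302 (Response.sendRedirect): the browser follows Location, so its base
    // becomes the login page, with the session id rewritten into the path.
    const suffix = sessionId ? ";jsessionid=" + sessionId : "";
    return new URL(loginPage + suffix, requestedUrl).href;
  }
  if (strategy === "forward") {
    // RequestDispatcher.forward(): the login page is rendered as the response
    // to the original request, so the address bar still shows the protected URL.
    return requestedUrl;
  }
  throw new Error("unknown strategy: " + strategy);
}

// The absolute URL the browser derives for a form action from that base.
function resolveFormAction(strategy, action, sessionId) {
  const base = browserBaseAfter(strategy, PROTECTED, LOGIN_PAGE, sessionId);
  return new URL(action, base).href;
}

// The j_security_check endpoint the container intercepts for this context.
function contextRootedAction() {
  return CONTEXT + "/j_security_check";
}

// True when the resolved action (session id stripped) hits that endpoint.
function landsOnLoginAction(resolvedHref) {
  const path = new URL(resolvedHref).pathname.split(";")[0];
  return path === contextRootedAction();
}
```

A relative action only survives the switch to forward() by accident of the address bar; anchoring the action on request.getContextPath() removes the dependency on how the login page was reached.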