1 Reply Latest reply on Feb 20, 2007 3:22 AM by smeaggie

    Is there a tutorial on form-based login using JAAS on JBoss?

    zzztimbo

      I would like to secure my web application with a form based login. I do not want to use the browser pop up login box.

      Is there a tutorial or example out there that I can follow?

        • 1. Re: Is there a tutorial on form-based login using JAAS on JB
          smeaggie

          Yes there is. I just posted this one somewhere else around here too; it uses a database as username/password storage:

          1) Set up the connection to the database. Put a "database-ds.xml" file in the deploy directory which contains something like:

          <datasources>
            <local-tx-datasource>
              <!-- the JNDI name; the login module refers to it as java:/exampleDS -->
              <jndi-name>exampleDS</jndi-name>
              <connection-url>jdbc:postgresql://127.0.0.1:5432/example</connection-url>
              <driver-class>org.postgresql.Driver</driver-class>
              <user-name>ex</user-name>
              <password>_______</password>
              <min-pool-size>5</min-pool-size>
              <max-pool-size>20</max-pool-size>
              <metadata>
                <type-mapping>PostgreSQL 7.2</type-mapping>
              </metadata>
            </local-tx-datasource>
          </datasources>
          

          Make sure you enter the correct driver, connection string etc. Now open login-config.xml in the server's conf/ directory. You need to define a security domain here. Add this to the file:
          <application-policy name = "exampleDomain">
            <authentication>
              <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
                <!-- identity assigned to requests that carry no credentials at all -->
                <module-option name = "unauthenticatedIdentity">guest</module-option>
                <!-- the datasource defined in database-ds.xml above -->
                <module-option name = "dsJndiName">java:/exampleDS</module-option>
                <!-- the '?' is bound to the username entered in the login form -->
                <module-option name = "principalsQuery">SELECT PASSWD FROM USERS WHERE USERID=?</module-option>
                <!-- each row is (role name, role group); 'Roles' is the group the container checks -->
                <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM ROLES WHERE USERID=?</module-option>
              </login-module>
            </authentication>
          </application-policy>
          

          Note the definition "exampleDomain" and how the dsJndiName is set to java:/exampleDS. exampleDS comes from the database connection definition above! The two queries in this file mean the following: the principalsQuery should return the password of the user where userid is the name the user entered in the login form. The rolesQuery must return all roles associated with the username. So it's time to create two tables in your database, with at least this info:
          table USERS
          +--------+--------+
          | userid | passwd |
          +--------+--------+
          | test   | secret |
          +--------+--------+

          table ROLES
          +--------+---------+
          | userid | roleid  |
          +--------+---------+
          | test   | admin   |
          | test   | manager |
          +--------+---------+
          

          (don't mind the ASCII art)

          We've created a user "test" with the password "secret" and the roles "admin" and "manager".

          Time to secure the web application. Open up jboss-web.xml (from the WEB-INF directory) and put this in it:
          <?xml version="1.0" encoding="UTF-8"?>
          <jboss-web>
            <!-- must match the application-policy name in login-config.xml, prefixed with java:/jaas/ -->
            <security-domain>java:/jaas/exampleDomain</security-domain>
            <context-root>/example</context-root>
          </jboss-web>
          

          This sets the security domain for the web application to "exampleDomain", which is declared in the login-config.xml above! JBoss now knows which login module configuration applies to this application.
          Now edit web.xml (also in the WEB-INF directory) and add this:
          <!-- everything under /manager/ requires the "manager" role -->
          <security-constraint>
            <display-name>manager</display-name>
            <web-resource-collection>
              <web-resource-name>manager_pages</web-resource-name>
              <description/>
              <url-pattern>/manager/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              <http-method>HEAD</http-method>
              <http-method>PUT</http-method>
              <http-method>OPTIONS</http-method>
              <http-method>TRACE</http-method>
              <http-method>DELETE</http-method>
            </web-resource-collection>
            <auth-constraint>
              <description/>
              <role-name>manager</role-name>
            </auth-constraint>
            <user-data-constraint>
              <description/>
              <!-- NONE: the container does not require SSL for these URLs -->
              <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
          </security-constraint>

          <!-- everything under /admin/ requires the "admin" role -->
          <security-constraint>
            <display-name>admin</display-name>
            <web-resource-collection>
              <web-resource-name>admin_pages</web-resource-name>
              <description/>
              <url-pattern>/admin/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              <http-method>HEAD</http-method>
              <http-method>PUT</http-method>
              <http-method>OPTIONS</http-method>
              <http-method>TRACE</http-method>
              <http-method>DELETE</http-method>
            </web-resource-collection>
            <auth-constraint>
              <description/>
              <role-name>admin</role-name>
            </auth-constraint>
            <user-data-constraint>
              <description/>
              <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
          </security-constraint>

          <!-- FORM instead of BASIC: the container shows login.html rather than the browser pop up -->
          <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>example</realm-name>
            <form-login-config>
              <form-login-page>/login.html</form-login-page>
              <form-error-page>/login_error.html</form-error-page>
            </form-login-config>
          </login-config>

          <!-- the roles referenced by the auth-constraints above -->
          <security-role>
            <description/>
            <role-name>admin</role-name>
          </security-role>
          <security-role>
            <description/>
            <role-name>manager</role-name>
          </security-role>
          

          This defines two security constraints: one for everything behind /manager (where only users with the "manager" role are allowed) and one for admins, everything behind /admin.

          The login pages (login.html and login_error.html) should look like this:
          <html>
          <body>
            <!-- j_security_check, j_username and j_password are the names the container expects -->
            <form action="j_security_check" method="post">
              <input type="text" name="j_username"><br>
              <input type="password" name="j_password"><br>
              <input type="submit" value="login">
            </form>
          </body>
          </html>
          


          hope this helps!
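As an added example that is not part of the reply above and not JBoss code, the following Python script simulates what the DatabaseServerLoginModule does with the principalsQuery and rolesQuery from the post, and what the container then does with the two security constraints from web.xml. It builds the USERS and ROLES tables from the post in an in-memory SQLite database (the row for "test"/"secret" and its two roles is constructed sample data), runs the two queries with the username as a bound parameter, and applies the /manager/* and /admin/* rules. It also shows the shape a stored password takes when the module's hashAlgorithm="MD5" and hashEncoding="base64" options are used instead of the cleartext column shown in the post; the function and variable names here are the example's own.

```python
"""Added example, not code from the forum post or from JBoss: a stand-alone
simulation of DatabaseServerLoginModule's principalsQuery/rolesQuery flow
followed by the web.xml authorization check, on an in-memory SQLite copy of
the USERS/ROLES tables described in the post (constructed sample data)."""
import base64
import hashlib
import hmac
import sqlite3

# The two queries exactly as written in login-config.xml in the post. The '?'
# is a bound parameter, so the username typed into the form is passed as data
# and never spliced into the SQL text.
PRINCIPALS_QUERY = "SELECT PASSWD FROM USERS WHERE USERID=?"
ROLES_QUERY = "SELECT ROLEID, 'Roles' FROM ROLES WHERE USERID=?"

# URL prefix -> role required, mirroring /manager/* and /admin/* in web.xml.
CONSTRAINTS = {"/manager/": "manager", "/admin/": "admin"}


def md5_base64(password: str) -> str:
    """base64(MD5(password)): what the PASSWD column holds when the module is
    configured with hashAlgorithm="MD5" hashEncoding="base64"."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_db(hashed: bool = False) -> sqlite3.Connection:
    """Create the USERS and ROLES tables from the post with the constructed
    user 'test' / 'secret' holding the roles 'admin' and 'manager'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (USERID TEXT PRIMARY KEY, PASSWD TEXT NOT NULL)")
    conn.execute("CREATE TABLE ROLES (USERID TEXT NOT NULL, ROLEID TEXT NOT NULL)")
    stored = md5_base64("secret") if hashed else "secret"
    conn.execute("INSERT INTO USERS VALUES (?, ?)", ("test", stored))
    conn.executemany("INSERT INTO ROLES VALUES (?, ?)",
                     [("test", "admin"), ("test", "manager")])
    conn.commit()
    return conn


def authenticate(conn, j_username: str, j_password: str, hashed: bool = False):
    """Return the set of roles on success, or None when the login fails.

    Step 1: principalsQuery fetches the stored password for j_username.
    Step 2: the submitted password (hashed the same way when the column holds
            hashes) is compared in constant time.
    Step 3: rolesQuery collects the ROLEID values in the 'Roles' group.
    """
    row = conn.execute(PRINCIPALS_QUERY, (j_username,)).fetchone()
    if row is None:
        return None  # unknown user: same outcome as a wrong password
    candidate = md5_base64(j_password) if hashed else j_password
    if not hmac.compare_digest(row[0].encode("utf-8"), candidate.encode("utf-8")):
        return None
    return {roleid for roleid, group in conn.execute(ROLES_QUERY, (j_username,))
            if group == "Roles"}


def authorize(path: str, roles) -> bool:
    """Apply the web.xml constraints: a path under a protected prefix needs the
    matching role; paths outside both prefixes are unconstrained."""
    for prefix, role in CONSTRAINTS.items():
        if path.startswith(prefix):
            return roles is not None and role in roles
    return True


if __name__ == "__main__":
    db = build_db()
    roles = authenticate(db, "test", "secret")
    print("roles:", sorted(roles))                                  # ['admin', 'manager']
    print("/manager/report:", authorize("/manager/report", roles))  # True
    print("wrong password:", authenticate(db, "test", "guess"))     # None
    hashed_db = build_db(hashed=True)
    print("hashed login:", authenticate(hashed_db, "test", "secret", hashed=True) is not None)  # True
```

The split into authenticate and authorize mirrors the container: the login module only answers "who is this and which roles do they hold", and the security-constraint check decides whether that role set may reach the requested URL. Running the hashed variant shows that the same queries keep working once the PASSWD column stores digests, because the module hashes the submitted value before the comparison.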