8 Replies Latest reply on Jul 17, 2007 3:08 PM by purbano

    JAAS, login configuration + Hi everybody

    purbano

      Hello everybody, I've recently subscribed to this forum, because I wanted to ask a question, and possibly more will come later (and I hope one day I can answer one).

      I am migrating an application, but I have problems with the login configuration. I use JAAS, form-based authorization against a custom LoginModule. But login is failing. In myApp/WEB-INF/web.xml, I have:

       <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>A name</realm-name>
       <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/error.jsp</form-error-page>
       </form-login-config>
       </login-config>
      


      From the debug messages of the login module, I think authentication is successful on the server, but I am redirected to login.jsp.

      I have read about the form-based login process and I found the following explanation (with a graphic): http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security5.html#wp483367 . According to that, I should be redirected to the requested resource, or to error.jsp if I am wrong and the login is actually failing.

      I have tried it with jboss-4.0.2 and jboss-4.2.0. As you can see, I am a beginner who has to learn many concepts (JAAS, ...) in a short time.

      Could anyone please, please, help?

      Pablo J.


        • 1. Re: JAAS, login configuration + Hi everybody
          purbano

          Something I have just noticed. When the login is actually failing (i.e. bad username), I am redirected to error.jsp.

          Briefly:

          - I request a protected resource
          - server sends me login.jsp
          - I send a username and a password
          - If login fails
           - server sends me error.jsp // Cool
          - else
           - server sends me login.jsp // Instead of the selected resource
          


          • 2. Re: JAAS, login configuration + Hi everybody
            wolfgangknauf

            Hi Pablo,

            could you post your "security-constraint" definitions from web.xml? Does your login result in a required role?

            Best regards

            Wolfgang

            • 3. Re: JAAS, login configuration + Hi everybody
              purbano

              Of course I can:

               <security-constraint>
               <display-name>My Security Constraint</display-name>
               <web-resource-collection>
               <web-resource-name>Protected Area</web-resource-name>
               <!-- Define the context-relative URL(s) to be protected -->
               <url-pattern>/view/*</url-pattern>
               <url-pattern>/documentation/*</url-pattern>
               <url-pattern>/control/*</url-pattern>
              
               <!-- If you list http methods, only those methods are protected -->
               <http-method>DELETE</http-method>
               <http-method>GET</http-method>
               <http-method>POST</http-method>
               <http-method>PUT</http-method>
               </web-resource-collection>
               <auth-constraint>
               <!-- Anyone with one of the listed roles may access this area -->
               <role-name>Administrators</role-name>
               <role-name>Route Managers</role-name>
               </auth-constraint>
              


              About the second question, I know that the login module has a public Group[] getRoleSets() function, but I think it is not being called, according to the logs.

              Thank you for your response,

              Pablo J.

              • 4. Re: JAAS, login configuration + Hi everybody
                purbano

                I forgot to say that the URL pattern I'm trying to access is /view/*.

                And I also lost a </security-constraint> at the end of the code :S It is the only missing tag.
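                 An added note on the constraint posted above (this fragment is mine, not part of the thread): the comment in the posted web.xml, "If you list http methods, only those methods are protected", is literal. With only DELETE, GET, POST and PUT listed, a HEAD, OPTIONS or TRACE request to /view/* falls outside the constraint and is served without any login at all, and many servlets answer HEAD from the same code path as GET. The constructed fragment below is the same constraint (same URLs and role names from the thread, with the closing tag Pablo noted was missing) written so that every method is covered, with the role declarations Servlet 2.4 expects for the names used in auth-constraint and an optional transport guarantee; that the application is reachable over HTTPS is an assumption.

```xml
<!-- Added example, not from the thread: the same constraint with no <http-method>
     list, so that every HTTP method on the protected URLs requires a logged-in
     user in one of the two roles. -->
<security-constraint>
  <display-name>My Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/view/*</url-pattern>
    <url-pattern>/documentation/*</url-pattern>
    <url-pattern>/control/*</url-pattern>
    <!-- No <http-method> elements: HEAD, OPTIONS, TRACE and any other verb are
         constrained too. Listing DELETE/GET/POST/PUT leaves the rest open. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>Administrators</role-name>
    <role-name>Route Managers</role-name>
  </auth-constraint>
  <!-- Optional (assumes the app is served over HTTPS): forces the login form
       and the protected pages onto a confidential transport, so the POSTed
       password is not sent in clear. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Servlet 2.4: every role-name referenced in an auth-constraint should be
     declared here as well. -->
<security-role>
  <role-name>Administrators</role-name>
</security-role>
<security-role>
  <role-name>Route Managers</role-name>
</security-role>
```

                 A quick check after deploying: request a protected URL with `curl -I` (HEAD) and with `curl -X OPTIONS`; with the original method list both return the page or its headers without the login form, with the version above both are redirected to /login.jsp like a GET.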

                • 5. Re: JAAS, login configuration + Hi everybody
                  wolfgangknauf

                  Hi Pablo,

                  the security-constraint looks OK to me.

                  Is your login module a subclass of org.jboss.security.auth.spi.UsernamePasswordLoginModule ? In a small login module I created myself I had to implement "getUsersPassword" and "getRoleSets", and both were called.

                  "getRoleSets" should return either "Administrators" or "Route Managers" in your case.

                  You have probably defined the security domain in jboss-web.xml ?

                  Best regards

                  Wolfgang
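                   An added example, written for this page and not Wolfgang's or Pablo's code, of the minimal JBoss 4.x login module Wolfgang describes above: a subclass of org.jboss.security.auth.spi.UsernamePasswordLoginModule that implements getUsersPassword and getRoleSets (the method Pablo saw in his module in reply 3). The package and class names are hypothetical, and the user table is a constructed in-memory map standing in for whatever store a real module queries. The detail the thread only hints at is that the Group returned from getRoleSets must be named exactly "Roles": that is the group JBoss consults when it checks the role-name entries of the auth-constraint, so a module that authenticates the user but puts Administrators or Route Managers in a differently named group still fails the authorization step.

```java
package example.security; // hypothetical package, not from the thread

import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Minimal JBoss 4.x login module. The superclass implements the JAAS login()
 * itself: it collects username and password through the callback handler the
 * FORM authenticator supplies, then calls the two hooks below. It has to be
 * registered under an application-policy in conf/login-config.xml, and the
 * web application's jboss-web.xml must name that policy in <security-domain>.
 */
public class RouteLoginModule extends UsernamePasswordLoginModule {

    /** Constructed sample user store: username -> { password, role }. */
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("alice", new String[] { "alice-secret", "Administrators" });
        USERS.put("bob",   new String[] { "bob-secret",   "Route Managers" });
    }

    /**
     * Expected password for the user being authenticated. The superclass compares
     * it with the submitted password (validatePassword) and fails the login on a
     * mismatch. Throwing for an unknown user fails the login the same way, so the
     * client cannot distinguish "no such user" from "wrong password".
     *
     * The store holds clear-text passwords only for the sake of the example; with
     * the hashAlgorithm / hashEncoding module options set, the submitted password
     * is digested before the comparison and the store can hold the digest instead.
     */
    @Override
    protected String getUsersPassword() throws LoginException {
        String[] entry = USERS.get(getUsername());
        if (entry == null) {
            throw new LoginException("Authentication failed");
        }
        return entry[0];
    }

    /**
     * Role sets for the authenticated user. JBoss matches the web.xml role-names
     * against the members of the group named exactly "Roles"; members of a group
     * with any other name are ignored for authorization, which looks like a
     * login that succeeds but still cannot reach the protected URL.
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");
        String[] entry = USERS.get(getUsername());
        if (entry != null) {
            roles.addMember(new SimplePrincipal(entry[1]));
        }
        return new Group[] { roles };
    }
}
```

                   To use it, the class goes on the server or application classpath, login-config.xml gets an application-policy whose login-module code is example.security.RouteLoginModule with flag="required", and jboss-web.xml points <security-domain> at java:/jaas/ followed by that policy name.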

                  • 6. Re: JAAS, login configuration + Hi everybody
                    purbano

                    Hello, Wolfgang, thanks again for your help.

                    First of all, I must say that it is not *my* login module; that is, I have not written the application, nor do I have access to the people who wrote it. I am only migrating it from oc4j.

                    Having said that, the login module is not a subclass of the module you mentioned, but a class that doesn't extend any other, and implements LoginModule.

                    I'm quite confused with the security-domain thing. I thought it was necessary if applied to EJB. I'll try to do a bit more research before tonight.

                    Pablo J.

                    • 7. Re: JAAS, login configuration + Hi everybody
                      wolfgangknauf

                      Hi Pablo,

                      the security domain has to be declared in jboss-web.xml if you want to use it, otherwise the security constraints in web.xml will not trigger your login module.

                      It could look like this:

                      <?xml version="1.0" encoding="UTF-8"?>
                      <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
                      
                      <jboss-web>
                       <security-domain>java:/jaas/mysecuritydomain</security-domain>
                       <context-root>...</context-root>
                       ...
                      </jboss-web>


                      For JBoss login modules, you should take a look at the JBoss guide: http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html#ch8.custom.sect. There you will find a small sample.

                      If you speak german you can find a working sample here: http://www.informatik.fh-wiesbaden.de/~knauf/SWTVertiefung2006/security/index.html

                      Hope this helps

                      Wolfgang

                      • 8. Re: JAAS, login configuration + Hi everybody
                        purbano

                        SOLVED

                        The problem is that I didn't notice that the project no longer uses the custom login module, but one specific to oc4j. I replaced it with org.jboss.security.auth.spi.DatabaseServerLoginModule and made the correct configuration, and it finally worked :)

                        Thanks especially to Wolfgang, as I have learned a lot from his answers.

                        Pablo J.
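                        The "correct configuration" Pablo mentions is not in the thread, so as an added example (mine, not his actual files) here is what the JBoss 4.x side of DatabaseServerLoginModule looks like: an application-policy added inside the existing <policy> element of server/<config>/conf/login-config.xml, whose name matches the security-domain Wolfgang showed in jboss-web.xml (java:/jaas/mysecuritydomain). The datasource JNDI name and the table and column names are assumptions.

```xml
<!-- Added example, not Pablo's configuration. Goes inside the <policy> element of
     conf/login-config.xml. The policy name must match jboss-web.xml:
     <security-domain>java:/jaas/mysecuritydomain</security-domain> -->
<application-policy name="mysecuritydomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- Assumed datasource and schema: tables Users(username, passwd) and
           UserRoles(username, userRoles). Both queries are run as prepared
           statements with the login name bound to the single ?, so the
           submitted username cannot inject SQL through them. -->
      <module-option name="dsJndiName">java:/MyDS</module-option>
      <module-option name="principalsQuery">select passwd from Users where username=?</module-option>
      <!-- Second column is the group name; it must be 'Roles' for the web.xml
           role-names (Administrators, Route Managers) to be checked at all. -->
      <module-option name="rolesQuery">select userRoles, 'Roles' from UserRoles where username=?</module-option>
      <!-- Keep a digest in the passwd column rather than the clear-text password:
           the submitted password is hashed with these settings before it is
           compared with the value principalsQuery returns. This is a plain,
           unsalted digest; a salted scheme is a module-level customization
           beyond this fragment. -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
```

                        With this in place the form login from the first post walks through DatabaseServerLoginModule, and the roles it loads from UserRoles are what the auth-constraint in web.xml is checked against.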