-
1. Re: JAAS, login configuration + Hi everybody
purbano Jul 3, 2007 8:27 AM (in response to purbano)
Something I have just noticed. When the login is actually failing (ie: bad username), I am redirected to error.jsp.
Briefly:
- I request a protected resource
- server sends me login.jsp
- I send a username and a password
- If login fails
  - server sends me error.jsp // Cool
- else
  - server sends me login.jsp // Instead of the selected resource
-
2. Re: JAAS, login configuration + Hi everybody
wolfgangknauf Jul 3, 2007 12:30 PM (in response to purbano)
Hi Pablo,
could you post your "security-constraint" definitions from web.xml? Does your login result in a required role?
Best regards
Wolfgang -
3. Re: JAAS, login configuration + Hi everybody
purbano Jul 4, 2007 3:09 AM (in response to purbano)
Of course I can:
<security-constraint>
  <display-name>My Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/view/*</url-pattern>
    <url-pattern>/documentation/*</url-pattern>
    <url-pattern>/control/*</url-pattern>
    <!-- If you list http methods, only those methods are protected -->
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>Administrators</role-name>
    <role-name>Route Managers</role-name>
  </auth-constraint>
About the second question, I know that the login module has a public Group[] getRoleSets() function, but I think it is not being called, according to the logs.
Thank you for your response,
Pablo J. -
4. Re: JAAS, login configuration + Hi everybody
purbano Jul 4, 2007 3:14 AM (in response to purbano)
I forgot to say that the URL pattern I'm trying to access is /view/*.
And I also lost a </security-constraint> at the end of the code :S It is the only missing tag. -
5. Re: JAAS, login configuration + Hi everybody
wolfgangknauf Jul 4, 2007 10:49 AM (in response to purbano)
Hi Pablo,
the security-constraint looks OK to me.
Is your login module a subclass of org.jboss.security.auth.spi.UsernamePasswordLoginModule ? In a small login module I created myself I had to implement "getUsersPassword" and "getRoleSets", and both were called.
"getRoleSets" should return either "Administrators" or "Route Managers" in your case.
You have probably defined the security domain in jboss-web.xml ?
Best regards
Wolfgang -
6. Re: JAAS, login configuration + Hi everybody
purbano Jul 5, 2007 10:41 AM (in response to purbano)
Hello, Wolfgang, thanks again for your help.
First of all, I must say that it is not *my* login module, that is, I have not written the application, nor do I have access to the people who wrote it. I am only migrating it from oc4j.
That said, the login module is not a subclass of the module you mentioned, but a class that doesn't extend any other, and implements LoginModule.
I'm quite confused with the security-domain thing. I thought it was necessary if applied to EJB. I'll try to do a bit more research before tonight.
Pablo J. -
7. Re: JAAS, login configuration + Hi everybody
wolfgangknauf Jul 5, 2007 11:38 AM (in response to purbano)
Hi Pablo,
the security domain has to be declared in jboss-web.xml if you want to use it, otherwise the security constraints in web.xml will not trigger your login module.
It could look like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
<jboss-web>
  <security-domain>java:/jaas/mysecuritydomain</security-domain>
  <context-root>...</context-root>
  ...
</jboss-web>
For JBoss login modules, you should take a look at the JBoss guide: http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html#ch8.custom.sect. There you will find a small sample.
If you speak german you can find a working sample here: http://www.informatik.fh-wiesbaden.de/~knauf/SWTVertiefung2006/security/index.html
Hope this helps
Wolfgang -
8. Re: JAAS, login configuration + Hi everybody
purbano Jul 17, 2007 3:08 PM (in response to purbano)
SOLVED
The problem is that I didn't notice that the project no longer uses the custom login module, but one specific to oc4j. I replaced it with org.jboss.security.auth.spi.DatabaseServerLoginModule and made the correct configuration, and it finally worked :)
Thanks especially to Wolfgang, as I have learned a lot from his answers.
Pablo J.
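
For readers landing on this thread, a sketch of what a login-config.xml entry for DatabaseServerLoginModule can look like when paired with the jboss-web.xml security domain shown above. This is an added example, not the configuration Pablo used or code from either poster. The datasource name java:/AppDS and the tables app_users and app_user_roles are assumptions; the domain name and the two role names are taken from the posts above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: entry for server/<config>/conf/login-config.xml on JBoss 4.x -->
<policy>
  <!-- The name must equal the part after java:/jaas/ in the
       <security-domain> element of jboss-web.xml -->
  <application-policy name="mysecuritydomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag="required">
        <!-- Assumed datasource JNDI name; replace with the deployed one -->
        <module-option name="dsJndiName">java:/AppDS</module-option>

        <!-- Assumed schema. Must return one column: the stored password
             (or its hash, when hashAlgorithm is set below) -->
        <module-option name="principalsQuery">SELECT password FROM app_users WHERE username = ?</module-option>

        <!-- Assumed schema. Must return two columns: the role name and the
             group name. The group has to be the literal 'Roles' for the
             values to be used in authorization checks. The role names
             returned must match the <role-name> values in web.xml exactly,
             here "Administrators" or "Route Managers" -->
        <module-option name="rolesQuery">SELECT role_name, 'Roles' FROM app_user_roles WHERE username = ?</module-option>

        <!-- Compare against a digest instead of a clear-text password
             column; the stored values must use the same algorithm and
             encoding (the digest is unsalted) -->
        <module-option name="hashAlgorithm">SHA-256</module-option>
        <module-option name="hashEncoding">base64</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
```

With this in place, the web.xml of the application also needs a login-config element (FORM, pointing at login.jsp and error.jsp) and security-role declarations for each role-name used in the auth-constraint.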