re: securing virtual directories
adastar Mar 24, 2008 4:58 PMWe have a security realm that we use throughout our EAR.
<application-policy name="mySecurityRealm"> <authentication> <login-module code="com.myclass.MyLoginModule" flag="required"> <module-option name="unauthenticated">guest</module-option> <module-option name="dsJndiName">java:/myDataSource</module-option> <module-option name="hashUserPassword">false</module-option> <module-option name="hashStorePassword">false</module-option> <module-option name="principalsQuery"> ...commented out...</module-option> <module-option name="rolesQuery"> ...commented out...</module-option> </login-module> </authentication> </application-policy>
I read the following:
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html
Scroll down until you see "Realm" under "Nested Elements". It seems as though you can specify a JAAS Realm:
http://tomcat.apache.org/tomcat-5.5-doc/config/realm.html
So I did:
<Host name="localhost" autoDeploy="false" deployOnStartup="false" deployXML="false" configClass="org.jboss.web.tomcat.security.config.JBossContextConfig" > <Realm className="org.apache.catalina.realm.JAASRealm" appName="mySecurityRealm" userClassNames="org.jboss.security.SimplePrincipal" roleClassNames="org.jboss.security.SimpleGroup" debug="99"/>
And I defined my virtual directory:
<Context path="/Reports" docBase="Reports" debug="0" reloadable="true" />
But the security isn't working. So I defined the web.xml file under Reports/WEB-INF:
<security-constraint> <web-resource-collection> <web-resource-name>xxx</web-resource-name> <url-pattern>/Reports/*</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>Roles</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>mySecurityRealm</realm-name> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/loginerror.html</form-error-page> </form-login-config> </login-config> <security-role>
and even put in a jboss-web.xml file:
<?xml version="1.0" encoding="UTF-8"?> <jboss-web> <security-domain>java:/jaas/mySecurityRealm</security-domain> </jboss-web>
Still no luck! Any ideas?