0 Replies Latest reply on Mar 24, 2008 4:58 PM by adastar

    re:  securing virtual directories

    adastar
    adastar Mar 24, 2008 4:58 PM

      We have a security realm that we use throughout our EAR.

       <application-policy name="mySecurityRealm">

 <authentication>
 <login-module code="com.myclass.MyLoginModule" flag="required">
 <module-option name="unauthenticated">guest</module-option>
 <module-option name="dsJndiName">java:/myDataSource</module-option>
 <module-option name="hashUserPassword">false</module-option>
 <module-option name="hashStorePassword">false</module-option>
 <module-option name="principalsQuery">
 ...commented out...</module-option>

 <module-option name="rolesQuery">
 ...commented out...</module-option>
 </login-module>
 </authentication>

</application-policy>


      I read the following:

      http://tomcat.apache.org/tomcat-5.5-doc/config/context.html

      Scroll down until you see "Realm" under "Nested Elements". It seems as though you can specify a JAAS Realm:

      http://tomcat.apache.org/tomcat-5.5-doc/config/realm.html

      So I did: 

       <Host name="localhost"
 autoDeploy="false" deployOnStartup="false" deployXML="false"
 configClass="org.jboss.web.tomcat.security.config.JBossContextConfig"
 >

 <Realm className="org.apache.catalina.realm.JAASRealm"
 appName="mySecurityRealm"
 userClassNames="org.jboss.security.SimplePrincipal"
 roleClassNames="org.jboss.security.SimpleGroup"
 debug="99"/>


      And I defined my virtual directory: 

       <Context path="/Reports" docBase="Reports" debug="0" reloadable="true" />


      But the security isn't working. So I defined the web.xml file under Reports/WEB-INF: 

      <security-constraint>
 <web-resource-collection>
 <web-resource-name>xxx</web-resource-name>
 <url-pattern>/Reports/*</url-pattern>
 <http-method>POST</http-method>
 <http-method>GET</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>Roles</role-name>
 </auth-constraint>
 <user-data-constraint>
 <transport-guarantee>NONE</transport-guarantee>
 </user-data-constraint>
 </security-constraint>
 <login-config>
 <auth-method>FORM</auth-method>
 <realm-name>mySecurityRealm</realm-name>
 <form-login-config>
 <form-login-page>/login.jsp</form-login-page>
 <form-error-page>/loginerror.html</form-error-page>
 </form-login-config>
 </login-config>
 <security-role>


      and even put in a jboss-web.xml file: 

      <?xml version="1.0" encoding="UTF-8"?>

<jboss-web>
 <security-domain>java:/jaas/mySecurityRealm</security-domain>
</jboss-web>


      Still no luck! Any ideas?



      • 1819 Views
      • Tags: