Problem with JAAS and Declarative Security on JBOSS 4.2.1 GA
fakhreldeen May 5, 2008 6:33 AMHello,
I am trying to implement an integration between Declarative Security and JAAS on JBOSS 4.2.1 GA. I have specified in my web.xml file that all jsp files under the directory called "security" are protected and only accessible by the role "Admin". I also specified in the web.xml file that Authentication is done by Login FORM. I then created a configuration for the DatabaseSeverLoginModule in login-config.xml, and created a servlet that uses the LoginContext to authorize the user. The Login page's form's action points to this servlet rather than j_security_check. However, it doesn't seem to work, because I can't access the secure pages, even though I enter the correct username and password. Here are my files:
*****web.xml*****
<servlet> <servlet-name>loginservlet</servlet-name> <servlet-class>loginservlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>loginservlet</servlet-name> <url-pattern>/loginservlet</url-pattern> </servlet-mapping> <session-config> <session-timeout> 30 </session-timeout> </session-config> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> <security-constraint> <display-name>Constraint1</display-name> <web-resource-collection> <web-resource-name>Secure Pages</web-resource-name> <description>Secure Pages</description> <url-pattern>/security/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>HEAD</http-method> <http-method>PUT</http-method> <http-method>OPTIONS</http-method> <http-method>TRACE</http-method> <http-method>DELETE</http-method> </web-resource-collection> <auth-constraint> <description>Admin</description> <role-name>Admin</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>Test Realm</realm-name> <form-login-config> <form-login-page>/Login.jsp</form-login-page> <form-error-page>/Error.jsp</form-error-page> </form-login-config> </login-config> <security-role> <description>Admin User </description> <role-name>Admin</role-name> </security-role> </web-app>
*****login-conf.xml*****
<application-policy name = "testDB"> <authentication> <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required"> <module-option name = "unauthenticatedIdentity">guest</module-option> <module-option name = "dsJndiName">java:/testDB</module-option> <module-option name = "principalsQuery">SELECT password from Principals where PrincipalID =?</module-option> <module-option name = "rolesQuery">SELECT Role, Rolegroup FROM roles WHERE principalid=?</module-option> </login-module> </authentication> </application-policy>
****jboss-web.xml****
<jboss-web> <security-domain>java:/jaas/testDB</security-domain> <context-root>/testJBOSSsecurity</context-root> </jboss-web>
****Login.jsp*****
<FORM name="logonForm" action="loginservlet" METHOD="POST"> <TABLE width="100%" border="0" cellspacing="0" cellpadding= "1" bgcolor="white"> <TABLE width="100%" border="0" cellspacing= "0" cellpadding="5"> <TR align="center"> <TD align="right" class="Prompt"></TD> <TD align="left"> <INPUT type="text" name="j_username" maxlength=20> </TD> </TR> <TR align="center"> <TD align="right" class="Prompt"> </TD> <TD align="left"> <INPUT type="password" name="j_password" maxlength=20 > <BR> <TR align="center"> <TD align="right" class="Prompt"> </TD> <TD align="left"> <input type="submit" value="Login">
****loginservlet.java*****
try { SecurityAssociationHandler handler = new SecurityAssociationHandler(); Principal user = new SimplePrincipal(request.getParameter("j_username")); handler.setSecurityInfo(user, request.getParameter("j_password")); LoginContext loginContext = new LoginContext("testDB",(CallbackHandler)handler); loginContext.login(); Subject subject = loginContext.getSubject(); Set principals = subject.getPrincipals(); principals.add(user); out.println(subject.toString()); //response.sendRedirect("securepage.java"); }
So, those are my files.....In the database, I have two tables, one table called Principals and that has the username semsem and password password1, and the other table is called roles, which has principleid = semsem, role = Admin, and rolegroup = AdminGroup. What I am trying to do, is integrate JAAS and Declarative Security, so that I don't have to programatically declare which pages are accessed by which type of user. However, When I reach the Login Form and enter the correct username and password, nothing happens, which means that after I enter the correct username and password, I am presented with the login form again....I can verify that the servlet code is correct, because I can directly visit the login page with out trying to access it by requesting a secure page, and I enter the correct username and password, and I get a print line of the subject's principals as they are in the database from the line out.println(subject.toString());, that print out is: Subject: Principal: semsem Principal: Admin(members:Admin)
Your help is very appreciated
Thank You
Sam