4 Replies Latest reply on May 7, 2009 5:02 AM by nschweig

    DatabaseLoginServerModule implementing problems

    nschweig

      Hi,

      I am very confused about implementing a simple example with the DatabaseLoginServerModule.
      Is there anywhere an example-project I can use?
      I only found http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html
      and that is not really an example.

      Here is my problem:
      I have got a web project with form based authentication.

      login.html

      <html>
      <body>
      <h1>Please Authenticate</h1>
      <form method="POST" action="j_security_check">
       User Name: <input type="text" name="j_username" /><br />
       Password: <input type="password" name="j_password" /><br />
       <input type="submit" value="Login" />
      </form>
      </body>
      </html>


      These are my security settings in the web.xml

      <security-constraint>
       <web-resource-collection>
       <web-resource-name>restricted</web-resource-name>
       <url-pattern>/secured_pages/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
       <role-name>java</role-name>
       </auth-constraint>
       </security-constraint>
       <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
       <form-login-page>/login.html</form-login-page>
       <form-error-page>/error.html</form-error-page>
       </form-login-config>
       </login-config>
       <security-role>
       <role-name>java</role-name>
       </security-role>


      In the jboss directory C:\jboss-5.0.1.GA\server\default\conf I made the following entry in the login-config.xml

      <application-policy name="databaselogin">
      <authentication>
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
       <module-option name="dsJndiName">java:/databaselogin</module-option>
       <module-option name="debug">true</module-option>
      
       <module-option name="principalsQuery">
       select passwd from users username where username=?</module-option>
       <module-option name="rolesQuery">
       select userroles, 'roles' from userroles where username=?</module-option>
       </login-module>
       </authentication>
       </application-policy>


      In the web-inf-directory of my web-application I got the file jboss-web.xml:
      <?xml version='1.0' encoding='UTF-8' ?>
      
      <!DOCTYPE jboss-web
       PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
       "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
      
      <jboss-web>
       <security-domain>java:/jaas/databaselogin</security-domain>
      </jboss-web>
      


      Then I created a testdatabase in my databasetool:

      table roles: username, rolename, rolegroupname
      table users: username, passwd
      table userroles: username,userroles

      Every table has one record. Every field is filled with the String "java".

      If I try to get access to the application with the authenticationform with username 'java' and password 'java' I always get the error page that says my username or password is wrong.

      What am I doing wrong?

      I would be very pleased about any help!

      Thanks NSchweig


        • 1. Re: DatabaseLoginServerModule implementing problems
          wolfgangknauf

          Hi,

          there is a typo in your users query:

          select passwd from users username where username=?


          Your "jboss-web.xml" uses an incredibly old dtd, better use a newer one:
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE jboss-web PUBLIC
           "-//JBoss//DTD Web Application 5.0//EN"
           "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
          
          <jboss-web>
           <security-domain>...</security-domain>
          </jboss-web>


          If this does not help: activate logging of the security layer. See the sticky post "FAQ ..." in this forum, question 3.

          By the way, as you are from Germany: http://www.informatik.fh-wiesbaden.de/~knauf/KomponentenArchitekturen2008/security/index.html

          Best regards

          Wolfgang


          • 2. Re: DatabaseLoginServerModule implementing problems
            nschweig

            Hello Wolfgang,

            thank you very much for the answer.

            Now I think it is working a little bit better, I have got the following log:

            0]
            LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
            ControlFlag: Anmeldemodul-Steuerflag: required
            Options:
            name=debug, value=true
            name=rolesQuery, value=select userroles, 'roles' from userroles where username=?
            name=principalsQuery, value=select passwd from users where username=?
            name=dsJndiName, value=java:/databaselogin
            
            15:42:55,343 TRACE [DatabaseServerLoginModule] initialize
            15:42:55,343 TRACE [DatabaseServerLoginModule] Security domain: databaselogin
            15:42:55,343 TRACE [DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/databaselogin
            15:42:55,343 TRACE [DatabaseServerLoginModule] principalsQuery=select passwd from users where username=?
            15:42:55,343 TRACE [DatabaseServerLoginModule] rolesQuery=select userroles, 'roles' from userroles where username=?
            15:42:55,343 TRACE [DatabaseServerLoginModule] suspendResume=true
            15:42:55,343 TRACE [DatabaseServerLoginModule] login
            15:42:55,343 TRACE [DatabaseServerLoginModule] suspendAnyTransaction
            15:42:55,343 TRACE [DatabaseServerLoginModule] Excuting query: select passwd from users where username=?, with username: java
            15:42:55,343 TRACE [DatabaseServerLoginModule] Obtained user password
            15:42:55,343 TRACE [DatabaseServerLoginModule] resumeAnyTransaction
            15:42:55,343 TRACE [DatabaseServerLoginModule] User 'java' authenticated, loginOk=true
            15:42:55,343 TRACE [DatabaseServerLoginModule] commit, loginOk=true
            15:42:55,343 TRACE [DatabaseServerLoginModule] getRoleSets using rolesQuery: select userroles, 'roles' from userroles where username=?, username: java
            15:42:55,343 TRACE [DatabaseServerLoginModule] suspendAnyTransaction
            15:42:55,343 TRACE [DatabaseServerLoginModule] Excuting query: select userroles, 'roles' from userroles where username=?, with username: java
            15:42:55,343 TRACE [DatabaseServerLoginModule] Assign user to role java
            15:42:55,343 TRACE [DatabaseServerLoginModule] resumeAnyTransaction
            15:42:55,390 TRACE [databaselogin] defaultLogin, lc=javax.security.auth.login.LoginContext@551dc1, subject=Subject(1341551).principals=org.jboss.security.SimplePrincipal@11380792(java)org.jboss.security.SimpleGroup@32426946(roles(members:java))
            15:42:55,390 TRACE [databaselogin] updateCache, inputSubject=Subject(1341551).principals=org.jboss.security.SimplePrincipal@11380792(java)org.jboss.security.SimpleGroup@32426946(roles(members:java)), cacheSubject=Subject(8610524).principals=org.jboss.security.SimplePrincipal@11380792(java)org.jboss.security.SimpleGroup@32426946(roles(members:java))
            15:42:55,390 TRACE [databaselogin] Inserted cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@1cf9232[Subject(8610524).principals=org.jboss.security.SimplePrincipal@11380792(java)org.jboss.security.SimpleGroup@32426946(roles(members:java)),credential.class=java.lang.String@24598445,expirationTime=1240841565609]
            15:42:55,390 TRACE [databaselogin] End isValid, true
            15:42:55,390 TRACE [databaselogin] getPrincipal, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@1cf9232[Subject(8610524).principals=org.jboss.security.SimplePrincipal@11380792(java)org.jboss.security.SimpleGroup@32426946(roles(members:java)),credential.class=java.lang.String@24598445,expirationTime=1240841565609]
            15:42:55,406 TRACE [SecurityRolesAssociation] Setting threadlocal:null
            15:42:55,406 TRACE [SecurityRolesAssociation] Setting threadlocal:null
            15:42:55,406 TRACE [SecurityRolesAssociation] Setting threadlocal:{}
            15:42:55,406 TRACE [JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
            15:42:55,421 TRACE [SecurityRolesAssociation] Setting threadlocal:null
            15:42:55,421 TRACE [SecurityRolesAssociation] Setting threadlocal:null
            


            But the problem now is that I get an HTTP 403 error, access denied.
            Any more ideas?

            Thank you very much for the links, too! Very helpful.
            Best regards,
            Nicole

            • 3. Re: DatabaseLoginServerModule implementing problems
              wolfgangknauf

              Hi Nicole,

              what page is accessed when the 403 comes? It is probably part of the "secured_pages" directory?

              As this error 403 is coming, it seems that the user is authenticated, but the role mapping does not work as expected (though the log tells something different: "Assign user to role java").
              Whenever I had read about this login module, the roles query always contained 'Roles', not 'roles'. Try to change the 'r' to upper case. But I don't think that this might be a reason.

              Is there anything special in your app? The console output shows this line "ControlFlag: Anmeldemodul-Steuerflag: required", and as it is German, it sounds like something non-standard ;-)

              Best regards

              Wolfgang

              • 4. Re: DatabaseLoginServerModule implementing problems
                nschweig

                Hi Wolfgang,

                yeah, you are great :-) it was the upper case 'R' in 'roles'.
                Now it is working.

                I tried to find out what the
                "ControlFlag: Anmeldemodul-Steuerflag:"
                is but I do not know; but it was nothing special from my application.

                Thank you very much!

                Best regards,
                Nicole
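
Added example, not part of any post in this thread and not JBoss code: a simplified Python model of why the lowercase 'roles' literal in rolesQuery produced a successful login followed by HTTP 403. The function names, the SQLite stand-in database and the status strings are assumptions made for illustration; the tables, data and queries are the ones quoted in the thread.

```python
import sqlite3

# Simplified model (assumption): the container authorizes against the role
# group named exactly "Roles"; the match is case-sensitive.
AUTHZ_GROUP = "Roles"

def make_db():
    """Constructed test data matching the thread: every field is 'java'."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table users (username text, passwd text);
        create table userroles (username text, userroles text);
        insert into users values ('java', 'java');
        insert into userroles values ('java', 'java');
    """)
    return db

def login(db, principals_query, roles_query, username, password):
    """Return {group name: set of roles}, or None when authentication fails."""
    row = db.execute(principals_query, (username,)).fetchone()
    # Plaintext comparison, as in the thread's policy (no hashing option set).
    if row is None or row[0] != password:
        return None
    groups = {}
    # Column 1 is the role name, column 2 the group the role is placed in.
    for role, group in db.execute(roles_query, (username,)):
        groups.setdefault(group, set()).add(role)
    return groups

def outcome(groups, required_role):
    """What the browser sees for a URL constrained to required_role."""
    if groups is None:
        return "login error page"
    return "200" if required_role in groups.get(AUTHZ_GROUP, set()) else "403"

PRINCIPALS = "select passwd from users where username=?"
ROLES_LOWER = "select userroles, 'roles' from userroles where username=?"
ROLES_FIXED = "select userroles, 'Roles' from userroles where username=?"

def run_demo():
    db = make_db()
    def check(roles_query, password):
        return outcome(login(db, PRINCIPALS, roles_query, "java", password), "java")
    return {"lowercase group": check(ROLES_LOWER, "java"),
            "fixed group": check(ROLES_FIXED, "java"),
            "wrong password": check(ROLES_FIXED, "nope")}

if __name__ == "__main__":
    print(run_demo())
```

With the lowercase literal the role 'java' is still assigned, which is why the trace shows "Assign user to role java", but it lands in a group the authorization check never reads.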