I have a small web application (just a tutorial) that I want to secure with JAAS on Jboss but it seems I ha™ve missed something some where so the authentication is always failing sending me to the login-error.jsp page I have created and mapped. See cod below.

My environment:
Jboss 5.0.0GA, Eclipse Ganymede, MySql 5.1.30-community, Windows Vista

A. The Code

1. database

Principals table:
CREATE TABLE Principals (
PrincipalID VARCHAR (64) PRIMARY KEY,
Password VARCHAR (64)
)
Roles Table:
CREATE TABLE Roles (
PrincipalId varchar(255) NOT NULL default '',
Role varchar(255) NOT NULL default '',
RoleGroup varchar(255) NOT NULL default '',
PRIMARY KEY(PrincipalId)
)



2. login-config.xml


<application-policy name="formbasedPolicyDomainDb">

<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag="required">
<module-option name="dsJndiName">java:/mysqlDs</module-option>
<module-option name="principalsQuery">
select Password from Principals where PrincipalID=?</module-option>
<module-option name="rolesQuery">
select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalId=?</module-option>
</login-module>

</application-policy>




3. jboss-web.xml

<jboss-web>
<security-domain>java:/jaas/formbasedPolicyDomainDb</security-domain>

<resource-ref>
<res-ref-name>jdbc/mysqlDs</res-ref-name>
<jndi-name>java:/jdbc/mysqlDs</jndi-name>
</resource-ref>
</jboss-web>


4. web.xml

<resource-ref>
Mysql Datasource mapping
<res-ref-name>jdbc/mysqlDs</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>

<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted to Secure role</web-resource-name>
Declarative security
<url-pattern>/admin/*</url-pattern>
<http-method>HEAD</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>


<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted to Secure role</web-resource-name>
Declarative security
<url-pattern>/client/*</url-pattern>
<http-method>HEAD</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Client</role-name>
</auth-constraint>
</security-constraint>

<security-role>
<role-name>Admin</role-name>
</security-role>
<security-role>
<role-name>User</role-name>
</security-role>
<security-role>
<role-name>Client</role-name>
</security-role>


<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login-error.jsp</form-error-page>
</form-login-config>
</login-config>


Note that I have the data source with jndi name jdbc/mysqlDs mapped in Mysql-ds.xml deployed in Jboss_home/../deploy directory




5. Index.jsp
('<' intentionally removed from a href to display the code rather than an actual link)

a href="<%= request.getContextPath() %>/admin/admin.jsp">Admin Page


a href="<%= request.getContextPath() %>/client/client.jsp">Client Page


a href="<%= request.getContextPath() %>/logout.jsp">Log out


When user try to go to either admin.jsp or client.jsp, they are correctly redirected to login.jsp if they are not logged in.





6. Login.jsp
(close and opened tags intentionally removed to display the code rather than the actual html page)

html
head title login page title head
body
form method="POST" action="j_security_check"
Username: input type="text" name="j_username"
Password: <input type="password" name="j_password"
input type="submit" value="Login"
form
body
html



The issue:

The authentication does not work, it always sends me to login-error.jsp mapped in web.xml

I dont know what j_security_check is and I cant seem to tie it in with my login module DatabaseServerLoginModule defined in login-config.xml

I have seen elsewhere that I may need to write a call back handler but how do I tie it in with j_security_check and my login module?

Please help:

Here is an output from my Jboss log I have enabled security logging so I can see the username being authenticated. user3 below in the log has the role called Client in the Roles table and this Client role is maped correctly in web.xml
if you wish to see my war file, please email me at dooze77 at gmail dot com

2009-07-18 06:57:07,180 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted to Secure role]' against GET /client/client.jsp --> false
2009-07-18 06:57:07,180 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted to Secure role]' against GET /client/client.jsp --> true
2009-07-18 06:57:07,180 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted to Secure role]' against GET /client/client.jsp --> false
2009-07-18 06:57:07,181 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted to Secure role]' against GET /client/client.jsp --> true
2009-07-18 06:57:07,181 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Calling hasUserDataPermission()
2009-07-18 06:57:07,181 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-1) User data constraint has no restrictions
2009-07-18 06:57:07,184 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Calling authenticate()
2009-07-18 06:57:07,184 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-1) Save request in session '1A8034E59C5FF30260B6699B53356B69'
2009-07-18 06:57:07,205 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/JAASFormAuth].[jsp]] (http-127.0.0.1-8080-1) Disabling the response for futher output
2009-07-18 06:57:07,205 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Failed authenticate() test
2009-07-18 06:57:16,864 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-1) Requested cookie session id is 1A8034E59C5FF30260B6699B53356B69
2009-07-18 06:57:16,865 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Security checking request POST /JAASFormAuth/client/j_security_check
2009-07-18 06:57:16,866 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-1) Authenticating username 'user3'
2009-07-18 06:57:16,873 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/JAASFormAuth].[jsp]] (http-127.0.0.1-8080-1) Disabling the response for futher output
2009-07-18 06:57:16,873 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Failed authenticate() test ??/JAASFormAuth/client/j_security_check
2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1247925469443 sessioncount 0
2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1247925469443 sessioncount 0
2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1247925469443 sessioncount 0