4 Replies Latest reply on Aug 17, 2004 10:39 AM by ltcmelo

    Configuring login in jboss

    ltcmelo

      How do I configure JBoss for a login module with JAAS?

        • 1. Re: Configuring login in jboss
          ltcmelo

          I forgot to say that I'm using JBoss 3.2.3.

          • 2. Re: Configuring login in jboss

            Can you describe in detail?


            "ltcmelo" wrote:
            How do i configure jboss for a login module with jaas?


            • 3. Re: Configuring login in jboss
              darranl

              Which documentation have you both read so far?

              • 4. Re: Configuring login in jboss
                ltcmelo

                Hi,
                First, I'd like to recall that my configuration is MySQL, JBoss 3.2.3, and I'm also using Struts (which wouldn't matter, I think).

                So far I have what seems to be the necessary configuration, but it's not working as expected. Then, I'll post some code to see if others can point out my mistakes. I'd like to emphasize that I have never worked with JAAS (I'm learning it at the moment), so I might be doing some pretty stupid things over here.

                In web.xml:

                ...
                <security-constraint>
                  <web-resource-collection>
                    <web-resource-name>action</web-resource-name>
                    <description>Declarative security tests</description>
                    <url-pattern>*.do</url-pattern>
                    <http-method>GET</http-method>
                    <http-method>POST</http-method>
                  </web-resource-collection>

                  <auth-constraint>
                    <role-name>Echo</role-name>
                  </auth-constraint>
                  <user-data-constraint>
                    <description>no description</description>
                    <transport-guarantee>NONE</transport-guarantee>
                  </user-data-constraint>
                </security-constraint>
                <login-config>
                  <auth-method>FORM</auth-method>
                  <form-login-config>
                    <form-login-page>/logon.do</form-login-page>
                    <form-error-page>/logoff.do</form-error-page>
                  </form-login-config>
                </login-config>
                <security-role>
                  <description>A user allowed to invoke echo methods</description>
                  <role-name>Echo</role-name>
                </security-role>
                ...

                It does not matter if you don't know how Struts works; the important thing is that the application's requests will be redirected to this servlet, which responds to the URI /logon.do.

                // I'm just getting the j_username and j_password from the login.jsp
                LogonreqForm logonreqForm = (LogonreqForm) form;
                String username = logonreqForm.getJ_username();
                String password = logonreqForm.getJ_password();

                // JBoss callback handler that hands the principal and credential to the login modules
                SecurityAssociationHandler handler = new SecurityAssociationHandler();
                SimplePrincipal user = new SimplePrincipal(username);
                handler.setSecurityInfo(user, password.toCharArray());
                // "example2" must match an entry in the JAAS configuration (auth.conf / login-config.xml)
                LoginContext loginContext = new LoginContext("example2", (CallbackHandler) handler);
                loginContext.login();
                Subject subject = loginContext.getSubject();
                Set principals = subject.getPrincipals();
                principals.add(user);

                // return to a page confirming a successful login

                The problem is that the servlet that contains this code always authenticates the user, even when the inputs (j_username and j_password) are left blank!
                Here is my auth.conf in jboss3.2.3/client:

                srp-client {
                  // Example client auth.conf for using the SRPLoginModule
                  org.jboss.security.srp.jaas.SRPLoginModule required
                    password-stacking="useFirstPass"
                    principalClassName="org.jboss.security.SimplePrincipal"
                    srpServerJndiName="SRPServerInterface"
                    debug=true
                    ;

                  // jBoss LoginModule
                  org.jboss.security.ClientLoginModule required
                    password-stacking="useFirstPass"
                    ;

                  // Put your login modules that need jBoss here
                };

                other {
                  // jBoss LoginModule
                  org.jboss.security.ClientLoginModule required
                    ;

                  // Put your login modules that need jBoss here
                };

                client-login {
                  org.jboss.security.ClientLoginModule required;
                };

                example2 {
                  org.jboss.security.ClientLoginModule required;
                  org.jboss.security.auth.spi.DatabaseServerLoginModule required;
                };

                Here is jboss3.2.3/server/default/conf/auth.conf:

                // The JBoss server side JAAS login config file for the examples

                client-login {
                  org.jboss.security.ClientLoginModule required;
                };

                example2 {
                  org.jboss.security.ClientLoginModule required;
                  org.jboss.security.auth.spi.DatabaseServerLoginModule required
                    dsJndiName="java:/DefaultDS"
                    principalsQuery="Select Password from Principals where PrincipalID =?"
                    rolesQuery="Select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalID =?"
                    ;
                };

                Here's login-config.xml:

                ...
                <application-policy name="example2">
                  <authentication>
                    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                    </login-module>
                    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                      <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
                      <module-option name="dsJndiName">java:/DefaultDS</module-option>
                      <module-option name="principalsQuery">Select Password from Principals where PrincipalID =?</module-option>
                      <module-option name="rolesQuery">Select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalID =?</module-option>
                    </login-module>
                  </authentication>
                </application-policy>
                ...
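A self-contained JAAS illustration of the "required" flag semantics behind the configuration in the post above (added here; not code from the thread or from JBoss): a stack whose modules never fail, which is how ClientLoginModule behaves because it only records the caller's identity, accepts blank credentials, while a module that throws FailedLoginException on blank or wrong input makes LoginContext.login() fail. PassThroughModule, CheckingModule, the in-memory Configuration and the alice/s3cret sample credential are constructed stand-ins for the example2 policy and the database lookup; it needs Java 8 or later.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class LoginStackDemo {
    // Constructed stand-in for a module that never rejects; ClientLoginModule behaves like this.
    public static class PassThroughModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) {}
        public boolean login() throws LoginException { return true; }
        public boolean commit() { return true; } public boolean abort() { return true; } public boolean logout() { return true; }
    }
    // Hypothetical credential check: the only module in the stack that can actually fail the login.
    public static class CheckingModule extends PassThroughModule {
        private CallbackHandler handler;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) { handler = h; }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: "); PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); } catch (Exception e) { throw new LoginException(e.toString()); }
            String user = nc.getName(); char[] pw = pc.getPassword();
            if (user == null || user.isEmpty() || pw == null || pw.length == 0) throw new FailedLoginException("blank credentials");
            // Constructed sample store; a real module runs principalsQuery against the datasource instead.
            if (!("alice".equals(user) && Arrays.equals(pw, "s3cret".toCharArray()))) throw new FailedLoginException("bad credentials");
            return true;
        }
    }
    // In-memory replacement for the "example2" application-policy: every module is flagged required.
    static Configuration stack(final Class<?>... modules) {
        return new Configuration() { public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            AppConfigurationEntry[] e = new AppConfigurationEntry[modules.length];
            for (int i = 0; i < modules.length; i++) e[i] = new AppConfigurationEntry(modules[i].getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>());
            return e; } };
    }
    // Same flow as the Struts action: feed j_username/j_password to a CallbackHandler and call login().
    static boolean attempt(Configuration cfg, final String user, final String pass) {
        CallbackHandler h = cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName(user);
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pass.toCharArray()); } };
        try { new LoginContext("example2", null, h, cfg).login(); return true; }
        catch (LoginException e) { return false; }
    }
    public static void main(String[] args) {
        System.out.println("pass-through only, blank input: " + attempt(stack(PassThroughModule.class), "", ""));
        System.out.println("with checker, blank input:      " + attempt(stack(PassThroughModule.class, CheckingModule.class), "", ""));
        System.out.println("with checker, alice/s3cret:     " + attempt(stack(PassThroughModule.class, CheckingModule.class), "alice", "s3cret"));
    }
}
```

The first case mirrors a stack where no module ever throws: every module is "required", yet nothing can fail, so blank input still authenticates; only a module that actually validates the credential changes the outcome.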