-
1. Re: Configuring login in jboss
ltcmelo Aug 17, 2004 8:40 AM (in response to ltcmelo)
I forgot to say that I'm using JBoss 3.2.3.
-
2. Re: Configuring login in jboss
worldheart Aug 17, 2004 9:21 AM (in response to ltcmelo)
Can you describe in detail?
"ltcmelo" wrote:
How do I configure JBoss for a login module with JAAS?
-
3. Re: Configuring login in jboss
darranl Aug 17, 2004 9:46 AM (in response to ltcmelo)
Which documentation have you both read so far?
-
4. Re: Configuring login in jboss
ltcmelo Aug 17, 2004 10:39 AM (in response to ltcmelo)
Hi,
First, I'd like to recall that my configuration is MySQL, JBoss 3.2.3, and I'm also using Struts (which wouldn't matter, I think).
I got so far what seems to be the necessary configuration, but it's not working as expected. So I'll post some code to see if others can point out my mistakes. I'd like to emphasize that I have never worked with JAAS (I'm learning it at the moment), so I might be doing some pretty stupid things over here.
In web.xml:

    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>action</web-resource-name>
            <description>Declarative security tests</description>
            <url-pattern>*.do</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Echo</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>no description</description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/logon.do</form-login-page>
            <form-error-page>/logoff.do</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description>A user allowed to invoke echo methods</description>
        <role-name>Echo</role-name>
    </security-role>
    ...
It does not matter if you don't know how Struts works; the important thing is that the requests of the application will be redirected to this Servlet, which responds for the URI /logon.do.

    // I'm just getting the j_username and j_password from the login.jsp
    LogonreqForm logonreqForm = (LogonreqForm)form;
    String username = logonreqForm.getJ_username();
    String password = logonreqForm.getJ_password();

    SecurityAssociationHandler handler = new SecurityAssociationHandler();
    SimplePrincipal user = new SimplePrincipal(username);
    handler.setSecurityInfo(user, password.toCharArray());

    LoginContext loginContext = new LoginContext("example2", (CallbackHandler)handler);
    loginContext.login();

    Subject subject = loginContext.getSubject();
    Set principals = subject.getPrincipals();
    principals.add(user);
    // return to a page confirming a successful login
The problem is that the Servlet that contains this code always authenticates the user, even when the inputs (j_username and j_password) are left blank!
Here is my auth.conf in jboss3.2.3/client

    srp-client {
        // Example client auth.conf for using the SRPLoginModule
        org.jboss.security.srp.jaas.SRPLoginModule required
            password-stacking="useFirstPass"
            principalClassName="org.jboss.security.SimplePrincipal"
            srpServerJndiName="SRPServerInterface"
            debug=true
            ;

        // jBoss LoginModule
        org.jboss.security.ClientLoginModule required
            password-stacking="useFirstPass"
            ;

        // Put your login modules that need jBoss here
    };

    other {
        // jBoss LoginModule
        org.jboss.security.ClientLoginModule required
            ;

        // Put your login modules that need jBoss here
    };

    client-login {
        org.jboss.security.ClientLoginModule required;
    };

    example2 {
        org.jboss.security.ClientLoginModule required;
        org.jboss.security.auth.spi.DatabaseServerLoginModule required;
    };
Here is jboss3.2.3/server/default/conf/auth.conf

    // The JBoss server side JAAS login config file for the examples
    client-login {
        org.jboss.security.ClientLoginModule required;
    };

    example2 {
        org.jboss.security.ClientLoginModule required;
        org.jboss.security.auth.spi.DatabaseServerLoginModule required
            dsJndiName="java:/DefaultDS"
            principalsQuery="Select Password from Principals where PrincipalID =?"
            rolesQuery="Select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalID =?"
            ;
    };
Here's login-config.xml

    ...
    <application-policy name="example2">
        <authentication>
            <login-module code="org.jboss.security.ClientLoginModule" flag="required">
            </login-module>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
                <module-option name="dsJndiName">java:/DefaultDS</module-option>
                <module-option name="principalsQuery">Select Password from Principals where PrincipalID =?</module-option>
                <module-option name="rolesQuery">Select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalID =?</module-option>
            </login-module>
        </authentication>
    </application-policy>
    ...