1 Reply Latest reply on Oct 1, 2009 5:48 AM by karin1123

    configuration - config-login.xml

    karin1123

      Hello,

      For a few days I have been trying to set up a JBoss server that was running for a long time but wasn't used for the past months. The deploy path is available with all its contents and works as expected where no login is needed (Apache and Tomcat are also configured like before). Database connections are logging in successfully.

      The project itself is very large, but the company that did the first setup is not available anymore, so we need to get it up and running ourselves.
      From my investigations, the problem is the missing conf path (login-conf.xml, maybe).

      When the application sends the auth, Tomcat sends back that an auth is needed but not given, and so the "RequestProcessor" is not available. No SQL statements are executed (I am monitoring the mysql.log on a development machine).

      Corresponding web.xml:
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>ProtectedServlets</web-resource-name>
          <url-pattern>/RequestProcessor</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>MyUser</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>My Web Service</realm-name>
      </login-config>
      <security-role>
        <role-name>MyUser</role-name>
      </security-role>

      Corresponding jboss-web.xml:
      <jboss-web>
        <security-domain>java:/jaas/myDataBase</security-domain>
        <ejb-local-ref>
          <ejb-ref-name>ejb/JBossRequestProcessorSession</ejb-ref-name>
          <local-jndi-name>myDataBase/JBossRequestProcessorSession</local-jndi-name>
        </ejb-local-ref>
        .......
        .......
        .......
      </jboss-web>

      Used for the test is an internal server with an internal name, test.intern, so that no traffic goes out. That is all working well in the network, so no need to think about that.

      What happens in auth is this.
      The client sends:
      .4......HTTP/1.1.../server/RequestProcessor...192.168.0.110.....www.test.intern..P.......Basic.bWFya3VzOmFzZGZhc2Rm.....Jakarta.Commons-HttpClient/2.0.2.....www.test.intern.....36....!application/x-www-form-urlencoded...........

      The jk.log says:
      <Unauthorized.....WWW-Authenticate..(Basic.realm="My.Web.Service"...Content-Type...text/html;charset=utf-8...

      ------
      The cryptic string is a base64-encoded username/password pair.

      That is the bottom of the problem: nowhere am I able to find information on whether I can send this through login-config.xml into the database. I know how to say that the password is encrypted, and what the algorithm is, but not how to handle user and password within ONE base64 string.

      My MySQL statement would be like this:
      SELECT userID FROM logins WHERE username=? AND password=?
      (password is MD5 encrypted)

      The second, for the role, would be:
      SELECT privilege FROM set_privileges WHERE userId=?
      (privilege would be MyUser)

      They are all fetched from MyDataBase.

      Is there any help where I can find out how to handle that? (base64decode - split - md5 encode)
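
How the pieces in the post map onto a JBoss security domain, as an added example that is not part of the original post: with BASIC auth the web container decodes the Authorization header and splits user and password itself, then hands both to the JAAS domain named in jboss-web.xml, so the login module only needs the queries and the hash settings. The sketch assumes the stock DatabaseServerLoginModule in conf/login-config.xml, a datasource bound at the placeholder name java:/MyDataBaseDS, and MD5 hashes stored as hex; the post confirms none of these.

```xml
<!-- Added example: goes inside the <policy> element of conf/login-config.xml.
     The policy name must match the part after java:/jaas/ in jboss-web.xml. -->
<application-policy name="myDataBase">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">

      <!-- Placeholder JNDI name (assumption): use the name of the datasource
           that already logs in to MySQL successfully. -->
      <module-option name="dsJndiName">java:/MyDataBaseDS</module-option>

      <!-- The module looks up the STORED password by username and compares it
           itself, so the query selects the password column instead of putting
           "AND password=?" in the WHERE clause. -->
      <module-option name="principalsQuery">
        SELECT password FROM logins WHERE username=?
      </module-option>

      <!-- The bind parameter is again the username, so set_privileges is joined
           through logins. The second column is the role group; the literal
           'Roles' is the group the container checks for <role-name>MyUser</role-name>. -->
      <module-option name="rolesQuery">
        SELECT p.privilege, 'Roles'
        FROM set_privileges p JOIN logins l ON l.userID = p.userId
        WHERE l.username=?
      </module-option>

      <!-- The submitted clear-text password is hashed with this algorithm and
           encoding before the comparison. hex is an assumption (it is what
           MySQL's MD5() produces); the module's other encoding is base64.
           Unsalted MD5 is kept only to match the existing column and is weak
           for password storage. -->
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">hex</module-option>
    </login-module>
  </authentication>
</application-policy>
```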