I have setup a test web app to try out form based authentication of protected .jsp pages. I am having trouble getting the DatabaseServerLoginModule to work.

The problem is it allows me to enter any username and password and authenticates the user fine. The user is then in all roles.

Any help would be gratefully appreciated.

Thanks,

Richard




I have added the following entry into my login-config.xml

<application-policy name = "WebTestRealm">

<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
<module-option name = "dsJndiName">java:/OracleDS</module-option>
<module-option name = "principalsQuery">select passwd from jboss_users where userid = ?</module-option>
<module-option name = "rolesQuery">select role, rolegroup from jboss_roles where userid = ?</module-option>
</login-module>

</application-policy>


The web.xml file is :-

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<display-name>Web Test</display-name>
Sample website to test out JSP and EJB integration
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>webtest</display-name>
<web-resource-collection>
<web-resource-name>secure</web-resource-name>
Secure areas of the application
<url-pattern>/secure/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>role1</role-name>
</auth-constraint>
<user-data-constraint>
Web Application
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>WebTestRealm</realm-name>
<form-login-config>
<form-login-page>/login_form.jsp</form-login-page>
<form-error-page>/login_error.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>