Jboss-Tomcat Form Based Authentication
erocha Sep 10, 2002 4:01 PM
I am new to Jboss and have been trying to set up security realms for Tomcat (Catalina) and Jboss. I have followed some of the howtos online. It seems to work in the sense that it will display the login page. Once the login page is displayed and data is entered, it takes me straight to the requested page without validating the username and password.
Here is what I've done so far:
1. Added to $JBOSS_HOME/catalina/config/server.xml
to define a Realm that uses a Postgres database. The driver is in $JBOSS_HOME/lib
-------------
--------------
2. I have the following war file (name=auth.war) and I deploy it by copying it to $JBOSS_HOME/server/default/deploy directory:
2.1 Login.html
--------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><title>Tryplec</title></head>
<body>
<h1>Welcome to tryplec ! </h1>
<!-- form/input tags lost in the post are restored here; Servlet FORM auth requires exactly this action and these field names -->
<form method="POST" action="j_security_check">
User Name: <input type="text" name="j_username">
Password: <input type="password" name="j_password">
<input type=submit value="Login">
</form>
</body></html>
---------------
2.2 failedLogin.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><title>Tryplec</title></head>
<body>
<h1>Welcome to tryplec ! </h1>
FAILED
<!-- same form as Login.html: the error page must post to j_security_check as well -->
<form method="POST" action="j_security_check">
User Name: <input type="text" name="j_username">
Password: <input type="password" name="j_password">
<input type=submit value="Login">
</form>
</body></html>
--------------
2.3 foo.html just a test file to test access
---------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><title>YEY!</title></head>
<body>
<h1>Welcome to tryplec ! </h1>
GOT IN
</body></html>
------------------------
2.4 WEB-INF/web.xml
-------------
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<!-- Default login configuration uses form-based authentication -->
<!--
<session-config>
<session-timeout>720</session-timeout>
</session-config>
-->
<security-constraint>
<display-name>Secured Tryplec</display-name>
<web-resource-collection>
<web-resource-name>TryplecResource</web-resource-name>
<description>Accessible by authorized users</description>
<url-pattern>/*</url-pattern>
<url-pattern>/auth/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description>These are the roles who have access</description>
<role-name>MA</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Authorized Tryplec</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/failedLogin.html</form-error-page>
</form-login-config>
</login-config>
</web-app>
----------------------------
1. Am I missing any other config files?
2. Why does it allow me to access any secured files without validating?
3. I can't seem to find any logs to figure out whether it even tries to access the database.
Any help will be much appreciated
Thanks
Efrain
Just a noob developer
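The following lint script is an added example and is not part of the post or of JBoss/Tomcat; it checks the two things a FORM-auth deployment most often gets wrong, using constructed copies of the post's web.xml and a deliberately wrong login page as sample input. The function names (lint_web_xml, lint_login_page) and the sample files are assumptions of this example.

```python
"""Lint a Servlet 2.3 web.xml FORM-auth setup and its login page.

Added example, not code from the forum post or from JBoss/Tomcat.
It reports the configuration mistakes that most often make form-based
authentication appear to "not validate": a login form that does not post
to j_security_check, a security-constraint that only covers the listed
HTTP methods, and FORM credentials sent with transport-guarantee NONE.
"""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample: the security-constraint and login-config from the post.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TryplecResource</web-resource-name>
      <url-pattern>/*</url-pattern>
      <url-pattern>/auth/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>MA</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/failedLogin.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# Constructed sample: a login page whose form never reaches the container's
# authenticator (wrong action, wrong field names).
SAMPLE_LOGIN_HTML = """<html><body>
<form method="POST" action="foo.html">
User Name: <input type="text" name="username">
Password: <input type="password" name="password">
<input type="submit" value="Login">
</form></body></html>"""


class FormScanner(HTMLParser):
    """Collect form actions and input names from a login page."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.inputs = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append((a.get("action") or "").strip())
        elif tag == "input" and a.get("name"):
            self.inputs.add(a["name"])


def lint_web_xml(xml_text):
    """Return a list of (severity, message) findings for a web.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    auth_method = root.findtext("login-config/auth-method", "").strip().upper()
    if auth_method == "FORM" and root.find("login-config/form-login-config") is None:
        findings.append(("error", "FORM auth declared without form-login-config"))
    for sc in root.findall("security-constraint"):
        patterns = ", ".join(p.text.strip() for p in sc.findall("web-resource-collection/url-pattern"))
        methods = [m.text.strip().upper() for m in sc.findall("web-resource-collection/http-method")]
        if methods:
            # Listing http-method elements limits the constraint to those verbs;
            # any other verb (HEAD, OPTIONS, ...) reaches the resource unauthenticated.
            findings.append(("warn", "constraint on %s only covers %s; other HTTP methods are unconstrained"
                             % (patterns, ", ".join(methods))))
        if sc.find("auth-constraint") is None:
            findings.append(("warn", "constraint on %s has no auth-constraint: no login is required" % patterns))
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip().upper()
        if auth_method == "FORM" and guarantee == "NONE":
            findings.append(("warn", "FORM credentials for %s may travel over plain HTTP (transport-guarantee NONE)" % patterns))
    return findings


def lint_login_page(html_text):
    """Return findings for a FORM-auth login page."""
    findings = []
    scanner = FormScanner()
    scanner.feed(html_text)
    if not any(a.endswith("j_security_check") for a in scanner.actions):
        findings.append(("error", "login form does not post to j_security_check; the container never sees the credentials"))
    for required in ("j_username", "j_password"):
        if required not in scanner.inputs:
            findings.append(("error", "login form has no input named %s" % required))
    return findings


if __name__ == "__main__":
    for sev, msg in lint_web_xml(SAMPLE_WEB_XML) + lint_login_page(SAMPLE_LOGIN_HTML):
        print("[%s] %s" % (sev, msg))
```

Run against real files by reading them into the two functions; a form that does not post to j_security_check is the usual reason a protected page is served "without validating", because the container only performs the credential check on that URL.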