4 Replies Latest reply on Mar 7, 2007 4:20 PM by peterj

    Setting up database authentication in JBoss using JAAS

    monocongo

      I am trying to set up authentication using a database. Here is what I have done so far:

      1) I have two tables in my database, one for the user_name and password, and another for roles. The database tables look like this:

      table name: principals
      column: principal_id VARCHAR(64) primary key
      column: password VARCHAR(64)

      table name: roles
      column: principal_id VARCHAR(64)
      column: user_role VARCHAR(64)
      column: role_group VARCHAR(64)


      2) I have added an entry in $JBOSS/server/default/conf/login-config.xml to declare an application policy which uses a DatabaseServerLoginModule. In this entry I have specified the SQL to be used by the module for selecting the password and role, following the example in the JBoss Getting Started Guide (p. 57):

       <!-- added for HIM Server security -->
       <application-policy name="HIM-client-login">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag="required">
       <module-option name="dsJndiName">java:/OracleDS</module-option>
       <module-option name="principalsQuery">select password from principals where principal_id=?</module-option>
       <module-option name="principalsQuery">select user_role,'Roles' from roles where principal_id=?</module-option>
       </login-module>
       </authentication>
       </application-policy>

      3) I have added a security domain entry in the jboss-web.xml file:

       <!-- All secure web resources will use this security domain -->
       <security-domain>java:/jaas/HIM-client-login</security-domain>

      4) I have declared a security constraint in the web.xml file:

       <!-- security configuration -->
       <security-constraint>
      
       <display-name>Server Configuration Security Constraint</display-name>
      
       <!-- the collection of resources to which the security constraint applies -->
       <web-resource-collection>
       <web-resource-name>Secure Resources</web-resource-name>
       <description>Security constraint for all resources</description>
       <!-- the pattern that this constraint applies to -->
       <url-pattern>/*</url-pattern>
       <!-- the HTTP methods that this constraint applies to -->
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       </web-resource-collection>
      
       <!-- the user roles that should be permitted access to this resource collection -->
       <auth-constraint>
       <description>Only allow those users that are in the following role</description>
       <role-name>user</role-name>
       </auth-constraint>
      
       <!-- declare a transport guarantee, if any -->
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
      
       </security-constraint>

      5) I have a simple login form (LoginForm.jsp) which encodes j_security_check:


      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
      <html>
       <head>
       <title>HIM Client Login</title>
       </head>
      
      
       <body>
      
       <form method="POST"
       action='<%= response.encodeURL( "j_security_check" ) %>'>
      
       Username: <input type="text"
       name="j_username"><br/>
       Password: <input type="password"
       name="j_password"><br/>
       <br/>
      
       <input type="submit"
       value="Login">
       <input type="reset"
       value="Reset">
      
       </form>
      
       </body>
      
      </html>

      The trouble is that when I enter a valid username and password in the login form I get redirected to the error page with no indication on the JBoss console as to what the problem is (such as SQLExceptions indicating a database problem such as failure connecting or an invalid table name).

      Can anyone see from the above that I have missed something, or that I have done something wrong?

      Can anyone recommend a way to get more information? All I see in the log file are logs of the requests for the servlet, j_security_check, and the login and error pages, and it might be helpful to have a little more information as to what is going on.

      Thanks in advance for any insight.


      -James
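The silent failure above comes from a login-config.xml that is well-formed XML but has the wrong option set, which the container never complains about. The following is an added example (not JBoss code, and not from any poster in this thread) that lints an application-policy for exactly that class of mistake: duplicated module-option names, missing dsJndiName/principalsQuery/rolesQuery, queries that do not bind a single user-name parameter, and a rolesQuery that does not return the two columns (role name, role group) the DatabaseServerLoginModule expects. The two embedded policies are constructed copies of the configuration posted above, one as posted and one with the second option renamed to rolesQuery.

```python
# Added example (not JBoss code): lint a login-config.xml application-policy
# for the DatabaseServerLoginModule misconfigurations seen in this thread.
import xml.etree.ElementTree as ET

# Options a DatabaseServerLoginModule entry needs (names as used in the thread).
REQUIRED_OPTIONS = ("dsJndiName", "principalsQuery", "rolesQuery")

# Constructed copy of the policy posted above, including the duplicated option.
BROKEN_POLICY = """
<application-policy name="HIM-client-login">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="dsJndiName">java:/OracleDS</module-option>
      <module-option name="principalsQuery">select password from principals where principal_id=?</module-option>
      <module-option name="principalsQuery">select user_role,'Roles' from roles where principal_id=?</module-option>
    </login-module>
  </authentication>
</application-policy>
"""

# The same policy with the second option renamed to rolesQuery (the fix found later).
FIXED_POLICY = BROKEN_POLICY.replace(
    'name="principalsQuery">select user_role', 'name="rolesQuery">select user_role')


def lint_login_config(xml_text: str) -> list:
    """Return human-readable findings; an empty list means the policy looks consistent."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    # iter() includes the root itself, so this works for one policy or a whole file.
    for policy in root.iter("application-policy"):
        pname = policy.get("name", "?")
        for lm in policy.iter("login-module"):
            if not lm.get("code", "").endswith("DatabaseServerLoginModule"):
                continue
            seen = {}
            for opt in lm.findall("module-option"):
                name = opt.get("name")
                if name in seen:
                    # The thread's bug: the same option twice, so one value is silently dropped.
                    findings.append(f"{pname}: duplicate module-option '{name}'")
                seen[name] = (opt.text or "").strip()
            for req in REQUIRED_OPTIONS:
                if req not in seen:
                    findings.append(f"{pname}: missing module-option '{req}'")
            for qname in ("principalsQuery", "rolesQuery"):
                query = seen.get(qname)
                if query is None:
                    continue
                if not query.lower().startswith("select"):
                    findings.append(f"{pname}: {qname} is not a SELECT statement")
                if query.count("?") != 1:
                    findings.append(f"{pname}: {qname} must bind exactly one '?' (the user name)")
            # rolesQuery must yield two columns: the role and the group it belongs to ('Roles').
            roles_query = seen.get("rolesQuery", "")
            if roles_query and "," not in roles_query.lower().split(" from ")[0]:
                findings.append(f"{pname}: rolesQuery must return two columns (role name, role group)")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(label, lint_login_config(text) or ["OK"])
```

Run against the posted policy it reports the duplicate principalsQuery and the missing rolesQuery; against the corrected one it reports nothing. The checks are purely structural (they do not connect to the datasource), which is what makes them usable before deployment.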

        • 1. Re: Setting up database authentication in JBoss using JAAS
          monocongo

          The problem was that I had a duplicate principalsQuery instead of a rolesQuery in the application-policy section of the login-config.xml. Now that this has been fixed I am authenticating as expected.


          -James

          • 2. Re: Setting up database authentication in JBoss using JAAS
            sudhirgc

            Hi James,
            I don't know whether you debugged it yourself and whether this is really helpful by now. I see a problem in login-config.xml where the module tag with option name 'principalsQuery' is incorrectly repeating. The second time it should be 'rolesQuery' :-)

            <!-- added for HIM Server security -->
            <application-policy name="HIM-client-login">

            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
            flag="required">
            <module-option name="dsJndiName">java:/OracleDS</module-option>
            <module-option name="principalsQuery">select password from principals where principal_id=?</module-option>
            <module-option name="rolesQuery">select user_role,'Roles' from roles where principal_id=?</module-option>
            </login-module>

            </application-policy>


            I think this should help.

            Regards,
            Sudhir

            • 3. Re: Setting up database authentication in JBoss using JAAS
              safwateleish

              I have the same problem. Authentication fails and I am being redirected to the error page without any log indicating the error that happened. My configuration is as follows:


              I added the following entry to the login-config.xml

              <application-policy name = "jbossdatabaseBilling">

              <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
              flag = "required">
              <module-option name = "unauthenticatedIdentity">guest</module-option>
              <module-option name = "dsJndiName">java:/myDS</module-option>
              <module-option name = "principalsQuery">SELECT PASSWORD passwd FROM USERS WHERE USERNAME=?</module-option>
              <module-option name = "rolesQuery">SELECT ROLENAME userRoles, 'Roles' FROM DUMMYROLES WHERE USERNAME =?</module-option>
              </login-module>

              </application-policy>


              By the way, my database is Oracle, and I have defined myDS in oracle-ds.xml in the deploy directory of my server.

              I have the jboss-web.xml in the same directory of the web.xml of my web application. It has the following entry

              <security-domain>java:/jaas/jbossdatabaseBilling</security-domain>


              Finally, in the web.xml file I added the following sections:

              <security-role>
              <role-name>users</role-name>
              </security-role>


              <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/error.jsp</form-error-page>
              </form-login-config>
              </login-config>

              <security-constraint>
              <web-resource-collection>
              <web-resource-name>whatever</web-resource-name>
              <url-pattern>/*</url-pattern>
              <http-method>POST</http-method>
              <http-method>GET</http-method>
              </web-resource-collection>
              <auth-constraint>
              <role-name>upgradebundle</role-name>
              </auth-constraint>
              </security-constraint>
              <security-constraint>


              -----

              I am still being redirected to the error page. Any hint? Please, I need help.

              • 4. Re: Setting up database authentication in JBoss using JAAS
                peterj

                Not sure if this is the cause, but under <security-constraint>, the role name is upgradebundle, while in <security-role>, it is user. I think these two should be the same.

                Are the passwords stored in the database in plain text?

                The DatabaseServerLoginModule does support logging at the TRACE level, but it probably doesn't tell you what you want to know. It will, for instance, state what SQL statement it is using for getting the password, but then doesn't say what it got, only whether it matched. Similarly, it doesn't tell you what roles it found. What I did was add more logging to that class to debug my access (actually, I did this with the LDAP login module, but the same thing would work for database).

                Finally, you should have started a new topic rather than appending to a 3 year old topic.
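The role-name mismatch peterj points out is another error that the container accepts without a word in the log. As an added example (not JBoss, Tomcat or any poster's code), the script below cross-checks the security sections of a web.xml: every role named in an auth-constraint must be declared as a security-role. It goes a little beyond the thread's point with two further checks a reviewer would make on the same file: a constraint that lists http-method elements constrains only those methods and leaves the others open, and FORM login combined with transport-guarantee NONE posts j_password over plain HTTP. The embedded web.xml is a constructed copy of the fragments posted earlier in this thread, wrapped in a web-app root; the corrected version is likewise constructed.

```python
# Added example (not JBoss or container code): cross-check the security sections
# of a web.xml for the role mismatch raised above and two related hardening gaps.
import xml.etree.ElementTree as ET

# Constructed copy of the web.xml fragments posted earlier, wrapped in <web-app>.
BROKEN_WEB_XML = """
<web-app>
  <security-role>
    <role-name>users</role-name>
  </security-role>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whatever</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>upgradebundle</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed corrected version: role names agree, all methods covered, TLS required.
FIXED_WEB_XML = """
<web-app>
  <security-role>
    <role-name>users</role-name>
  </security-role>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whatever</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>users</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def lint_web_xml(xml_text: str) -> list:
    """Return human-readable findings; an empty list means the sections agree."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    declared = {(rn.text or "").strip()
                for sr in root.iter("security-role") for rn in sr.iter("role-name")}
    login_config = root.find("login-config")
    auth_method = (login_config.findtext("auth-method", "")
                   if login_config is not None else "").strip()
    for sc in root.iter("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "?").strip()
        # peterj's point: a role used in auth-constraint must also be a declared security-role.
        for rn in sc.iter("role-name"):
            role = (rn.text or "").strip()
            if role != "*" and role not in declared:
                findings.append(f"{name}: auth-constraint role '{role}' is not declared in any security-role")
        # Listing methods constrains only those methods; every other method stays unprotected.
        if sc.find("web-resource-collection/http-method") is not None:
            findings.append(f"{name}: listing http-method leaves unlisted methods unconstrained; omit it to cover all")
        # Form credentials travel in the POST body, so the constraint should require TLS.
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip().upper()
        if auth_method == "FORM" and guarantee == "NONE":
            findings.append(f"{name}: FORM login with transport-guarantee NONE sends j_password in clear text")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, lint_web_xml(text) or ["OK"])
```

On the posted fragments this reports the undeclared upgradebundle role, the method listing and the missing transport guarantee; the corrected file produces no findings. Like the login-config check, it is a static review that can run before the archive is deployed, which is cheaper than adding log statements to the login module after the fact.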