Dear all,
When I moved my MyStore project from JBoss 3.2.3 to JBoss 4.0.0, my security policy didn't work. When I use the same login name and password to log in to JBoss 3.2.3 and JBoss 4.0.0, JBoss 3.2.3 allows access to my servlet but JBoss 4.0.0 doesn't.
Here is part of the application policy in login-config.xml.

<application-policy name="Mystore">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
      <module-option name="rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
    </login-module>
  </authentication>
</application-policy>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>access</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the access web application</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Access</realm-name>
</login-config>
<security-role>
  <role-name>JBossAdmin</role-name>
</security-role>