DatabaseServerLoginModule
georgy  Jul 3, 2007 12:33 PM

Hi,
I am trying to authenticate a user with the DatabaseServerLoginModule module against a MySQL database. First I created two tables:
CREATE TABLE `proxiad`.`principals` (
  `PrincipalID` varchar(64) NOT NULL default '',
  `Password`    varchar(64) default NULL,
  PRIMARY KEY (`PrincipalID`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

CREATE TABLE `proxiad`.`roles` (
  `PrincipalID` varchar(64) default NULL,
  `Role`        varchar(64) default NULL,
  `RoleGroup`   varchar(64) default NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
Then I inserted data:
insert into roles values ('g.mahop', 'Authenticated', 'Roles');
insert into roles values ('g.mahop', 'Admin', 'Roles');
insert into principals values ('g.mahop', 'toto');
Finally I modified jboss-portal.sar/conf/login-config.xml this way:
<?xml version='1.0'?>
<!--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ~ JBoss, a division of Red Hat
  ~ Copyright 2006, Red Hat Middleware, LLC, and individual contributors as
  ~ indicated by the @authors tag. See the copyright.txt in the distribution
  ~ for a full listing of individual contributors.
  ~
  ~ This is free software; you can redistribute it and/or modify it under the
  ~ terms of the GNU Lesser General Public License as published by the Free
  ~ Software Foundation; either version 2.1 of the License, or (at your option)
  ~ any later version.
  ~
  ~ This software is distributed in the hope that it will be useful, but
  ~ WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  ~ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
  ~ License for more details.
  ~
  ~ You should have received a copy of the GNU Lesser General Public License
  ~ along with this software; if not, write to the Free Software Foundation,
  ~ Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the
  ~ FSF site: http://www.fsf.org.
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~-->
<!DOCTYPE policy PUBLIC
   "-//JBoss//DTD JBOSS Security Config 3.0//EN"
   "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>

   <!-- For the JCR CMS -->
   <application-policy name="cms">
      <authentication>
         <login-module code="org.apache.jackrabbit.core.security.SimpleLoginModule" flag="required"/>
      </authentication>
   </application-policy>

   <application-policy name="portal">
      <authentication>
         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName">java:/PortalDS</module-option>
            <module-option name="principalsQuery">select passwd from Users username where username=?</module-option>
            <module-option name="rolesQuery">select userRoles, 'Roles' from UserRoles where username=?</module-option>
         </login-module>

         <!--
         <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
         <login-module code="org.jboss.portal.identity.auth.DBIdentityLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="dsJndiName">java:/PortalDS</module-option>
            <module-option name="principalsQuery">SELECT Password FROM principals WHERE PrincipalID=?</module-option>
            <module-option name="rolesQuery">Select Role,'Roles' from roles where PrincipalID=?</module-option>
         </login-module>
         -->

         <!-- To configure LDAP support with IdentityLoginModule please check the documentation
              on how to configure portal identity modules for this.
         <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
            <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
            <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
            <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
            <module-option name="additionalRole">Authenticated</module-option>
            <module-option name="password-stacking">useFirstPass</module-option>
         </login-module>
         -->

         <!-- You can use this module instead of IdentityLoginModule to bind to LDAP. It simply
              extends JBossSX LdapExtLoginModule, so all configuration that can be applied to
              LdapExtLoginModule can also be applied here. For a user that was authenticated
              successfully it will take the identity modules from the portal, check if such a
              user (and the roles it belongs to) is present, and if not it will try to create
              them. Then for all roles assigned to this authenticated principal it will try to
              check and create them using the identity modules. This behaviour can be disabled
              using "synchronizeRoles". You can also define one "defaultAssignRole" that will
              always be assigned to the synchronized user. It is also possible to set the option
              "synchronizeIdentity" to "false" so this module will act exactly like
              LdapExtLoginModule but will inject the role defined in "additionalRole".
              For obvious reasons this is designed to be used with portal identity modules
              configured with DB and not LDAP. -->
         <!-- There is also SynchronizingLDAPLoginModule which provides the same set of options
              on top of JBossSX LdapLoginModule -->
         <!--
         <login-module code="org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule" flag="required">
            <module-option name="synchronizeIdentity">true</module-option>
            <module-option name="synchronizeRoles">true</module-option>
            <module-option name="additionalRole">Authenticated</module-option>
            <module-option name="defaultAssignedRole">User</module-option>
            <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
            <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
            <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
            <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://example.com:10389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="bindDN">cn=Directory Manager</module-option>
            <module-option name="bindCredential">lolo</module-option>
            <module-option name="baseCtxDN">ou=People,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
            <module-option name="baseFilter">(uid={0})</module-option>
            <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
            <module-option name="roleFilter">(member={1})</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="roleRecursion">-1</module-option>
            <module-option name="searchTimeLimit">10000</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
         </login-module>
         -->

         <!-- This login module should be placed at the end of the authentication stack. It
              always returns true in its login() method, so it should always be "optional" and
              sit after the other "required" modules in the stack. It will try to synchronize
              the authenticated user into the portal store using the portal identity modules.
              Each subject principal assigned by previous modules will be synchronized into
              the portal as a role. -->
         <!--
         <login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
            <module-option name="synchronizeIdentity">true</module-option>
            <module-option name="synchronizeRoles">true</module-option>
            <module-option name="additionalRole">Authenticated</module-option>
            <module-option name="defaultAssignedRole">User</module-option>
            <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
            <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
            <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
            <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
         </login-module>
         -->

         <!-- Uncomment this if you want to fall back to users kept in the DB if LDAP
              authentication fails. This may be useful if you want to use the Admin user
              provided with the portal database schema. -->
         <!-- Note that this may lead to a security risk: with LDAP, when storing user profile
              information that is not mapped as an attribute, you may have an LDAP user
              synchronized into the DB with no password set. Please see the
              HibernateUserProfileImpl module options "synchronizeNonExistingUsers",
              "acceptOtherImplementations", "defaultSynchronizePassword" or
              "randomSynchronizePassword" to manage this behaviour. -->
         <!--
         <login-module code="org.jboss.portal.identity.auth.DBIdentityLoginModule" flag="sufficient">
            <module-option name="dsJndiName">java:/PortalDS</module-option>
            <module-option name="principalsQuery">SELECT jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
            <module-option name="rolesQuery">SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=?</module-option>
            <module-option name="hashAlgorithm">MD5</module-option>
            <module-option name="hashEncoding">HEX</module-option>
            <module-option name="additionalRole">Authenticated</module-option>
         </login-module>
         -->
      </authentication>
   </application-policy>

</policy>
But when I log in using correct principals, it looks like I don't have 'Admin' rights; in fact it looks like I am not logged in, since the 'Login' link appears on the page (top right).
If I use wrong principals, 'null' is displayed instead of the usual message 'User doesn't exist or...'.
I am using JBOSS Portal 2.6 GA (bundle version)
Can somebody help me?
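As an added illustration (not the poster's code and not part of JBoss), the script below emulates what a DatabaseServerLoginModule does with its two options: it runs principalsQuery with the user name bound to the placeholder, compares the single returned column against the supplied password, then runs rolesQuery and keeps the rows whose second column is 'Roles'. It rebuilds the two tables from the post in an in-memory SQLite database (MySQL is assumed to behave the same for these statements) and runs three scenarios: the queries exactly as configured in the posted login-config.xml, which name tables Users and UserRoles that the posted schema never creates; queries that match the principals/roles tables that were created (the same queries as in the commented-out DBIdentityLoginModule block); and a variant where principals.Password holds an MD5 hex digest, mirroring the hashAlgorithm=MD5 / hashEncoding=HEX options from the post, so the plaintext 'toto' is not stored in the table. The function names (open_db, encode_password, db_login, demo) and the constant names are constructed for this example.

```python
import base64
import hashlib
import hmac
import sqlite3

# Constructed in-memory equivalent of the MySQL tables from the post
# (SQLite syntax; the ENGINE/CHARSET clauses are dropped).
SCHEMA = """
CREATE TABLE principals (
    PrincipalID VARCHAR(64) NOT NULL PRIMARY KEY,
    Password    VARCHAR(64)
);
CREATE TABLE roles (
    PrincipalID VARCHAR(64),
    Role        VARCHAR(64),
    RoleGroup   VARCHAR(64)
);
INSERT INTO roles VALUES ('g.mahop', 'Authenticated', 'Roles');
INSERT INTO roles VALUES ('g.mahop', 'Admin', 'Roles');
"""

# The queries exactly as configured in the posted login-config.xml ...
POSTED_PRINCIPALS_QUERY = "select passwd from Users username where username=?"
POSTED_ROLES_QUERY = "select userRoles, 'Roles' from UserRoles where username=?"

# ... and queries that match the tables the post actually created
# (the same ones the commented-out DBIdentityLoginModule block uses).
MATCHING_PRINCIPALS_QUERY = "SELECT Password FROM principals WHERE PrincipalID=?"
MATCHING_ROLES_QUERY = "SELECT Role, 'Roles' FROM roles WHERE PrincipalID=?"


def open_db(stored_password="toto"):
    """Build the in-memory database with the single principal 'g.mahop'.

    stored_password is what goes into principals.Password: the plaintext
    'toto' from the post, or a digest when emulating hashAlgorithm."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO principals VALUES (?, ?)", ("g.mahop", stored_password))
    return conn


def encode_password(password, hash_algorithm, hash_encoding):
    """Mirror the hashAlgorithm/hashEncoding options: digest the supplied
    password and encode it the way the stored value is expected to be."""
    if hash_algorithm is None:
        return password
    digest = hashlib.new(hash_algorithm.lower().replace("-", ""),
                         password.encode("utf-8")).digest()
    if hash_encoding.upper() == "BASE64":
        return base64.b64encode(digest).decode("ascii")
    return digest.hex()  # HEX


def db_login(conn, principals_query, roles_query, username, password,
             hash_algorithm=None, hash_encoding="HEX"):
    """Emulate a DatabaseServerLoginModule lookup.

    Returns (authenticated, roles, reason). principals_query must return one
    column (the stored password) for the bound user name; roles_query returns
    (role, role_group) rows and only rows in the 'Roles' group become roles."""
    try:
        row = conn.execute(principals_query, (username,)).fetchone()
    except sqlite3.Error as exc:
        # A query against a table that does not exist fails here; the login
        # is refused before any password is compared.
        return False, [], f"principalsQuery failed: {exc}"
    if row is None:
        return False, [], "no such user"
    stored = row[0]
    candidate = encode_password(password, hash_algorithm, hash_encoding)
    # Constant-time comparison so a mismatch does not leak how many
    # leading characters matched.
    if not hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8")):
        return False, [], "bad password"
    try:
        rows = conn.execute(roles_query, (username,)).fetchall()
    except sqlite3.Error as exc:
        return False, [], f"rolesQuery failed: {exc}"
    roles = sorted(role for role, group in rows if group == "Roles")
    return True, roles, "ok"


def demo():
    """Run the scenarios described in the lead-in and return their outcomes."""
    plain = open_db()
    posted = db_login(plain, POSTED_PRINCIPALS_QUERY, POSTED_ROLES_QUERY, "g.mahop", "toto")
    matching = db_login(plain, MATCHING_PRINCIPALS_QUERY, MATCHING_ROLES_QUERY, "g.mahop", "toto")
    wrong = db_login(plain, MATCHING_PRINCIPALS_QUERY, MATCHING_ROLES_QUERY, "g.mahop", "titi")
    # Store an MD5 hex digest instead of the plaintext, as the commented-out
    # hashAlgorithm=MD5 / hashEncoding=HEX block in the post expects.
    hashed = open_db(encode_password("toto", "MD5", "HEX"))
    hashed_ok = db_login(hashed, MATCHING_PRINCIPALS_QUERY, MATCHING_ROLES_QUERY,
                         "g.mahop", "toto", hash_algorithm="MD5")
    return {"posted": posted, "matching": matching, "wrong": wrong, "hashed": hashed_ok}


if __name__ == "__main__":
    for name, (ok, roles, reason) in demo().items():
        print(f"{name:9s} authenticated={ok} roles={roles} reason={reason}")
```

The first scenario fails at principalsQuery because the referenced table does not exist, so no password is ever compared and no roles are loaded; the second authenticates 'g.mahop' with the roles Admin and Authenticated. The hashed scenario uses MD5 only because that is the algorithm named in the posted configuration; a salted, iterated password hash is the better choice for a new deployment, and whatever the choice, the value stored in principals.Password must be produced by the same algorithm and encoding the module is configured with, or every login will fail with "bad password".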