Hi Jaikiran,

I  followed the given URL http://community.jboss.org/wiki/SecurityFAQ I looked for a file conf/log4j.xml. But at jboss-5.1.0.CA such file does not exist, but conf/jboss-config.xml. Therefore I made the according changes for enabling TRACE level in the file conf/jboss-log4j.xml of the according server instance.

But I don't know where, i.e in which file, the TRACE DEBUG information is written. It does not appear on the terminal console. Where does the tracing appears?

But, because I suppose there might be a problem a nother login module, in the file "conf/login-config.xml I commented out all application-policies besides the one of the LdapLoginModule being related to the security-domain "myWebApp" of my application.

Now the error message

:38:42,107 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role  files
java.io.IOException: No properties file: users.properties or  defaults: defaultUsers.properties found
at  org.jboss.security.auth.spi.Util.loadProperties(Util.java:198)

...

does no longer occurs, but nevertheless one cannot login with the according ldap-username and ldap-password account.

I'm not sure, if the Ldap modules "LoginLdapModule" and "LoginExtLdapModule" are able to get the  right DN name, if the "principalDNSuffix" is empty following the (unfortunately only in German) given instructions on

"http://www.imixs.com/websites/imixs-com.nsf/chapter/0020.0100.0030.?OpenDocument" when using Domino. We don't use "Domino", but OpenLadp.

I'm not sure, if for OpenLdap it is allowed too, to led the "principalDNSuffix" empty, i.e.

<module-option  name="principalDNSufffix"></module-option>

I did this, because we have an Ldap hierachy like

uid=uid, ou=department, ou=users, dc=domainPart1,dc=domainPart2

where uid has the unique user account.

Therefore I can't use a common "prinicipalDNSuffix", because it differs from user to user in dependence on the department the user belongs to.

And therefore also the prinicpalDNPrefix is

<module-option  name="principalDNPrefix">uid=</module-option>

instead of

<module-option  name="principalDNPrefix">cn=</module-option>

But up to now the login via ldap is not working.

Does somebody has an idea and can me help to solve this problem?

Thx

Hi,

I've just realized with the help of TRACE/DEBUG that instead of taking the application policy as defined in the login-config.xml, namely

<application-policy name="myWebApp">
      <authentication>

          <login-module code="org.jboss.security.auth.spi.LdapLoginModule">

           ...

       </login-module>

  </application-policy-name>

when trying to login on my EJB Webapplication, always the default  configuration by any security domain that does not have an

application-policy entry with a matching name as defined by default in the login-config.xml of JBoss 5.1.0.GA is used. And because this default  should not be used of course no properties file for this is defined. Uncommenting or deleting the default configuration from the login-config.xml does not solve the problem, because my application-policy for my security domain "myWebApp" is ignored.

I don't understand why this happpens. I've believed the security domain "myWebApp" for the context-root "myWebApp" is correct, but most probably not. I'll give the content of the according deployment descriptors below for completness. Maybe somebody sees and knows what might cause the problem:

My web.xml looks like:

And the web.xml is:

<?xml version="1.0"  encoding="UTF-8"?>

<web-app version="2.5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>JAAS</display-name>

    <security-constraint>
       <display-name>myWebApp</display-name>
         <web-resource-collection>
             <web-resource-name>instituteKurz</web-resource-name>
             <url-pattern>/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
          </web-resource-collection>
         <auth-constraint>
             <role-name>*</role-name>
          </auth-constraint>
         <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
   </security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myWebApp</realm-name>
</login-config>

and in the jboss-web.xml, I've defined the security domain, namely:

The jboss-web.xml has the content:

<?xml version="1.0"  encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC
     "-//JBoss//DTD Web Application 5.0//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
    <security-domain>java:/jaas/myWebApp</security-domain>
    <context-root>/myWebApp</context-root>
</jboss-web>

and this is security domain is also specified in the the jboss.xml:

The content of the  jboss.xml is:

<?xml version="1.0"  encoding="UTF-8"?>
<jboss>
    <security-domain>myWebApp</security-domain>
</jboss>

Additional I'm using also the application.xml deployment descriptor which has the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE application
   PUBLIC "-//Sun Microsystems, Inc.//DTD J2EE Application 1.3//EN"
   "http://java.sun.com/dtd/application_1_3.dtd">
<application>
   <display-name>myWebApp</display-name>
   <module>
      <ejb>myWebApp.jar</ejb>
   </module>
   <module>
      <web>
         <web-uri>myWebApp.war</web-uri>
         <context-root>myWebApp</context-root>
      </web>
   </module>
</application>