my security domain is not used
shenz Mar 17, 2010 7:56 AMHi,
I've just realized with the help of TRACE/DEBUG that instead of taking the application policy as defined in the login-config.xml, namely
<application-policy name="myWebApp">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule">
...
</login-module>
</application-policy-name>
when trying to login on my EJB Webapplication, always the default configuration by any security domain that does not have an
application-policy entry with a matching name as defined by default in the login-config.xml of JBoss 5.1.0.GA is used. And because this default should not be used of course no properties file for this is defined. Uncommenting or deleting the default configuration from the login-config.xml does not solve the problem, because my application-policy for my security domain "myWebApp" is ignored.
I don't understand why this happpens. I've believed the security domain "myWebApp" for the context-root "myWebApp" is correct, but most probably not. I'll give the content of the according deployment descriptors below for completness. Maybe somebody sees and knows what might cause the problem:
My web.xml looks like:
And the web.xml is:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>JAAS</display-name>
<security-constraint>
<display-name>myWebApp</display-name>
<web-resource-collection>
<web-resource-name>instituteKurz</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myWebApp</realm-name>
</login-config>
and in the jboss-web.xml, I've defined the security domain, namely:
The jboss-web.xml has the content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC
"-//JBoss//DTD Web Application 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
<security-domain>java:/jaas/myWebApp</security-domain>
<context-root>/myWebApp</context-root>
</jboss-web>
and this is security domain is also specified in the the jboss.xml:
The content of the jboss.xml is:
<?xml version="1.0" encoding="UTF-8"?>
<jboss>
<security-domain>myWebApp</security-domain>
</jboss>
Additional I'm using also the application.xml deployment descriptor which has the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE application
PUBLIC "-//Sun Microsystems, Inc.//DTD J2EE Application 1.3//EN"
"http://java.sun.com/dtd/application_1_3.dtd">
<application>
<display-name>myWebApp</display-name>
<module>
<ejb>myWebApp.jar</ejb>
</module>
<module>
<web>
<web-uri>myWebApp.war</web-uri>
<context-root>myWebApp</context-root>
</web>
</module>
</application>