Multiple Roles in Web Application
tbar0711 Jul 14, 2010 4:04 AM
Hi,
I need to know how I can configure multiple roles for my web application. I use form based authentication and JBoss 4.2.3.
Here is what I have tried so far, but something is wrong. People that are assigned to productB or productC are not able to log in. productB users are only able to log in if I remove the roles productA and productC within web.xml and login-config.xml. productC users are only able to log in if I remove the roles productA and productB within web.xml and login-config.xml.
For example:
Only 3 Roles are allowed to access my application.
Role 1 = productA
Role 2 = productB
Role 3 = productC
I handle the role-specific views within my application.
The role productA has product specific access to A products.
The role productB has product specific access to B products.
The role productC has product specific access to C products.
In web.xml within my web project I have configured the following stuff:
<security-constraint>
  <display-name>Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Pages</web-resource-name>
    <url-pattern>/index.html</url-pattern>
    <url-pattern>/pages/productView.jsf</url-pattern>
    <url-pattern>/pages/storeproduct.jsf</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>productA</role-name>
    <role-name>productB</role-name>
    <role-name>productC</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/pages/login.html</form-login-page>
    <form-error-page>/pages/login_error.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>Product A</description>
  <role-name>productA</role-name>
</security-role>
<security-role>
  <description>Product B</description>
  <role-name>productB</role-name>
</security-role>
<security-role>
  <description>Product C</description>
  <role-name>productC</role-name>
</security-role>
jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>java:/jaas/products</security-domain>
</jboss-web>
login-config.xml:
<application-policy name="products">
  <authentication>
    <login-module code="de.security.JNDILoginModule" flag="sufficient">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://ldap.myldapserver:123/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="java.naming.security.protocol">ssl</module-option>
      <module-option name="principalDNPrefix">cn=</module-option>
      <module-option name="principalDNSuffix">,ou=usrs,ou=de,o=company</module-option>
      <module-option name="rolesCtxDN">ou=a,ou=roles,o=company</module-option>
      <module-option name="rolesCtxDN">ou=b,ou=roles,o=company</module-option>
      <module-option name="rolesCtxDN">ou=c,ou=roles,o=company</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="truststore">${jboss.server.home.dir}/conf/ldap.truststore</module-option>
      <module-option name="truststorepw">mytruststorepw</module-option>
    </login-module>
  </authentication>
</application-policy>
Am I doing something wrong? Isn't it allowed to have three "rolesCtxDN" module options within login-config.xml?
Thanks in advance.
Regards
Tom
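
A check for the configuration question raised in the post above, as an added example that is not part of the original post and not JBoss code: JAAS passes a login module its options as a `Map`, which holds one value per option name, so this script flags any `module-option` name declared more than once inside one `login-module`. The sample XML is constructed from the post's policy, and the function name is hypothetical; which of the repeated values a given JBoss version keeps is not determined here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's policy, shortened to the options that matter.
SAMPLE = """\
<application-policy name="products">
  <authentication>
    <login-module code="de.security.JNDILoginModule" flag="sufficient">
      <module-option name="rolesCtxDN">ou=a,ou=roles,o=company</module-option>
      <module-option name="rolesCtxDN">ou=b,ou=roles,o=company</module-option>
      <module-option name="rolesCtxDN">ou=c,ou=roles,o=company</module-option>
      <module-option name="roleAttributeID">cn</module-option>
    </login-module>
  </authentication>
</application-policy>
"""


def duplicate_options(xml_text):
    """Return [(policy, module_code, option_name, [values, ...]), ...]
    for every option name declared more than once in one login-module."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() also yields the root itself, so a bare <application-policy>
    # fragment and a full <policy> document are both handled.
    for policy in root.iter("application-policy"):
        for module in policy.iter("login-module"):
            seen = {}  # option name -> values in document order
            for opt in module.findall("module-option"):
                seen.setdefault(opt.get("name"), []).append((opt.text or "").strip())
            for name, values in seen.items():
                if len(values) > 1:
                    findings.append((policy.get("name"), module.get("code"), name, values))
    return findings


if __name__ == "__main__":
    for policy, module, name, values in duplicate_options(SAMPLE):
        print(f"{policy}/{module}: option '{name}' declared {len(values)} times")
        for value in values:
            print(f"    {value}")
```
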