1 Reply Latest reply on Mar 31, 2011 8:31 AM by noeternity

    Authorization issue while implementing login module with DatabaseServerLoginModule

    c-ddhesh

      Hi all,
      I am new to JBoss. I am trying to implement form-based authentication using DatabaseServerLoginModule on JBoss 6.0.
      By referring to guides and several tutorials I implemented and configured it. My application works up to the authentication phase.
      Authorization fails, giving the following errors in the logs. Here are my logs:

       

      11:18:53,240 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Obtained user password
      11:18:53,240 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction
      11:18:53,240 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User'sidd' authenticated, loginOk=true
      11:18:53,240 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
      11:18:53,240 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] getRoleSets using rolesQuery: SELECT Role, RoleGroup FROM Roles WHERE PrincipalID=?,username: sidd
      11:18:53,256 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction
      11:18:53,256 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT Role, RoleGroup FROM Roles WHERE PrincipalID=?, with username: sidd
      11:18:53,256 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role WebAppUser
      11:18:53,256 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction
      11:18:53,256 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.my-web] defaultLogin, lc=javax.security.auth.login.LoginContext@1b7a59c, subject=Subject(21185284).principals=org.jboss.security.SimplePrincipal@15004845(sidd)org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser))
      11:18:53,256 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.my-web] updateCache, inputSubject=Subject(21185284).principals=org.jboss.security.SimplePrincipal@15004845(sidd)org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser)), cacheSubject=Subject(16292112).principals=org.jboss.security.SimplePrincipal@15004845(sidd)org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser))
      11:18:53,256 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.my-web] Inserted cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@10908b5[Subject(16292112).principals=org.jboss.security.SimplePrincipal@15004845(sidd)org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser)),credential.class=java.lang.String@13809944,expirationTime=1297318685741]
      11:18:53,256 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.my-web] End isValid, true
      11:18:53,256 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.my-web] getPrincipal, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@10908b5[Subject(16292112).principals=org.jboss.security.SimplePrincipal@15004845(sidd)org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser)),credential.class=java.lang.String@13809944,expirationTime=1297318685741]
      11:18:53,272 TRACE [org.jboss.security.SecurityRolesAssociation] Setting threadlocal:null
      11:18:53,272 TRACE [org.jboss.security.SecurityRolesAssociation] Setting threadlocal:{}
      11:18:53,272 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
      11:18:53,287 TRACE [org.jboss.security.SecurityRolesAssociation] Setting threadlocal:null

       

       

      Here is my database, called book, which has the following structure:

        CREATE TABLE IF NOT EXISTS Principals (
          PrincipalID varchar(30) NOT NULL PRIMARY KEY,
          Password varchar(50) NOT NULL
        ) ENGINE=INNODB;

        CREATE TABLE IF NOT EXISTS Roles (
          PrincipalID varchar(30) NOT NULL,
          INDEX (PrincipalID),
          Role varchar(50) NOT NULL,
          RoleGroup varchar(50) NULL,
          PRIMARY KEY(PrincipalID, Role),
          CONSTRAINT Roles_Principal_FK FOREIGN KEY (PrincipalID)
            REFERENCES Principals (PrincipalID) ON DELETE CASCADE
        ) ENGINE=INNODB;

       

      The values of "PrincipalID" and "Password" are "sidd" and "pass".
      The values of "PrincipalID", "Role" and "RoleGroup" are "sidd", "WebAppUser" and "WebAppUser".

      My web.xml is as follows

       

      <?xml version="1.0"?>
      <web-app>
          <description>A test app for security</description>
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>All resources</web-resource-name>
                  <description>Protects all resources</description>
                  <url-pattern>/*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>WebAppUser</role-name>
              </auth-constraint>
          </security-constraint>

          <security-role>
              <role-name>WebAppUser</role-name>
          </security-role>

          <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
                  <form-login-page>/login.html</form-login-page>
                  <form-error-page>/errors.html</form-error-page>
              </form-login-config>
          </login-config>
      </web-app>

       


      login-config.xml has the following entry:

          <application-policy name="my-web">
              <authentication>
                  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                                flag="required">
                      <module-option name="dsJndiName">java:/MySqlDS</module-option>
                      <module-option name="principalsQuery">SELECT Password FROM Principals WHERE PrincipalID=?</module-option>
                      <module-option name="rolesQuery">SELECT Role, RoleGroup FROM Roles WHERE PrincipalID=?</module-option>
                  </login-module>
              </authentication>
              <authorization>
                  <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
              </authorization>
          </application-policy>

       

       

      jboss-web.xml has the following text:

      <?xml version='1.0' encoding='UTF-8' ?>
      <jboss-web>
        <security-domain>java:/jaas/my-web</security-domain>
      </jboss-web>

       

      Even if I remove
             <authorization>
                <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
             </authorization>
      from login-config.xml, I get the same error.

      As per the logs, user "sidd" is getting authenticated successfully. But in the GUI I see:

      HTTP Status 403 - Access to the requested resource has been denied
      type Status report
      message Access to the requested resource has been denied
      description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

      Am I missing any flag or any configuration?
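
An added example, not part of the original post: a Python check that compares the roles the web.xml above requires with the roles that end up in the Subject's "Roles" group, which is the group JBossSX consults for declarative role checks. The function names are hypothetical, the sample rows and TRACE fragment are copied from the post, and treating an empty RoleGroup as "Roles" is an assumption about the login module's default.

```python
import re
import xml.etree.ElementTree as ET

# Group name JBossSX uses for declarative role checks (auth-constraint, isUserInRole).
AUTHZ_GROUP = "Roles"

# security-constraint from the post's web.xml, trimmed to the parts that matter here.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>WebAppUser</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# (Role, RoleGroup) rows the rolesQuery returns for "sidd", as listed in the post.
ROLE_ROWS = [("WebAppUser", "WebAppUser")]

# Principals fragment from the post's defaultLogin TRACE line.
TRACE = ("principals=org.jboss.security.SimplePrincipal@15004845(sidd)"
         "org.jboss.security.SimpleGroup@24878804(WebAppUser(members:WebAppUser))")

def required_roles(web_xml):
    """Role names listed in any auth-constraint of web.xml."""
    root = ET.fromstring(web_xml)
    path = "./security-constraint/auth-constraint/role-name"
    return {e.text.strip() for e in root.findall(path)}

def groups_from_rows(rows):
    """Group rolesQuery rows by RoleGroup; an empty RoleGroup is assumed to mean Roles."""
    groups = {}
    for role, group in rows:
        groups.setdefault(group or AUTHZ_GROUP, set()).add(role)
    return groups

def groups_from_trace(text):
    """Recover {group: members} from the SimpleGroup entries in a TRACE line."""
    found = re.findall(r"SimpleGroup@\d+\((\w+)\(members:([^)]*)\)\)", text)
    return {name: set(filter(None, members.split(","))) for name, members in found}

def missing_roles(web_xml, groups):
    """Required roles that are absent from the Roles group of the Subject."""
    return required_roles(web_xml) - groups.get(AUTHZ_GROUP, set())

if __name__ == "__main__":
    print("from rows :", missing_roles(WEB_XML, groups_from_rows(ROLE_ROWS)))
    print("from trace:", missing_roles(WEB_XML, groups_from_trace(TRACE)))
    print("corrected :", missing_roles(WEB_XML, groups_from_rows([("WebAppUser", "Roles")])))
```

With the data from the post, both the table rows and the TRACE line put WebAppUser in a group named WebAppUser, so the required role is reported as missing from "Roles"; a row whose RoleGroup is "Roles" clears the report.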