Getting 403 for secured webapp resources in JBoss 7
shaun.kalley Feb 19, 2012 3:05 PM
I've created a simple webapp to test basic database-driven security in JBoss 7 and I always get a 403 response code after going through the login.
Here's my setup; I'm currently deploying to jboss-as-web-7.0.2.Final. Any help would be greatly appreciated; thanks in advance.
Shaun
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <servlet>
    <servlet-name>test</servlet-name>
    <servlet-class>com.authtest.TestServlet</servlet-class>
    <security-role-ref>
      <role-name>red</role-name>
      <role-link>red</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>test</servlet-name>
    <url-pattern>/test/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/test/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>red</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>red</role-name>
  </security-role>
</web-app>
jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <context-root>authtest</context-root>
  <security-domain>authtestrealm</security-domain>
</jboss-web>
login.jsp:
standalone.xml:
<subsystem xmlns="urn:jboss:domain:logging:1.1">
  ...
  <logger category="org.jboss.security">
    <level name="TRACE"/>
  </logger>
  <logger category="org.jboss.as.web.security">
    <level name="TRACE"/>
  </logger>
  <logger category="org.apache.catalina">
    <level name="TRACE"/>
  </logger>
  ...
</subsystem>
<subsystem xmlns="urn:jboss:domain:datasources:1.0">
  <datasources>
    <datasource jndi-name="java:jboss/datasources/dev" pool-name="dev" enabled="true" jta="true" use-java-context="true" use-ccm="true">
      <connection-url>jdbc:oracle:thin:@localhost:1521:pod</connection-url>
      <driver>ora</driver>
      <pool>
        <prefill>false</prefill>
        <use-strict-min>false</use-strict-min>
        <flush-strategy>FailingConnectionOnly</flush-strategy>
      </pool>
      <security>
        <user-name>webapp</user-name>
        <password>c0wb0y</password>
      </security>
    </datasource>
    <drivers>
      <driver name="ora" module="oracle.jdbc">
        <xa-datasource-class>oracle.jdbc.OracleDriver</xa-datasource-class>
      </driver>
    </drivers>
  </datasources>
</subsystem>
...
<subsystem xmlns="urn:jboss:domain:security:1.0">
  <security-domains>
    <security-domain name="other" cache-type="default">
      <authentication>
        <login-module code="Disabled" flag="required"/>
      </authentication>
    </security-domain>
    <security-domain name="authtestrealm" cache-type="default">
      <authentication>
        <login-module code="Database" flag="required">
          <module-option name="dsJndiName" value="java:jboss/datasources/dev"/>
          <module-option name="principalsQuery" value="select password from principals where username = ?"/>
          <module-option name="rolesQuery" value="select role, roles from roles where username = ?"/>
          <module-option name="suspendResume" value="false"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
SQL script:
create table principals (
  username varchar2(20),
  password varchar2(20)
);
create table roles (
  username varchar2(20),
  role varchar2(20),
  roles varchar2(20)
);
insert into principals (username, password) values ('shaun', 'kalley');
insert into roles (username, role, roles) values ('shaun', 'red', 'red');
logging from initial request (brings up login form):
11:59:52,070 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /authtest/test
11:59:52,072 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[test]' against GET /test --> true
11:59:52,072 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[test]' against GET /test --> true
11:59:52,072 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Calling hasUserDataPermission()
11:59:52,072 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) User data constraint has no restrictions
11:59:52,072 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Calling authenticate()
11:59:52,078 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Save request in session '+4RNOZAXZ4TgPKiNFVGoqsPE'
11:59:52,730 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/authtest].[jsp]] (http--127.0.0.1-8080-1) Disabling the response for futher output
11:59:52,731 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/authtest].[jsp]] (http--127.0.0.1-8080-1) The Response is vehiculed using a wrapper: org.apache.catalina.connector.Response
11:59:52,736 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Failed authenticate() test
logging after login form submission:
12:00:10,657 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request POST /authtest/j_security_check
12:00:10,658 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Authenticating username 'shaun'
12:00:10,660 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Begin isValid, principal:shaun, cache entry: null
12:00:10,661 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, principal=shaun
12:00:10,662 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) Begin getAppConfigurationEntry(authtestrealm), size=2
12:00:10,666 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) End getAppConfigurationEntry(authtestrealm), authInfo=AppConfigurationEntry[]:
  [0]
  LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
  ControlFlag: LoginModuleControlFlag: required
  Options:
  name=principalsQuery, value=select password from principals where username = ?
  name=dsJndiName, value=java:jboss/datasources/dev
  name=suspendResume, value=false
  name=rolesQuery, value=select role, roles from roles where username = ?
12:00:10,670 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) initialize
12:00:10,670 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Security domain: authtestrealm
12:00:10,670 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) DatabaseServerLoginModule, dsJndiName=java:jboss/datasources/dev
12:00:10,670 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) principalsQuery=select password from principals where username = ?
12:00:10,671 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) rolesQuery=select role, roles from roles where username = ?
12:00:10,671 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) suspendResume=false
12:00:10,671 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) login
12:00:11,318 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Excuting query: select password from principals where username = ?, with username: shaun
12:00:11,660 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Obtained user password
12:00:11,664 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) User 'shaun' authenticated, loginOk=true
12:00:11,664 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) commit, loginOk=true
12:00:11,666 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) getRoleSets using rolesQuery: select role, roles from roles where username = ?, username: shaun
12:00:11,671 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Excuting query: select role, roles from roles where username = ?, with username: shaun
12:00:11,704 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Assign user to role red
12:00:11,706 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, lc=javax.security.auth.login.LoginContext@45609812, subject=Subject(2056220004).principals=org.jboss.security.SimplePrincipal@1582759704(shaun)org.jboss.security.SimpleGroup@562409739(CallerPrincipal(members:shaun))org.jboss.security.SimpleGroup@562409739(red(members:red))
12:00:11,707 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) updateCache, inputSubject=Subject(2056220004).principals=org.jboss.security.SimplePrincipal@1582759704(shaun)org.jboss.security.SimpleGroup@562409739(CallerPrincipal(members:shaun))org.jboss.security.SimpleGroup@562409739(red(members:red)), cacheSubject=Subject(91739523).principals=org.jboss.security.SimplePrincipal@1582759704(shaun)org.jboss.security.SimpleGroup@562409739(CallerPrincipal(members:shaun))org.jboss.security.SimpleGroup@562409739(red(members:red))
12:00:11,708 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@6aceb8e2
12:00:11,710 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) End isValid, true
12:00:11,710 TRACE [org.jboss.as.web.security.JBossWebRealm] (http--127.0.0.1-8080-1) User: shaun is authenticated
12:00:11,719 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Authentication of 'shaun' was successful
12:00:11,719 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Redirecting to original '/authtest/test'
12:00:11,719 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Failed authenticate() test ??/authtest/j_security_check
12:00:11,722 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /authtest/test
12:00:11,722 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[test]' against GET /test --> true
12:00:11,722 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[test]' against GET /test --> true
12:00:11,722 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Calling hasUserDataPermission()
12:00:11,723 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) User data constraint has no restrictions
12:00:11,723 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Calling authenticate()
12:00:11,723 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Restore request from session '+4RNOZAXZ4TgPKiNFVGoqsPE'
12:00:11,723 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Authenticated 'shaun' with type 'FORM'
12:00:11,724 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Proceed to restored request
12:00:11,724 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Calling accessControl()
12:00:11,724 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking roles GenericPrincipal[shaun()]
12:00:11,724 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Username shaun does NOT have role red
12:00:11,724 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) No role found: red
12:00:11,724 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Failed accessControl() test
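An added example, not part of the post and not JBoss code: a Python/sqlite3 model of what the trace above shows. DatabaseServerLoginModule treats the first column of rolesQuery as the role name and the second column as the name of the group the role is placed in (an empty or NULL second column defaults to "Roles"); the web container's realm only reads the group named "Roles" when it builds the principal it checks roles against. With the post's table the second column yields 'red', which matches the SimpleGroup(red(members:red)) in the trace and leaves GenericPrincipal[shaun()] with no web roles, hence the failed accessControl() and the 403. The schema is a constructed sqlite copy of the post's Oracle script (varchar2 becomes varchar); FIXED_ROLES_QUERY is an assumed variant that pins the group column to 'Roles' so the effect can be compared.

```python
import sqlite3

# Constructed in-memory copy of the poster's schema and test data (sqlite syntax).
SCHEMA = """
create table principals (username varchar(20), password varchar(20));
create table roles (username varchar(20), role varchar(20), roles varchar(20));
insert into principals (username, password) values ('shaun', 'kalley');
insert into roles (username, role, roles) values ('shaun', 'red', 'red');
"""

# The rolesQuery exactly as configured in the post's standalone.xml.
ORIGINAL_ROLES_QUERY = "select role, roles from roles where username = ?"
# Assumed alternative: force the second column to the group name the web realm reads.
FIXED_ROLES_QUERY = "select role, 'Roles' from roles where username = ?"


def open_db():
    """Create the constructed database in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_groups(conn, roles_query, username):
    """Mimic DatabaseServerLoginModule.getRoleSets: column 1 is the role,
    column 2 is the group that role is added to; NULL/empty defaults to 'Roles'."""
    groups = {}
    for role, group in conn.execute(roles_query, (username,)):
        group = group or "Roles"
        groups.setdefault(group, set()).add(role)
    return groups


def web_roles(groups):
    """The web container's realm only consults the 'Roles' group when it
    builds the GenericPrincipal used for security-constraint checks."""
    return set(groups.get("Roles", ()))


def is_authorized(conn, roles_query, username, required_role):
    """Equivalent of RealmBase's role check against the auth-constraint."""
    return required_role in web_roles(build_groups(conn, roles_query, username))


if __name__ == "__main__":
    db = open_db()
    for label, query in (("original", ORIGINAL_ROLES_QUERY), ("fixed", FIXED_ROLES_QUERY)):
        groups = build_groups(db, query, "shaun")
        print(label, "groups:", groups, "-> web roles:", web_roles(groups),
              "-> red allowed:", is_authorized(db, query, "shaun", "red"))
```

Running it prints the original query producing a group called "red" with an empty web-role set (authorization denied), and the pinned query producing a "Roles" group that grants red; the same correction can equally be made by storing 'Roles' in the roles.roles column instead of changing the query.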