0 Replies Latest reply on Sep 23, 2007 12:02 PM by Toni Beckman

    Unauthenticated Principal

    Toni Beckman Novice

      Hi,

      how can I grant unauthenticated users access to parts of my webapplication? I have read that we have to use the tag <unauthenticated-principal> in order to do this. Here is my configuration, maybe somebody can help me out?

      
      ----------- important part of web.cml -------------------------
      
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Unsecure area</web-resource-name>
       <description>Unprotected Pages</description>
      
       <url-pattern>/homepage.seam</url-pattern>
       <url-pattern>/about.seam</url-pattern>
      
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       </web-resource-collection>
       <auth-constraint>
       <description>All people</description>
       <role-name>guest</role-name>
       </auth-constraint>
       </security-constraint>
      
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Secure area</web-resource-name>
       <description>Security for Protected Pages</description>
      
       <url-pattern>*.seam</url-pattern>
       <url-pattern>*.jsp</url-pattern>
      
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       </web-resource-collection>
       <auth-constraint>
       <description>All areas are restived</description>
       <role-name>Admin</role-name>
       </auth-constraint>
       </security-constraint>
      
       <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>userDatabase</realm-name>
       <form-login-config>
       <form-login-page>/login.seam</form-login-page>
       <form-error-page>/loginError.seam</form-error-page>
       </form-login-config>
       </login-config>
      
       <security-role>
       <description>The role of an adminr</description>
       <role-name>Admin</role-name>
       </security-role>
      
       <security-role>
       <description>Any body</description>
       <role-name>guest</role-name>
       </security-role>
      </web-app>
      
      ---------------------- userDatabase login config ------------------------
      
       <application-policy name="userDatabase">
       <authentication>
       <login-module
       code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag="required">
       <module-option name="unauthenticatedIdentity">guest</module-option>
       <module-option name="dsJndiName">
       java:/PostgresqlDS
       </module-option>
       <module-option name="principalsQuery">
       SELECT password FROM systemuser WHERE login=?
       </module-option>
       <module-option name="rolesQuery">
       SELECT r.rolename, r.p_group FROM systemuser as o, role as r, systemuser_role as pr WHERE o.login=pr.systemuser_login AND r.roleName = pr.roles_roleName AND o.login=?
       </module-option>
       </login-module>
      
       </authentication>
       </application-policy>
      
      -------------------------------- i also added jboss.xml to my ear archive ---
      
      
       <!DOCTYPE jboss PUBLIC
       "-//JBoss//DTD JBOSS 4.0//EN"
       "http://www.jboss.org/j2ee/dtd/jboss_4_0.dtd">
      
      <jboss>
      
       <security-domain>java:/jaas/userDatabase</security-domain>
       <unauthenticated-principal>guest</unauthenticated-principal>
      
      </jboss>
      
      
      -----------------------------------------------
      
      Unfortuantely unauthenticated people can't access "/homepage.seam" before loggin in.