1 Reply Latest reply on Jul 14, 2010 6:04 AM by tbar0711

    Multiple Roles in Web Application

    tbar0711 Newbie

      Hi,

       

      I need to know how I can configure multiple roles for my web application. I use form based authentication and JBoss 4.2.3.

      Here is what I have tried so far. But here is something wrong. People that assigned to productB or productC are not able to log in. productB-Users are only able to login if I remove the roles productA and productC within web.xml and login-config.xml. productC-Users are only able to login if I remove the roles productA and productB within web.xml and login-config.xml.

       

      For example:

      Only 3 Roles are allowed to access my application.

      Role 1 = productA

      Role 2 = productB

      Role 3 = productC

       

      The role specific views I handle within my application.

       

      The role productA has product specific access to A products.

      The role productB has product specific access to B products.

      The role productC has product specific access to C products.

       

      In web.xml within my web project I have configured the following stuff:

       

      <security-constraint>
              <display-name>Security Constraint</display-name>
              <web-resource-collection>
                    <web-resource-name>Protected Pages</web-resource-name>
                    <url-pattern>/index.html</url-pattern>
                    <url-pattern>/pages/productView.jsf</url-pattern>
                    <url-pattern>/pages/storeproduct.jsf</url-pattern>
                    <http-method>GET</http-method>
                    <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>productA</role-name>
                  <role-name>productB</role-name>

                  <role-name>productC</role-name>

              </auth-constraint>
           </security-constraint>
           <login-config>
              <auth-method>FORM</auth-method>
              <realm-name>Form-Based Authentication Area</realm-name>
              <form-login-config>
                    <form-login-page>/pages/login.html</form-login-page>
                    <form-error-page>/pages/login_error.html</form-error-page>
              </form-login-config>
          </login-config>
          <security-role>
              <description>Product A</description>
              <role-name>productA</role-name>
          </security-role>

          <security-role>
               <description>Product B</description>
               <role-name>productB</role-name>
           </security-role>

          <security-role>
               <description>Product C</description>
               <role-name>productC</role-name>
           </security-role>

       

      jboss-web.xml:

       

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
          <security-domain>java:/jaas/products</security-domain>
      </jboss-web>

       

      login-config.xml:

       

      <application-policy name="products">
              <authentication>
                  <login-module code="de.security.JNDILoginModule" flag="sufficient">
                      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                      <module-option name="java.naming.provider.url">ldap://ldap.myldapserver:123/</module-option>
                      <module-option name="java.naming.security.authentication">simple</module-option>
                      <module-option name="java.naming.security.protocol">ssl</module-option>
                      <module-option name="principalDNPrefix">cn=</module-option>
                      <module-option name="principalDNSuffix">,ou=usrs,ou=de,o=company</module-option>
                      <module-option name="rolesCtxDN">ou=a,ou=roles,o=company</module-option>
                      <module-option name="rolesCtxDN">ou=b,ou=roles,o=company</module-option>

                      <module-option name="rolesCtxDN">ou=c,ou=roles,o=company</module-option>

                      <module-option name="roleAttributeID">cn</module-option>
                      <module-option name="roleAttributeIsDN">false</module-option>
                      <module-option name="uidAttributeID">member</module-option>
                      <module-option name="matchOnUserDN">true</module-option>
                      <module-option name="allowEmptyPasswords">false</module-option>
                      <module-option name="truststore">${jboss.server.home.dir}/conf/ldap.truststore</module-option>
                      <module-option name="truststorepw">mytruststorepw</module-option>
                  </login-module>
              </authentication>
          </application-policy>

       

       

      Am I doing something wrong? Isn't it allowed to have three "rolesCtxDN" module options within login-config.xml?

       

      Thanks in advance.

       

      Regards

      Tom