7 Replies Latest reply on Mar 3, 2012 2:18 AM by Jaime Poch

    Getting 403 for secured webapp resources in JBoss 7

    Shaun Kalley Newbie

      I've created a simple webapp to test basic database-driven security in JBoss 7 and I always get a 403 response code after going through the login.

       

      Here's my set up; I'm currently deploying to jboss-as-web-7.0.2.Final.  Any help would be greatly appreciated; thanks in advance.

       

      Shaun

       

       

      web.xml:

       

      <?xml version="1.0" encoding="UTF-8"?>
      
      <web-app xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
               version="3.0">
      
          <servlet>
              <servlet-name>test</servlet-name>
              <servlet-class>com.authtest.TestServlet</servlet-class>
              <security-role-ref>
                  <role-name>red</role-name>
                  <role-link>red</role-link>
              </security-role-ref>
          </servlet>
      
          <servlet-mapping>
              <servlet-name>test</servlet-name>
              <url-pattern>/test/*</url-pattern>
          </servlet-mapping>
      
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>test</web-resource-name>
                  <url-pattern>/test/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>red</role-name>
              </auth-constraint>
          </security-constraint>
      
          <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
                  <form-login-page>/login.jsp</form-login-page>
                  <form-error-page>/loginError.jsp</form-error-page>
              </form-login-config>
          </login-config>
      
          <security-role>
              <role-name>red</role-name>
          </security-role>
      
      </web-app>
      

       

      jboss-web.xml:

       

      <?xml version="1.0" encoding="UTF-8"?>
      
      <jboss-web>
          <context-root>authtest</context-root>
          <security-domain>authtestrealm</security-domain>
      </jboss-web>
      

       

      login.jsp:

       

      Username: 
      Password: 

       

      standalone.xml:

       

              <subsystem xmlns="urn:jboss:domain:logging:1.1">
              ...
                  <logger category="org.jboss.security">
                      <level name="TRACE"/>
                  </logger>
                  <logger category="org.jboss.as.web.security">
                      <level name="TRACE"/>
                  </logger>
                  <logger category="org.apache.catalina">
                      <level name="TRACE"/>
                  </logger>
              ...
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:datasources:1.0">
                  <datasources>
                      <datasource jndi-name="java:jboss/datasources/dev" pool-name="dev" enabled="true" jta="true" use-java-context="true" use-ccm="true">
                          <connection-url>jdbc:oracle:thin:@localhost:1521:pod</connection-url>
                          <driver>ora</driver>
                          <pool>
                              <prefill>false</prefill>
                              <use-strict-min>false</use-strict-min>
                              <flush-strategy>FailingConnectionOnly</flush-strategy>
                          </pool>
                          <security>
                              <user-name>webapp</user-name>
                              <password>c0wb0y</password>
                          </security>
                      </datasource>
                      <drivers>
                          <driver name="ora" module="oracle.jdbc">
                              <xa-datasource-class>oracle.jdbc.OracleDriver</xa-datasource-class>
                          </driver>
                      </drivers>
                  </datasources>
              </subsystem>
              ...
              <subsystem xmlns="urn:jboss:domain:security:1.0">
                  <security-domains>
                      <security-domain name="other" cache-type="default">
                          <authentication>
                              <login-module code="Disabled" flag="required"/>
                          </authentication>
                      </security-domain>
                      <security-domain name="authtestrealm" cache-type="default">
                          <authentication>
                              <login-module code="Database" flag="required">
                                  <module-option name="dsJndiName" value="java:jboss/datasources/dev"/>
                                  <module-option name="principalsQuery" value="select password from principals where username = ?"/>
                                  <module-option name="rolesQuery" value="select role, roles from roles where username = ?"/>
                                  <module-option name="suspendResume" value="false"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                  </security-domains>
              </subsystem>
      

       

      SQL script:

       

      create table principals (
        username varchar2(20),
        password varchar2(20)
      );
      
      create table roles (
        username varchar2(20),
        role varchar2(20),
        roles varchar2(20)
      );
      
      insert into principals (username, password) values ('shaun', 'kalley');
      insert into roles (username, role, roles) values ('shaun', 'red', 'red');
      

       

      logging from initial request (brings up login from):

       

      11:59:52,070 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /authtest/test
      11:59:52,072 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[test]' against GET /test --> true
      11:59:52,072 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[test]' against GET /test --> true
      11:59:52,072 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling hasUserDataPermission()
      11:59:52,072 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   User data constraint has no restrictions
      11:59:52,072 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling authenticate()
      11:59:52,078 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Save request in session '+4RNOZAXZ4TgPKiNFVGoqsPE'
      11:59:52,730 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/authtest].[jsp]] (http--127.0.0.1-8080-1)  Disabling the response for futher output
      11:59:52,731 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/authtest].[jsp]] (http--127.0.0.1-8080-1)  The Response is vehiculed using a wrapper: org.apache.catalina.connector.Response
      11:59:52,736 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Failed authenticate() test
      

       

      logging after login form submission:

       

      12:00:10,657 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request POST /authtest/j_security_check
      12:00:10,658 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Authenticating username 'shaun'
      12:00:10,660 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Begin isValid, principal:shaun, cache entry: null
      12:00:10,661 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, principal=shaun
      12:00:10,662 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) Begin getAppConfigurationEntry(authtestrealm), size=2
      12:00:10,666 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) End getAppConfigurationEntry(authtestrealm), authInfo=AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:
      name=principalsQuery, value=select password from principals where username = ?
      name=dsJndiName, value=java:jboss/datasources/dev
      name=suspendResume, value=false
      name=rolesQuery, value=select role, roles from roles where username = ?
      
      
      12:00:10,670 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) initialize
      12:00:10,670 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Security domain: authtestrealm
      12:00:10,670 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) DatabaseServerLoginModule, dsJndiName=java:jboss/datasources/dev
      12:00:10,670 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) principalsQuery=select password from principals where username = ?
      12:00:10,671 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) rolesQuery=select role, roles from roles where username = ?
      12:00:10,671 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) suspendResume=false
      12:00:10,671 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) login
      12:00:11,318 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Excuting query: select password from principals where username = ?, with username: shaun
      12:00:11,660 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Obtained user password
      12:00:11,664 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) User 'shaun' authenticated, loginOk=true
      12:00:11,664 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) commit, loginOk=true
      12:00:11,666 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) getRoleSets using rolesQuery: select role, roles from roles where username = ?, username: shaun
      12:00:11,671 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Excuting query: select role, roles from roles where username = ?, with username: shaun
      12:00:11,704 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http--127.0.0.1-8080-1) Assign user to role red
      12:00:11,706 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, lc=javax.security.auth.login.LoginContext@45609812, subject=Subject(2056220004).principals=org.jboss.security.SimplePrincipal@1582759704(shaun)org.jboss.security.SimpleGroup@562409739(CallerPrincipal(members:shaun))org.jboss.security.SimpleGroup@562409739(red(members:red))
      12:00:11,707 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) updateCache, inputSubject=Subject(2056220004).principals=org.jboss.security.SimplePrincipal@1582759704(shaun)org.jboss.security.SimpleGroup@562409739(CallerPrincipal(members:shaun))org.jboss.security.SimpleGroup@562409739(red(members:red)), cacheSubject=Subject(91739523).principals=org.jboss.security.SimplePrincipal@1582759704(shaun)org.jboss.security.SimpleGroup@562409739(CallerPrincipal(members:shaun))org.jboss.security.SimpleGroup@562409739(red(members:red))
      12:00:11,708 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@6aceb8e2
      12:00:11,710 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) End isValid, true
      12:00:11,710 TRACE [org.jboss.as.web.security.JBossWebRealm] (http--127.0.0.1-8080-1) User: shaun is authenticated
      12:00:11,719 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Authentication of 'shaun' was successful
      12:00:11,719 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Redirecting to original '/authtest/test'
      12:00:11,719 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Failed authenticate() test ??/authtest/j_security_check
      12:00:11,722 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Security checking request GET /authtest/test
      12:00:11,722 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[test]' against GET /test --> true
      12:00:11,722 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking constraint 'SecurityConstraint[test]' against GET /test --> true
      12:00:11,722 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling hasUserDataPermission()
      12:00:11,723 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   User data constraint has no restrictions
      12:00:11,723 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling authenticate()
      12:00:11,723 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Restore request from session '+4RNOZAXZ4TgPKiNFVGoqsPE'
      12:00:11,723 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Authenticated 'shaun' with type 'FORM'
      12:00:11,724 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http--127.0.0.1-8080-1) Proceed to restored request
      12:00:11,724 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Calling accessControl()
      12:00:11,724 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1)   Checking roles GenericPrincipal[shaun()]
      12:00:11,724 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Username shaun does NOT have role red
      12:00:11,724 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) No role found:  red
      12:00:11,724 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1)  Failed accessControl() test