2 Replies Latest reply: Jun 22, 2012 2:15 AM by ionutvaidianu RSS

    JAAS Login issue

    ionutvaidianu Newbie

      Hello,

       

      I'm quite new to JBoss AS, so please bare with me and any help is appreciated.

       

      Here is my problem: I have a RichFaces web application and I want to restrict access to most of the pages. As far as I have found so far the best way (opened for suggetions and debate here) to secure content is at container level by defining a security domain and a module that will authorize the users so they can be able to access secured pages.

       

      I have done all the configuration, the pages are protected, but even from a user that authenticates. In other words event after authentication I get redirected to the login page and cannot access any of the protected pages. I get no error / message in the server console (The log level for CONSOLE is on DEBUG).

       

      Is it a known issue, is there a WA for it or am I doing something wrong?

       

      Thanks!

       

      Here is the setup:

      JBoss AS 7.1.1 Final, standalone configuration.

       

      The security domain (the associated datasource is functional because at some point I got wrong password in the server console):

       

                      <security-domain name="SecuredRealm">

                          <authentication>

                              <login-module code="Database" flag="required">

                                  <module-option name="dsJndiName" value="java:jboss/datasources/securityDS"/>

                                  <module-option name="principalsQuery" value="select passwd from Users where username=?"/>

                                  <module-option name="rolesQuery" value="select userRoles,'Roles' from UserRoles where username=?"/>

                                  <module-option name="hashAlgorithm" value="MD5"/>

                                  <module-option name="hashEncoding" value="base64"/>

                                  <module-option name="unauthenticatedIdentity" value="guest"/>

                                  <module-option name="maxInvalidLoginAttempts" value="5"/>

                              </login-module>

                          </authentication>

                      </security-domain>

       

      jboss-web.xml

       

      <?xml version="1.0" encoding="UTF-8"?>

      <jboss-web>

          <security-domain>java:/jaas/SecuredRealm</security-domain>

      </jboss-web>

       

      web.xml

       


      <security-constraint>


      <web-resource-collection>



      <web-resource-name>SecuredRealm</web-resource-name>



      <url-pattern>/*</url-pattern>



      <http-method>GET</http-method>



      <http-method>POST</http-method>


      </web-resource-collection>


      <auth-constraint>



      <role-name>*</role-name>


      </auth-constraint>

       



      <!-- <user-data-constraint> -->


      <!-- <transport-guarantee>CONFIDENTIAL</transport-guarantee> -->


      <!-- </user-data-constraint> -->

      </security-constraint>

       

       


      <security-constraint>


      <web-resource-collection>



      <web-resource-name>Unprotected area</web-resource-name>



      <url-pattern>/resources/*</url-pattern>


      </web-resource-collection>

      </security-constraint>

       

       


      <login-config>


      <auth-method>FORM</auth-method>


      <realm-name>SecuredRealm</realm-name>


      <form-login-config>



      <form-login-page>/jasl.jsf</form-login-page>



      <form-error-page>/jasl.jsf</form-error-page>


      </form-login-config>

      </login-config>

      <security-role>


      <role-name>admin</role-name>

      </security-role>

      <security-role>


      <role-name>normal</role-name>

      </security-role>