5 Replies Latest reply on Oct 30, 2003 3:19 AM by jcordes

    j_security_check

    judybramlette

      Can anyone tell me how a person would go about tracking down what happens in j_security_check? I have a form jsp which requests users to logon with the following code



      In checkdocument() I have an alert to show me the values of j_username and j_password. Both of these show correctly but I never get logged into the database. It always routes me to my error login page.

      Below is the login information in my web.xml:
      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>OracleDbRealm</realm-name>
      <form-login-config>
      <form-login-page>/login/Login.jsp</form-login-page>
      <form-error-page>/login/LoginError.jsp</form-error-page>
      </form-login-config>
      </login-config>

      I am trying to connect to an Oracle 9i database. I am using JBoss 3.2. What files outside of my oracle-ds.xml and my login-config.xml files control this "black box" that I need to look at?

      Any help will be greatly appreciated.

        • 1. Re: j_security_check
          jcordes

          Hi !

          Have a look at jboss-web.xml in your WEB-INF directory. There must be an entry with a matching name for the realm-name in web.xml and application-policy-name in login-config.xml. A minimal jboss-web.xml should look like this:

          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">

          <jboss-web>
          <security-domain>java:/jaas/OracleDbRealm</security-domain>

          </jboss-web>

          HTH,

          Jochen.

          • 2. Re: j_security_check
            judybramlette

            My jboss-web.xml looks correct:

            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN"
            "http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">
            <jboss-web>
            <security-domain>java:/jaas/OracleDbRealm</security-domain>
            <resource-ref>
            <res-ref-name>mail/Mail</res-ref-name>
            <res-type>javax.mail.Session</res-type>
            <jndi-type>java:/Mail</jndi-type>
            <jndi-name>Mail</jndi-name>
            </resource-ref>
            </jboss-web>

I used to be able to connect. But I'm trying to fix an issue that we started seeing once we deployed to production. For most of the application the person logged on drives how the application operates, and it seems that the session variable loaded in the filter we have set up wasn't doing what we thought it was. I've now read quite a bit on this subject but I can't say that I fully understand what I've read. I did find an article on the www.luminis.nl site in their publications titled websecurity.html which spelled out a solution. I'm now trying to implement this solution but ran into this issue. As part of this trial I ended up changing our client-login module to use the JBoss ClientLoginModule versus one that was written in house. But I can't see it getting past the j_security_check.

            Let me know if I'm mistranslating something or going in the wrong direction. Any suggestions?

            Thanks.

            • 3. Re: j_security_check
              judybramlette

              I forgot to mention that I also changed my jboss configuration to match what we have in production. I went from 3.04 to 3.2.

              • 4. Re: j_security_check
                jcordes

Did you try the DatabaseServerLoginModule? There was a slight change from JBoss 3.0.x to 3.2.x. At least it works for me with Jetty (don't know why it doesn't work with Tomcat, though). Here's an example (for MySQL, change accordingly for your Oracle DB):

                <application-policy name="OracleDbRealm">
                  <authentication>
                    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                      <module-option name="unauthenticatedIdentity">Anyone</module-option>
                      <module-option name="dsJndiName">java:/jdbc/OracleDS</module-option>
                      <module-option name="test">test</module-option>
                      <module-option name="principalsQuery">SELECT password FROM user WHERE login=?</module-option>
                      <module-option name="rolesQuery">SELECT role_name, role_group FROM role, user, user_role WHERE user.login=? AND user.id = user_role.user_id AND user_role.role_id = role.id</module-option>
                      <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
                    </login-module>
                    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                    </login-module>
                  </authentication>
                </application-policy>
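Replies 1 and 4 both come down to three files agreeing on one name: the realm-name in web.xml, the java:/jaas/ security-domain in jboss-web.xml, and the application-policy in login-config.xml, with the DatabaseServerLoginModule carrying its datasource and query options. The following checker is an added example written for this thread, not code from the forum or from JBoss; the three XML samples are constructed to mirror the snippets posted above.

```python
# Added example: verify that web.xml, jboss-web.xml and login-config.xml
# are wired to the same JAAS security domain (constructed samples below).
import xml.etree.ElementTree as ET

WEB_XML = """<web-app><login-config>
  <auth-method>FORM</auth-method>
  <realm-name>OracleDbRealm</realm-name>
  <form-login-config>
    <form-login-page>/login/Login.jsp</form-login-page>
    <form-error-page>/login/LoginError.jsp</form-error-page>
  </form-login-config>
</login-config></web-app>"""

JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/OracleDbRealm</security-domain>
</jboss-web>"""

LOGIN_CONFIG_XML = """<policy><application-policy name="OracleDbRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/jdbc/OracleDS</module-option>
      <module-option name="principalsQuery">SELECT password FROM user WHERE login=?</module-option>
      <module-option name="rolesQuery">SELECT role_name, role_group FROM user_role WHERE login=?</module-option>
    </login-module>
  </authentication>
</application-policy></policy>"""

JAAS_PREFIX = "java:/jaas/"
REQUIRED_DB_OPTIONS = ("dsJndiName", "principalsQuery", "rolesQuery")

def check_wiring(web_xml, jboss_web_xml, login_config_xml):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    realm = ET.fromstring(web_xml).findtext("login-config/realm-name")
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain") or ""
    if not domain.startswith(JAAS_PREFIX):
        problems.append(f"security-domain {domain!r} should start with {JAAS_PREFIX!r}")
    policy_name = domain[len(JAAS_PREFIX):] if domain.startswith(JAAS_PREFIX) else domain
    if realm != policy_name:
        problems.append(f"realm-name {realm!r} does not match security-domain policy {policy_name!r}")
    policies = {p.get("name"): p for p in ET.fromstring(login_config_xml).iter("application-policy")}
    policy = policies.get(policy_name)
    if policy is None:
        problems.append(f"no application-policy named {policy_name!r} in login-config.xml")
        return problems
    for lm in policy.iter("login-module"):  # works with or without <authentication>
        if lm.get("code", "").endswith("DatabaseServerLoginModule"):
            opts = {o.get("name") for o in lm.findall("module-option")}
            for name in REQUIRED_DB_OPTIONS:
                if name not in opts:
                    problems.append(f"DatabaseServerLoginModule lacks module-option {name!r}")
    return problems
```

A mismatch in any of the three names, or a missing query option, is reported by name, which is exactly the kind of silent misconfiguration that sends every login to form-error-page.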



                • 5. Re: j_security_check
                  jcordes

I just found an article that might be of interest for you. Here's the link: http://forum.java.sun.com/thread.jsp?forum=61&thread=452691&tstart=0&trange=15

                  Bye,

                  Jochen.