5 Replies Latest reply on Oct 30, 2003 3:19 AM by Jochen Cordes

    j_security_check

    judybramlette Newbie

      Can anyone tell me how a person would go about tracking down what happens in j_security_check? I have a form jsp which requests users to logon with the following code



      In checkdocument() I have an alert to show me the values of j_username and j_password. Both of these show correctly but I never get logged into the database. It always routes me to my error login page.

      Below is the login information in my web.xml:
      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>OracleDbRealm</realm-name>
      <form-login-config>
      <form-login-page>/login/Login.jsp</form-login-page>
      <form-error-page>/login/LoginError.jsp</form-error-page>
      </form-login-config>
      </login-config>

      I am trying to connect to an Oracle 9i database. I am using JBoss 3.2. What files outside of my oracle-ds.xml and my login-config.xml files control this "black box" that I need to look at?

      Any help will be greatly appreciated.

        • 1. Re: j_security_check
          Jochen Cordes Novice

          Hi !

          Have a look at jboss-web.xml in your WEB-INF directory. There must be an entry with a matching name for the realm-name in web.xml and application-policy-name in login-config.xml. A minimal jboss-web.xml should look like this:

          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">

          <jboss-web>
          <security-domain>java:/jaas/OracleDbRealm</security-domain>

          </jboss-web>

          HTH,

          Jochen.

          • 2. Re: j_security_check
            judybramlette Newbie

            My jboss-web.xml looks correct:

            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN"
            "http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">
            <jboss-web>
            <security-domain>java:/jaas/OracleDbRealm</security-domain>
            <resource-ref>
            <res-ref-name>mail/Mail</res-ref-name>
            <res-type>javax.mail.Session</res-type>
            <jndi-type>java:/Mail</jndi-type>
            <jndi-name>Mail</jndi-name>
            </resource-ref>
            </jboss-web>

            I use to be able to connect. But I'm trying to fix an issue that we started seeing once we deployed production. For most of the application the person logged on drives how the application operates and it seems that the session variable loaded in the filter we have set up wasn't doing what we thought it was. I've now read quite a bit on this subject but I can't say that I fully understand what I've read. I did find an article on the www.luminis.nl site in their publications titled websecurity.html which spelled out a solution. I'm now trying to implement this solution but ran into this issue. As part of this trial I ended up changing our client-login module to use the JBoss ClientLoginModule versus one that was written in house. But I can't see it getting past the j_security_check.

            Let me know if I'm mistranslating something or going in the wrong direction. Any suggestions?

            Thanks.

            • 3. Re: j_security_check
              judybramlette Newbie

              I forgot to mention that I also changed my jboss configuration to match what we have in production. I went from 3.04 to 3.2.

              • 4. Re: j_security_check
                Jochen Cordes Novice

                Did you try the DatabaseServerLoginModule? There was a slight change from JBoss 3.0.x to 3.2.x. At least it works for me with Jetty (don't know why it doen't work with tomcat, though). Here's an example (for MySQL, change accordingly for your Oracle-DB):

                <application-policy name = "OracleDbRealm">

                <login-module code ="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
                <module-option name ="unauthenticatedIdentity">Anyone</module-option>
                <module-option name="dsJndiName">java:/jdbc/OracleDS</module-option>
                <module-option name="test">test</module-option>
                <module-option name="principalsQuery">SELECT password FROM user WHERE login=?</module-option>
                <module-option name="rolesQuery">SELECT role_name, role_group FROM role, user, user_role WHERE user.login=? AND
                user.id = user_role.user_id AND user_role.role_id = role.id</module-option>
                <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
                </login-module>
                <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
                </login-module>

                </application-policy>



                • 5. Re: j_security_check
                  Jochen Cordes Novice

                  I just found an article, that might be off interest for you. Here's the link http://forum.java.sun.com/thread.jsp?forum=61&thread=452691&tstart=0&trange=15

                  Bye,

                  Jochen.