0 Replies Latest reply on Feb 8, 2002 10:31 AM by mlipper

    Catalina/JBoss Realm configuration

    mlipper

      Hmmm, I posted this to the Security forum and got no reply so I'll give it another go.

      OK -

      I must be missing something obvious (and/or doing something really bone-headed). I have set up and successfully deployed my app in JBoss-2.4.4_Tomcat-4.0.1.
      My web context is deployed in Catalina using FORM based authentication and I am using the JBoss DatabaseServerLoginModule to authenticate all users. This works fine and when I request a protected web resource, Catalina behaves as expected by collecting and authenticating my form data. However, when I try to reference the current request's security info

      Principal principal = ((HttpServletRequest)request).getUserPrincipal();

      the references are all null. I'm guessing that either I have not configured things correctly or that in order to work directly with Catalina container security (Realms?!) I have to get a proper reference like so:

      // Create the initial context
      Context ctx = new InitialContext();

      // Look up an object
      JaasSecurityManager securityManager = (JaasSecurityManager)ctx.lookup("java:/jaas/dclLogin");

      I guess what I'm asking here is what is the proper way to configure/deploy my web apps so that the standard role info is available for programmatic inspection and manipulation? Selected portions of my conf files are as follows:

      //auth.conf (Shown in full)
      dclLogin {
        org.jboss.security.auth.spi.DatabaseServerLoginModule required
          dsJndiName="java:/PostgresDS"
          principalsQuery="select password from customer where username=?"
          rolesQuery="SELECT p.permission_type, p.role_group FROM login_account l, permission_type p WHERE p.permission_type = l.permission_type AND l.username=?"
          unauthenticatedIdentity=nobody
        ;
      };

      //jboss-web.xml
      <jboss-web>
        <security-domain>java:/jaas/dclLogin</security-domain>

        <ejb-ref>
          <ejb-ref-name>ejb/SecuredEJB</ejb-ref-name>
          <jndi-name>dcl/PublicSession</jndi-name>
        </ejb-ref>
        <ejb-ref>
          <ejb-ref-name>ejb/PrivateEJB</ejb-ref-name>
          <jndi-name>dcl/PrivateSession</jndi-name>
        </ejb-ref>

      </jboss-web>

      //web.xml
      <!-- ### Security -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Restricted</web-resource-name>
          <description>Security test</description>
          <url-pattern>/admin/*</url-pattern>
          <http-method>HEAD</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
          <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>SUPER_USER</role-name>
          <role-name>RESOURCE_OWNER</role-name>
          <role-name>RESOURCE_ADMIN</role-name>
          <role-name>RESOURCE_CUSTOMER</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>no description</description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <security-role>
        <description>Golden God!</description>
        <role-name>SUPER_USER</role-name>
      </security-role>

      <security-role>
        <description>Context Owner</description>
        <role-name>RESOURCE_OWNER</role-name>
      </security-role>

      <security-role>
        <description>Context Admin</description>
        <role-name>RESOURCE_ADMIN</role-name>
      </security-role>

      <security-role>
        <description>End User</description>
        <role-name>RESOURCE_CUSTOMER</role-name>
      </security-role>

      I haven't altered Catalina's server.xml and Catalina's JDBC realm works fine when I deploy a stand-alone Web container.

      Any help or advice is greatly appreciated!

      Thanks,

      Matt
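Added example, not part of the original post or of JBoss: a small stand-alone check that the JAAS application policy named by the `<security-domain>` (`java:/jaas/dclLogin` maps to the `dclLogin` entry in auth.conf) actually parses, using the JDK's own `javax.security.auth.login.Configuration`. It assumes the posted auth.conf is saved as `auth.conf` in the working directory (or passed as the first argument) and is written for a current JDK.

```java
import java.io.File;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Verifies that the JAAS entry referenced by a JBoss security-domain
// (java:/jaas/<name>) exists in auth.conf, and lists the login modules,
// control flags and options that entry will run. Hypothetical helper,
// not JBoss code; assumes auth.conf in the working directory by default.
public class CheckLoginConfig {

    // Maps "java:/jaas/dclLogin" to the auth.conf entry name "dclLogin".
    static String entryNameFor(String securityDomain) {
        return securityDomain.substring(securityDomain.lastIndexOf('/') + 1);
    }

    public static void main(String[] args) throws Exception {
        File conf = new File(args.length > 0 ? args[0] : "auth.conf");
        if (!conf.isFile()) {
            System.err.println("login config not found: " + conf.getAbsolutePath());
            System.exit(2);
        }
        // Point the JDK's default JAAS Configuration at the posted file.
        System.setProperty("java.security.auth.login.config", conf.getAbsolutePath());

        String domain = "java:/jaas/dclLogin";   // value of <security-domain> in jboss-web.xml
        String name = entryNameFor(domain);
        AppConfigurationEntry[] entries =
            Configuration.getConfiguration().getAppConfigurationEntry(name);
        if (entries == null || entries.length == 0) {
            // A missing entry is the first thing to rule out when principals come back null.
            System.err.println("no JAAS entry '" + name + "' found in " + conf);
            System.exit(1);
        }
        for (AppConfigurationEntry e : entries) {
            System.out.println(e.getLoginModuleName() + " " + e.getControlFlag());
            for (Map.Entry<String, ?> opt : e.getOptions().entrySet()) {
                // These options are only JNDI names and SQL; do not log credentials here.
                System.out.println("  " + opt.getKey() + " = " + opt.getValue());
            }
        }
    }
}
```

A non-zero exit means the security-domain points at an entry the JAAS parser cannot find or cannot parse, which is worth checking before looking at the Catalina side.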