4 Replies Latest reply on Aug 5, 2005 8:10 AM by Dominique Jean-Prost

    Migrating from Weblogic to JBoss : problem with wepapp authe

    Dominique Jean-Prost Newbie

      Hello,


      I'm currently trying to migrate a webapp from weblogic8.1 to JBoss, and I'm meeting a problem I hadn't with WLS.

      My webapp has a <security-constraint> section with <auth-constraint>. I'm using Form authentication with DB Realm. My problem is that I can log in my webapp, but I get a 403 saying I'm not allowed to access ressources.

      I checked several things :
      - I can log in, ie login/password are checked against DB, so this part works. If I give a wrong password, I get <form-error-page> page.
      - I added a piece of code in my 403.jsp. I added 3 lines :
      0. System.out.println(request.getRemoteUser()); --> return djeanprost
      1. System.out.println(request.isUserInRole("collaborateur")); where collaborateur is a group of my group table. --> Return true, which is normal to me.
      2. System.out.println(request.isUserInRole("utilisateurCollaborateur")); --> false
      utilisateurCollaborateur is a role I specified in the <auth-constraint> section in the web.xml. I also have a <security-role> section where I declare the utilisateurCollaborateur role name. In my jboss-web.xml, I have a
      <security-role>
      <role-name>utilisateurCollaborateur</role-name>
      <principal-name>collaborateur</principal-name>
      <principal-name>djeanprost</principal-name>
      </security-role>

      where I map utilisateurCollaborateur to collaborateur and djeanprost. I added the principal name djeanprost to add a test : it does not work neither.

      I conclude the mapping from utilisateurCollaborateur to collaborateur is not done.

      Where am I wrong ?

      Regards,
      Dom

        • 1. Re: Migrating from Weblogic to JBoss : problem with wepapp a
          Dominique Jean-Prost Newbie

          I precise that if in my jboss-web.xml I use a <role-name> which is not declared in a <security-role> of the web.xml, the webapp is not deployed saying there is a mistake in the jboss-web.xml, which is normal.
          So, my problem is that utilisateurCollaborateur is not mapped to the <principal-name> I provided.

          Is there a debug feature I could turn on to help me find out what's going wrong ?

          • 2. Re: Migrating from Weblogic to JBoss : problem with wepapp a
            Scott Stark Master

            the only use of principal-name in the security-role is to assign additional roles to run-as principals. Authenticated users obtain their roles from the jaas login.

            • 3. Re: Migrating from Weblogic to JBoss : problem with wepapp a
              Dominique Jean-Prost Newbie

              Hello Scott and thank you for answering,

              I think I don't understand the whole thing, though it's clear to me when I use Weblogic. Maybe you can help me to improve my undestanding of jboss, can't you ?

              What I understand :

              Application developer want to restraitn access to specific URL and so use a <security-constraint> with a <auth-constraint>. From what I understand, the <role-name> of the <auth-constraint> are "logical" roles, ie, roles that as a business sense from the application developer point of view. In my case, the logical role is "utilisateurCollaborateur". For each <role-name> you use in the <auth-constraint>, you have to add a <security-role> in you web.xml

              As the application developer is not the application deployer, there has to be a way to do the mapping that says which users have the roles the application developer need to deal with. Actually, I believe the way to do that is the use of jboss-web.xml.
              In Jboss-web.xml, for each role you mentioned in the <auth-constraint>, you have to the mapping "role-name" <--> "principal-name", where principal-name is the name of a user or a group you can find in you security realm. You can have several realm users/groups that builds a single role. That allows to avoid spreading application specific groups in the realm that exists anyway. As the realm is managed elsewhere and in it users may belong to specific group (I don't say role here), the whole thing has sense to me, and that's what I understand from the jboss documentation that I read carefully. This allow the application developer to use request.isUserInRole too, using <security-role>, instead of real groups of the db.

              If it's not the way it works, can you tell me where I'm wrong ?

              I'm looking forward to your answer.
              Dom

              "scott.stark@jboss.org" wrote:
              the only use of principal-name in the security-role is to assign additional roles to run-as principals. Authenticated users obtain their roles from the jaas login.


              • 4. Re: Migrating from Weblogic to JBoss : problem with wepapp a
                Dominique Jean-Prost Newbie

                After many research, I think the answer is here :
                http://wiki.jboss.org/wiki/Wiki.jsp?page=PortingFromWeblogic

                For weblogic users :
                There is a important difference between jboss and weblogic for webapp (and I suppose for EJB too) :

                In weblogic : you can map a role to realm groups/users using the weblogic.xml. You can have user "joe" and group "users" that build a single role "theRole" you referenced in your web.xml. This way allows to avoid having "applications" group to be spread in the realm.

                In Jboss : the role-name you provide in your web.xml must be the group name you have in your realm (I don't think this word is useable in a jboss world). At the moment, I don't really understand what jboss-web.xml is aimed at concerning these features.

                To my mind, it's a little limitation jboss developer could look at.

                I hope this post will help former weblogic users

                Dom