3 Replies Latest reply on Sep 17, 2002 3:09 AM by Rouiller

    JBoss/Jetty JAAS transient Roles problem

    Joel Shellman Newbie

      I've been fighting with this for hours and I'm really at the end of my rope. Please, if someone can give me a clue as to what's going on. I'm using the JBoss 2.4.3/Jetty 3.1.1 bundle, except I have dropped in the Jetty 3.1.2 jar because it fixes a different FORM-based login bug.

      The problem is transient as far as I can tell, or at least I don't know what's causing it.

      Can someone please tell me how to get form-based auth working with Jetty/JBoss? I have three sections of the site: /user, /member, and /admin.
      /user can only access /user, /member can access /user and /member, and
      admin can access any of the three. What are the entries in:
      jboss.jcml (if anything other than default)
      auth.conf
      web.xml
      jboss-web.xml
      anything else that I need to get it to work correctly and consistently? It keeps working for a little while, i.e. I can access the restricted area, and then it stops working. Sometimes it doesn't allow access to the restricted area at all to begin with; sometimes I can click once, sometimes I can click around the restricted area for a little while before it fails.

      I get:

      [Jetty] +++ JBossUserRealm.getUser, username=joel@ikestrel.com
      [Jetty] Authorizing access, username: joel@ikestrel.com
      [Jetty] User: joel@ikestrel.com is authorized

      but then I'll suddenly start getting these:

      [Jetty] +++ JBossUserRealm.getUser, username=joel@ikestrel.com
      [Jetty] Authorizing access, username: joel@ikestrel.com
      [Jetty] User: joel@ikestrel.com is NOT authorized, requiredRoles=[admin]
      [Jetty] WARNING: AUTH FAILURE: role for joel@ikestrel.com

      Why??? Here's my auth.conf:

      Allsense {
        /* A JDBC based LoginModule
           LoginModule options:
             dsJndiName: The name of the DataSource of the database containing the
                         Principals, Roles tables
             principalsQuery: The prepared statement query equivalent to:
                         "select Password from Principals where PrincipalID=?"
             rolesQuery: The prepared statement query equivalent to:
                         "select Role, RoleGroup from Roles where PrincipalID=?"
           org.jboss.security.auth.spi.DatabaseServerLoginModule required
        */
        org.ikestrel.internet.ecommerce.LoginModule required
          dsJndiName="java:/AllsenseDS"
          principalsQuery="SELECT password FROM Member WHERE userEmail=?"
          rolesQuery="SELECT userType, 'Roles' FROM Member where userEmail=?"
          ;
      };

      where org.ikestrel.internet.ecommerce.LoginModule is exactly the same
      code as the newest org.jboss.security.auth.spi.DatabaseServerLoginModule
      (it has been updated recently), though I get the exact same problems
      with org.jboss.security.auth.spi.DatabaseServerLoginModule anyway.

      web.xml:

      <web-app>
        <welcome-file-list>
          <welcome-file>index.htm</welcome-file>
        </welcome-file-list>

        <!-- ### Security -->
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>LoginArea</web-resource-name>
            <description>Users/Members only</description>
            <url-pattern>/user/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
          </web-resource-collection>
          <auth-constraint>
            <role-name>user</role-name>
            <role-name>member</role-name>
            <role-name>admin</role-name>
          </auth-constraint>
        </security-constraint>

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>MemberArea</web-resource-name>
            <description>Member Only</description>
            <url-pattern>/member/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
          </web-resource-collection>
          <auth-constraint>
            <role-name>user</role-name>
            <role-name>member</role-name>
          </auth-constraint>
        </security-constraint>

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>AdminArea</web-resource-name>
            <description>Admin Only</description>
            <url-pattern>/admin/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
          </web-resource-collection>
          <auth-constraint>
            <role-name>admin</role-name>
          </auth-constraint>
        </security-constraint>

        <login-config>
          <!--
          <auth-method>BASIC</auth-method>
          -->
          <realm-name>JAAS Common Sense Login</realm-name>
          <auth-method>FORM</auth-method>
          <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login-error.jsp</form-error-page>
          </form-login-config>
        </login-config>

        <security-role>
          <description>A user allowed to invoke access</description>
          <role-name>user</role-name>
        </security-role>
        <security-role>
          <description>A user allowed to invoke echo methods</description>
          <role-name>member</role-name>
        </security-role>
        <security-role>
          <description>A user allowed to invoke echo methods</description>
          <role-name>admin</role-name>
        </security-role>

        <session-config>
          <session-timeout>15</session-timeout> <!-- 15 minutes -->
        </session-config>
      </web-app>


      jboss-web.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
        <security-domain>java:/jaas/Allsense</security-domain>
      </jboss-web>


      jboss.jcml is the same as the default as far as JAAS is concerned. I'm using PostgreSQL (7.0.3) for the DB.
      Please, can anyone find what's wrong or point me in the right direction?

      How do I turn on appropriate debugging in JBoss that might help debug it?
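The following is an added example, not code from the post above and not JBoss or Jetty code. It models, in Python with sqlite3 standing in for the PostgreSQL DataSource, the two decisions the posted configuration chains together: what a DatabaseServerLoginModule-style login does with the posted principalsQuery/rolesQuery (rolesQuery rows are (Role, RoleGroup) pairs, and only rows whose group is 'Roles' become the caller's roles, which is why the constant 'Roles' column turns userType into the single role), and how the three `<security-constraint>` elements transcribed from the posted web.xml resolve a request, including the effect of the explicit `<http-method>` list. The Member rows, e-mail addresses and passwords are constructed sample data; the intended access matrix is taken from the post's own description of /user, /member and /admin.

```python
"""Model of the login-module + security-constraint chain from the posted config.

Added example, not code from the post or from JBoss/Jetty. sqlite3 stands in
for the PostgreSQL DataSource; all rows and addresses are constructed.
"""
import sqlite3
from collections import defaultdict

# The two queries exactly as they appear in the posted auth.conf.
PRINCIPALS_QUERY = "SELECT password FROM Member WHERE userEmail=?"
ROLES_QUERY = "SELECT userType, 'Roles' FROM Member where userEmail=?"

# Constraints transcribed from the posted web.xml: (url-pattern, methods, roles).
CONSTRAINTS = [
    ("/user/*",   {"HEAD", "GET", "POST", "PUT", "DELETE"}, {"user", "member", "admin"}),
    ("/member/*", {"HEAD", "GET", "POST", "PUT", "DELETE"}, {"user", "member"}),
    ("/admin/*",  {"HEAD", "GET", "POST", "PUT", "DELETE"}, {"admin"}),
]

# Access matrix the post describes as intended (area -> who may enter).
INTENDED = {"/user": {"user", "member", "admin"},
            "/member": {"member", "admin"},
            "/admin": {"admin"}}


def make_db():
    """Constructed Member table; one userType per account, as the rolesQuery implies."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Member (userEmail TEXT PRIMARY KEY, password TEXT, userType TEXT)")
    conn.executemany("INSERT INTO Member VALUES (?, ?, ?)", [
        ("u@example.invalid", "u-pass", "user"),     # constructed
        ("m@example.invalid", "m-pass", "member"),   # constructed
        ("a@example.invalid", "a-pass", "admin"),    # constructed
    ])
    return conn


def login(conn, email, password):
    """Two-step login as the module does it; returns the role set, or None on failure.

    The posted config selects no hashing option, so the stored value is
    compared as-is. rolesQuery rows are (Role, RoleGroup); only the 'Roles'
    group feeds isUserInRole / auth-constraint checks.
    """
    row = conn.execute(PRINCIPALS_QUERY, (email,)).fetchone()
    if row is None or row[0] != password:
        return None
    groups = defaultdict(set)
    for role, group in conn.execute(ROLES_QUERY, (email,)):
        groups[group].add(role)
    return groups.get("Roles", set())


def matching_constraint(method, path):
    """Longest-prefix url-pattern match, honoring the http-method list.

    When a web-resource-collection lists http-method elements, the constraint
    covers only those methods; a request with any other method (OPTIONS, say)
    matches no constraint and passes through unconstrained.
    """
    best = None
    for pattern, methods, roles in CONSTRAINTS:
        prefix = pattern[:-2]  # strip the trailing "/*"
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]) - 2:
                best = (pattern, methods, roles)
    if best is None or method not in best[1]:
        return None
    return best


def is_authorized(method, path, roles):
    """True if no constraint applies or the caller holds one of the required roles."""
    c = matching_constraint(method, path)
    if c is None:
        return True
    return bool(roles & c[2])


def access_matrix(conn, method="GET"):
    """Which userTypes actually get into each area under the posted constraints."""
    creds = {"user": ("u@example.invalid", "u-pass"),
             "member": ("m@example.invalid", "m-pass"),
             "admin": ("a@example.invalid", "a-pass")}
    matrix = {}
    for area in INTENDED:
        allowed = set()
        for utype, (email, pw) in creds.items():
            roles = login(conn, email, pw)
            if roles is not None and is_authorized(method, area + "/index.htm", roles):
                allowed.add(utype)
        matrix[area] = allowed
    return matrix


def differences_from_intent(conn):
    """area -> (admitted but not intended, intended but refused), only where non-empty."""
    actual = access_matrix(conn)
    out = {}
    for area in INTENDED:
        over, under = actual[area] - INTENDED[area], INTENDED[area] - actual[area]
        if over or under:
            out[area] = (over, under)
    return out


if __name__ == "__main__":
    db = make_db()
    print("actual:", access_matrix(db))
    print("differences from intent:", differences_from_intent(db))
    print("OPTIONS /admin/ unconstrained:", is_authorized("OPTIONS", "/admin/x", set()))
```

Running it against the constraints as posted shows two things worth checking before chasing the intermittent failure: the MemberArea auth-constraint lists `user` and not `admin`, so under these rules a `user` account is admitted to /member and an `admin` account is refused there, which is not the matrix the post describes; and because each collection enumerates HEAD/GET/POST/PUT/DELETE, a request with any other method to /admin/* matches no constraint and is served without a role check.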