5 Replies Latest reply on Nov 13, 2001 9:29 PM by Allen Fogleson

    JBoss Form-based Login Question

    charles Newbie

      hi all
      i wrote some servlets and html pages and packaged it into a WAR file with web.xml according to Servlet specification 2.2. In web.xml i put the following entries for achieving security (Form based)

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      secure directory
      <url-pattern>/secure/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
      </web-resource-collection>

      <auth-constraint>
      only let the system user login
      <role-name>admin</role-name>
      </auth-constraint>

      <user-data-constraint>
      SSL not required
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>

      </security-constraint>


      <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
      <form-login-page>/LoginForm.html</form-login-page>
      <form-error-page>/LoginError.html</form-error-page>
      </form-login-config>
      </login-config>


      <security-role>
      The Secure ROLE
      <role-name>admin</role-name>
      </security-role>

      and in the custom login Form, i gave



      Username:
      Password:







      We are seing the loging form upon accessing the servlet from http://localhost:8080/secure/; But the submit button results in error 404 Not found path/ j_security_check. We are using JBoss-2.4.1_Jetty-3.1.RC9-1 devlopment environment under windows98.

      We woul like to know two things:
      where to define the username/password and groups for authorization.
      Any other jboss specific xml file included in the .war file.

      thanks & Regards.

        • 1. Re: JBoss Form-based Login Question
          Allen Leung Newbie

          I use FORM authentication in jboss-tomcat, it is fine, I can give you my config as follow(hope that it is similar):

          You need to specify the security-domain in a file jboss-web.xml under the web-inf folder of your war file, something as follows:

          <?xml version="1.0" encoding="UTF-8"?>

          <jboss-web>
          <security-domain>java:/jaas/example1</security-domain>
          </jboss-web>

          Where the security-domain "java:/jaas/example1" is defined in auto.conf file(under <jboss-jetty home>/conf) as follows:

          example1 {
          // A properties file LoginModule that supports CallerPrincipal mapping
          org.jboss.security.auth.spi.UsersRolesLoginModule required
          ;
          };

          Then you need to specify the user names on file users.properties and map the role name of the user on file roles.properties(in your example, it should map to role "admin"). Both these two files should be on the top directory of your war file.

          You can read http://www.jboss.org/documentation/HTML/ch13s70.html
          for details.

          • 2. Re: JBoss Form-based Login Question
            Joel Shellman Newbie

            You might want to upgrade to a newer version of Jetty. I don't remember which version, but the j_security_check 404 bug was fixed recently. Try upgrading and see if that fixes your problem.

            • 3. Re: JBoss Form-based Login Question
              Steve Liu Newbie

              You'd better place user and role informations in database, flexible than properties files.

              • 4. Re: JBoss Form-based Login Question
                Oliver Newbie

                > You'd better place user and role informations in
                > database, flexible than properties files.


                But how can I do it?

                • 5. Re: JBoss Form-based Login Question
                  Allen Fogleson Newbie

                  you can set up a database login module fairly easily. make a table for the roles, and one for users/passwords. In my case the users table is multi purposed, but it has a username and password field. (you can call them whatever you want.)

                  they are your basic varchar(64) fields.

                  the roles table is a bit more complex... it has 3 fields (this is not the "complex" part) they are...

                  USERNAME
                  ROLE
                  ROLEGROUP

                  Again they are varchar(64) fields...

                  now the data in the user table is obvious. (lets assume you named the fields username and password.... if not later when we do auth.conf change the names there)

                  in the role table you will have minimally 2 rows per user...

                  so for my user (foglesa) they will look like this...

                  username role Rolegroup
                  foglesa someRole Roles
                  foglesa Caller_foglesa Caller_Principal

                  You can have multiple roles simply by adding more entries with different 'role' in rolegoup Roles.

                  Now add a configuration to auth.conf like this...

                  datalogin {
                  org.jboss.security.auth.spi.DatabaseServerLoginModule required
                  dsJndiName="java:/someDS"
                  principalsQuery="select Password from users where userName=?"
                  rolesQuery="select Role, RoleGroup from Roles where userName=?" ;
                  };


                  now in a jboss.xml or jboss-web.xml you can denote security by adding the line

                  <security-domain>java:/jaas/datalogin</security-domain>

                  Easy maintenance.

                  Al

                  P.s. this is all covered quite well in the docs. search on JAAS on the documents page and you should come up with it quite fast (i forget the url right offhand.)