4 Replies Latest reply on Dec 20, 2001 9:42 AM by Jan Heise

    JAAS & FORM/BASIC authentication

    Robert Price Newbie

      I've tried this on the JBoss2.4.3/Jetty3.1.3-1 combo AND the JBoss2.4.3/Tomcat3.2.3 combo and get the same results, so I guess it's something to do with the setup.

      I'm trying to secure a certain url-pattern but everytime I hit that context root, it let's me in without any authentication prompts, etc.

      I've tried BASIC authentication as well as FORM-based, but neither work. Here are my configuration files - can someone tell me what is wrong?

      -------------------------------------------------------
      web.xml:
      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN' 'http://java.sun.com/j2ee/dtds/web-app_2_2.dtd'>

      <web-app>

      <servlet-name>home</servlet-name>
      <jsp-file>home.jsp</jsp-file>
      <load-on-startup>0</load-on-startup>


      <servlet-name>setup</servlet-name>
      <jsp-file>setup.jsp</jsp-file>
      <load-on-startup>0</load-on-startup>


      <servlet-name>customize</servlet-name>
      <jsp-file>customize.jsp</jsp-file>
      <load-on-startup>0</load-on-startup>


      <security-constraint>
      <web-resource-collection>
      <web-resource-name>AdminPages</web-resource-name>
      Security for iPac2.0 Administration
      <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>admin</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <security-role>
      Authorized iPac2.0 Administrators
      <role-name>admin</role-name>
      </security-role>

      <session-config>
      <session-timeout>500</session-timeout>
      </session-config>

      <welcome-file-list>
      <welcome-file>home.jsp</welcome-file>
      </welcome-file-list>

      <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
      </form-login-config>
      </login-config>
      </web-app>

      *Note: I've tried putting the standard http-methods (GET, POST, PUT, etc.) in the web-resource-collection too, but that didn't work either. I'm of the understanding that by putting NOTHING here, ALL methods are secured.(??)

      -------------------------------------------------------
      jboss-web.xml:
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
      <security-domain>java:/jaas/ipac20admin</security-domain>
      </jboss-web>

      -------------------------------------------------------
      auth.conf (in proper conf/jetty or conf/tomcat dir):
      // Put login modules providing authentication and realm mappings
      // for security domains.

      ipac20admin {
      org.jboss.security.auth.spi.DatabaseServerLoginModule required
      dsJndiName="java:/ipac_admin"
      principalsQuery="SELECT PASSKEY FROM PRINCIPALS WHERE PRINCIPALID=?"
      rolesQuery="SELECT ROLE_ID, ROLEGROUP FROM ROLES WHERE PRINCIPALID=?"
      ;
      };

      simple {
      org.jboss.security.auth.spi.SimpleServerLoginModule required;
      };

      client-login {
      org.jboss.security.ClientLoginModule required;
      };

      // The default server login module
      other {
      org.jboss.security.auth.spi.UsersRolesLoginModule required
      unauthenticatedIdentity="nobody";

      };

      -------------------------------------------------------

      Anything else anyone needs?

      If I go the login form manually and try to login, I get a /j_security_check not found error. I read somewhere that this won't work if you hit it manually.


      I really hope someone can shed some light on this because I've been staring at this problem for over 6 hours now!


        • 1. Re: JAAS & FORM/BASIC authentication
          Luke Taylor Novice

          A wild guess - you talk about "hitting that context root" which sounds like you're trying to protect the whole web application context. Remember that the url pattern is relative to your web context (a common misconception), so you are protecting

          /webappcontext/admin

          not

          /admin

          in the file you have shown. But you don't say under what context name you've deployed your app, so I can't tell for sure.

          • 2. Re: JAAS & FORM/BASIC authentication
            Robert Price Newbie

            That was exactly my problem. My context root was /admin, but I found out (through trial and error) that if I shifted it down a level, then I could secure it. So, the context is now /sa_tools/admin and /admin is secured.

            This is a newbie question but is that some standard? That you cannot secure the application context? (/sa_tools in the example above)

            • 3. Re: JAAS & FORM/BASIC authentication
              Luke Taylor Novice

              You can't refer to the context name in your web.xml file because it may change or be specified in an ear (in the application.xml file). So you only refer to it relatively.

              I've never bothered about securing the root context, and I'm not sure it would make sense because your form login page, error page and so on would go there and you have to access them without being authenticated.

              I don't know the details of what takes precedence, but check the servlet spec if you really want to know - it may be possible using a url like "/*" or something.

              • 4. Re: JAAS & FORM/BASIC authentication
                Jan Heise Newbie

                hey, i once did that. was quite funny to look at.
                the auth stuff tried to load the login-form, the
                login form was protected by security, so it tried
                to load the login-form and so on. so better not do
                it.