13 Replies Latest reply on Apr 3, 2002 1:25 PM by Kevin Seal

    Unable to get j_security_check to work...!

    Kevin Seal Newbie

      Hi - I've been having real trouble getting form-based authentication to work on JBoss 2.4.4.
      I'm trying to restrict access to two folders (called user and admin respectively). When the user is unauthorised I get the login form page displayed. However, regardless of the username/password I am able to access the restricted areas!
      I've written a very simply login JSP (posting to j_security_check) and specified the two protected resources in web.xml (eg):

       <security-constraint>
       <web-resource-collection>
       <web-resource-name>adminPages</web-resource-name>
       <description>Pages visible only to administrators</description>
       <url-pattern>/admin/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
       <role-name>Administrator</role-name>
       </auth-constraint>
       </security-constraint>
      
       <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>Default</realm-name>
       <form-login-config>
       <form-login-page>/util/login.jsp</form-login-page>
       <form-error-page>/util/login-error.jsp</form-error-page>
       </form-login-config>
       </login-config>
      
      
       <security-role>
       <role-name>User</role-name>
       </security-role>
      
       <security-role>
       <role-name>Administrator</role-name>
       </security-role>
      


      I've checked auth.conf in the "catalina" config directory of JBoss and removed the simple authentication module but that's had no effect.
      I intend to store user information in an entity bean eventually but there doesn't seem to be a convenient way to tie this into form-based authentication (!).

      Can anyone point me in the right direction here?
      Many thanks.

        • 1. Re: Unable to get j_security_check to work...!
          Luke Taylor Novice

          Hi,

          Your web.xml looks OK.

          You need to give more information on what else you've tried... have you traced the execution through the server logs for instance?

          You say you've checked the auth.conf, but you don't say exactly what you've got in there. What authentication modules are you using?

          Luke.

          • 2. Re: Unable to get j_security_check to work...!
            Wellie Chao Newbie

            In your jboss-web.xml file, make sure you have an entry like so:

            <security-domain>java:/jaas/{XXX}</security-domain>

            The {XXX} should be the name of the authentication method specified in the JBoss auth.conf file.

            • 3. Re: Unable to get j_security_check to work...!
              Kevin Seal Newbie

              Thanks for your replies guys.
              I've not traced the execution through the server logs (indeed, I'm so new to JBoss that I wouldn't know where to start with that either!!).
              I have tried removing all the authentication methods in auth.conf except the one that uses users.properties and roles.properties (presumably these should be in the configuration directory or somewhere on the classpath).
              Initially I thought the behaviour I was seeing was due to the "simple" authentication method which accepts anyone and gives them the "user" role (which coincides with a role that I'm using) but it turns out that is not the case since they can also access pages restricted to the "Administrator" role.

              I'll try the <security-domain> suggestion sometime.

              If I wanted to store the usernames/passwords in an Entity bean, how would I go about integrating that with form-based authentication?

              Thanks again.

              • 4. Re: Unable to get j_security_check to work...!
                Wellie Chao Newbie

                You'd want to use the DatabaseServerLoginModule like so:

                dbAuthMethod {
                org.jboss.security.auth.spi.DatabaseServerLoginModule required
                dsJndiName="java:/MyDataSource"
                principalsQuery="select password from user_tbl where username = ?"
                rolesQuery="select user_role, 'Roles' from user_tbl where username = ?"
                unauthenticatedIdentity=guest
                ;
                };

                That is if you have one table (i.e. only one role per user). If you have two tables (one for users, one for roles), you'll want to modify the rolesQuery setting.

                • 5. Re: Unable to get j_security_check to work...!
                  Wellie Chao Newbie

                  You'll also need to make changes to the web.xml descriptor:

                  <login-config>
                  <auth-method>FORM</auth-method>
                  <form-login-config>
                  <form-login-page>/security/login.do</form-login-page>
                  <form-error-page>/security/loginError.do</form-error-page>
                  </form-login-config>
                  </login-config>

                  You can change the page settings as necessary. I'm assuming you already have the security-constraint blocks set up.

                  • 6. Re: Unable to get j_security_check to work...!
                    Kevin Seal Newbie

                    Is that really the only way to get JBoss to validate a username/password and load the roles associated with a user?
                    For a start it assumes that the table format is known; with CMP that's quite a stretch! Surely you should be able to instruct the server whether a username/password is valid and specify the roles programmatically? Obviously EJB2.0 goes someway to fixing this but it still doesn't permit you to store the passwords encrypted and it requires that your username provides the foreign key.
                    Any ideas how to go about writing your own login module?

                    • 7. Re: Unable to get j_security_check to work...!
                      Kevin Seal Newbie

                      Aargh - It's still not working! I've tried the security-domain in just about every XML file I can find and still no joy.
                      If anyone's got any clue as to how/whether this should work then I'd really appreciate the help.

                      my auth.conf:

                      OhComeOn
                      {
                       org.jboss.security.auth.spi.UsersRolesLoginModule required;
                      };
                      


                      my web.xml:
                      <?xml version="1.0" encoding="UTF-8"?>
                      
                      <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>
                      
                      <web-app>
                      
                       <display-name>Recipe Book WAR</display-name>
                       <description>Recipe Book Web Application</description>
                      
                       <error-page>
                       <exception-type>java.lang.Exception</exception-type>
                       <location>/util/error.jsp</location>
                       </error-page>
                      
                       <security-constraint>
                       <web-resource-collection>
                       <web-resource-name>userPages</web-resource-name>
                       <description>Pages visible only to known users</description>
                       <url-pattern>/user/*</url-pattern>
                       <http-method>GET</http-method>
                       <http-method>POST</http-method>
                       </web-resource-collection>
                       <auth-constraint>
                       <role-name>User</role-name>
                       </auth-constraint>
                       </security-constraint>
                      
                       <security-constraint>
                       <web-resource-collection>
                       <web-resource-name>adminPages</web-resource-name>
                       <description>Pages visible only to administrators</description>
                       <url-pattern>/admin/*</url-pattern>
                       <http-method>GET</http-method>
                       <http-method>POST</http-method>
                       </web-resource-collection>
                       <auth-constraint>
                       <role-name>Administrator</role-name>
                       </auth-constraint>
                       </security-constraint>
                      
                       <login-config>
                       <auth-method>FORM</auth-method>
                       <realm-name>Default</realm-name>
                       <form-login-config>
                       <form-login-page>/util/login.jsp</form-login-page>
                       <form-error-page>/util/login-error.jsp</form-error-page>
                       </form-login-config>
                       </login-config>
                      
                       <security-role>
                       <role-name>User</role-name>
                       </security-role>
                      
                       <security-role>
                       <role-name>Administrator</role-name>
                       </security-role>
                      
                      </web-app>
                      


                      and finally my jboss-web.xml:
                      <?xml version="1.0" encoding="UTF-8"?>
                      
                      <jboss>
                       <security-domain>java:/jaas/OhComeOn</security-domain>
                      </jboss>
                      


                      • 8. Re: Unable to get j_security_check to work...!
                        Luke Taylor Novice

                        > Is that really the only way to get JBoss to validate a
                        > username/password and load the roles associated with a user?

                        No it's not... ignore the stuff about using the database - stick with the users and roles files until you get that working.


                        > For a start it assumes that the table format is known; with CMP that's quite a stretch!

                        It has nothing to do with CMP - the security information is stored in separate tables and has nothing to do with entity beans.

                        >Surely you should be able to instruct the server whether a username/password is valid and specify the roles
                        > programmatically?

                        The security information - user names, passwords and roles has to be stored somewhere, unless you're using one of the login modules which lets you log in as anything. I would recommend you start with the UsersRolesLoginModule and use the properties files.

                        > Obviously EJB2.0 goes someway to fixing this but it still
                        > doesn't permit you to store the passwords encrypted and
                        > it requires that your username provides the foreign key.

                        See above. It has nothing to do with EJB. The supplied login modules have support for hashed passwords, so you don't have to store them in plain text.

                        > Any ideas how to go about writing your own login module?
                        Yes, but get a grip of how the existing ones work first before you try anything too drastic :).

                        I'd recommend you buy the pay-for e-docs or the JBoss 2.x book which is pretty comprehensive and will clear up a lot of this stuff for you.

                        Luke.


                        • 9. Re: Unable to get j_security_check to work...!
                          Luke Taylor Novice

                          > Aargh - It's still not working!

                          Unless you expand on this and give us some server output, stack traces or whatever, you won't get a solution.

                          In what way isn't it working, and what is in the server log when you attempt to do something that "isn't working".

                          Luke.

                          • 10. Re: Unable to get j_security_check to work...!
                            Kevin Seal Newbie

                            Sorry - the whole Entity security thing was a side issue.

                            I have restricted access to two directories (as described in web.xml above) and when I attempt to access either of these (eg, localhost:8080/admin) it sends me to the login page. However, regardless of the username/password entered I am allowed to view the pages in all directories once "authenticated".

                            I've got nothing in server.log relating to JAAS. No exceptions are being thrown during startup or whilst trying to access the web application. The server seems to think that everything's peachy.
                            This makes me think that it's probably due to web.xml not correctly specifying how to protect the pages (eg, "check /admin/* for Administrator role but don't require it).
                            I would still expect to get some sort of exception thrown by JBoss when users.properties and roles.properties are not present, though.

                            It's a real mystery.

                            • 11. Re: Unable to get j_security_check to work...!
                              Kevin Seal Newbie

                              The only thing I can find that looks like it might be related is NullSecurityManager which would give the behaviour I'm seeing. Indeed, the log indicates that it's being used by Catalina.

                              [11:49:27,450,EmbeddedCatalinaServiceSX] Binding security/securityMgr to NullSecurityManager
                              

                              I can't find any reference to it in any configuration files, though, and can't find a suitable replacement in the API docs in any case.

                              • 12. Re: Unable to get j_security_check to work...!
                                Luke Taylor Novice

                                > The only thing I can find that looks like it might be related is NullSecurityManager which would give the behaviour I'm seeing.

                                If in doubt give *more* information - give the whole log output for the deployment of your web app. Otherwise trying to work out what's happening is like pulling teeth.

                                > Indeed, the log indicates that it's being used by Catalina.


                                >[11:49:27,450,EmbeddedCatalinaServiceSX] Binding
                                > security/securityMgr to NullSecurityManager

                                Yes, this will give the behaviour you're seeing. It most likely indicates that either you don't have a security-domain declaration in your jboss-web.xml file, or that you don't have the file at all (or it's in the wrong place). Where are you putting the jboss-web.xml file?

                                Luke.

                                • 13. Re: Unable to get j_security_check to work...!
                                  Kevin Seal Newbie

                                  Yeah, you're right, the problem is jboss-web.xml I'd made the mistake of having as the document element rather than <jboss-web> (amongst all the other mistakes I'd made during this thread). It's working fine now!
                                  Many thanks for all your help and perseverance.

                                  If I have a User Entity Bean which has fields for username and password, there seems little point in duplicating this information in properties files or exposing the database tables. Is it straightforward to write a login module to provide programmatic access to these data?

                                  Thanks once again.