How do I do it?
This all seems over-complicated with all kinds of weirdness.
I have
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>SecurePages</web-resource-name>
     <description>Security constraint for resources in the secure directory</description>
     <url-pattern>/*</url-pattern>
     <http-method>POST</http-method>
     <http-method>GET</http-method>
   </web-resource-collection>
   <auth-constraint>
     <description>only let the system manager login</description>
     <role-name>manager</role-name>
   </auth-constraint>
   <user-data-constraint>
     <description>SSL not required</description>
     <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
 </security-constraint>
 <login-config>
   <auth-method>FORM</auth-method>
   <realm-name>other</realm-name>
   <form-login-config>
     <form-login-page>/login.html</form-login-page>
     <form-error-page>/loginerror.html</form-error-page>
   </form-login-config>
 </login-config>
 <security-role>
   <description>The Secure ROLE</description>
   <role-name>manager</role-name>
 </security-role>
and in auth.conf (which is a TOTAL MYSTERY to me, can anyone help?):
// The default server login module
other {
    // A simple server login module, which can be used when the number
    // of users is relatively small. It uses two properties files:
    //   users.properties, which holds users (key) and their password (value).
    //   roles.properties, which holds users (key) and a comma-separated list of their roles (value).
    // The unauthenticatedIdentity property defines the name of the principal
    // that will be used when a null username and password are presented, as is
    // the case for an unauthenticated web client or MDB. If you want to
    // allow such users to be authenticated, add the property, e.g.,
    //   unauthenticatedIdentity="nobody"
    org.jboss.security.auth.spi.UsersRolesLoginModule required
        ;
};
When I access my application, it flips to the login form, but when I submit blank user name and password 3 times, it goes into the welcome page!
Also, how do I explicitly log out?
What is all this about? Where can I get some simple help on all this? It's all just gone too weird for me, a bog-standard VMS-raised bit-twiddler, to understand!