3 Replies Latest reply on Apr 18, 2002 2:50 AM by Jim Barber

    FORM based login half works with JBoss-2.4.4 and Embedded To

    Jim Barber Newbie

      We have a couple of webapps that use FORM based authentication, running on a Tomcat server.
      We are about to write a new application and wish to use EJBs.
      Because of this we want to migrate to using JBoss with an embedded Catalina server.

      I am working on migrating the existing WAR files across to JBoss.
      I downloaded the JBoss-2.4.4_Tomcat-4.0.1 bundle.
      I have managed to get the applications to authenticate correctly against an Oracle database.
      i.e. Invalid users are denied access and valid users are allowed in.
      A valid session is assigned and the JSESSIONID cookie is created.

      Using the HttpServletRequest object within a servlet, calls to the getAuthType() and getRemoteUser() methods return null.
      When running on a standalone Tomcat server the method calls return FORM, and the username logged in respectively.

      I am not sure if I have missed a step during configuration, or if there is a bug.

      I have also tried replacing the embedded Tomcat-4.0.1 with Tomcat-4.0.3 but the result is the same.

      In order to get as far as I have, I have made the following changes to the configuration files and war files.

      1. $JBOSS_DIST/conf/catalina/auth.conf

      I have added the following entry:

      webapp-info {
          org.jboss.security.auth.spi.DatabaseServerLoginModule required
          principalsQuery="select user_pass from tomcat_users where user_name=?"
          rolesQuery="select role_name,'Roles' from tomcat_user_roles where user_name=?"
          // hashAlgorithm="MD5"
          ;
      };

      2. $JBOSS_DIST/conf/catalina/jboss.jcml

      I have the following entries (I've changed hostname, database name, username, and password fields):


      <!-- Oracle8i driver. -->


      3. $JBOSS_DIST/conf/catalina/standardjaws.xml

      I have commented out the datasource and added our Oracle one as follows:

      <!-- java:/DefaultDS -->
      <!-- <type-mapping>Hypersonic SQL</type-mapping> -->
      <!-- false -->


      4. $JBOSS_DIST/conf/catalina/standardjboss.xml

      I have added the following entry:


      5. I copied the Oracle JDBC class file into the $JBOSS_DIST/lib/ext/ directory.

      6. To each of my WAR files, I have added a jboss-web.xml file to the WEB-INF/ directory.

      The contents of the jboss-web.xml file follows:

      <?xml version="1.0" encoding="UTF-8"?>


      Any help would be appreciated.

      Jim Barber <jim.barber-st@db.com>

        • 1. Re: FORM based login half works with JBoss-2.4.4 and Embedde
          Nikunj Mehta Newbie

          When I configured the JBoss server, as you mention, JBoss brings up the login form, but does not actually authenticate. Is there any additional configuration in terms of the security domain for the EmbeddedCatalina?

          I have noted that JBoss prints the following DEBUG message
          [DEBUG,EmbeddedCatalinaServiceSX] Binding security/securityMgr to NullSecurityManager

          Does this mean that behind the scenes, JBoss is not doing any authentication?

          • 2. Re: FORM based login half works with JBoss-2.4.4 and Embedde
            Jim Barber Newbie


            I also had this same problem until I installed the jboss-web.xml file in the WEB-INF directory of my war file.
            After that, the Binding to NullSecurityManager message was replaced by:

            [DEBUG,EmbeddedCatalinaServiceSX] Linking security/securityMgr to JNDI name: java:/jaas/webapp-info

            I hope that helps.

            • 3. Re: FORM based login half works with JBoss-2.4.4 and Embedde
              Jim Barber Newbie

              I have the solution to my problem.
              Hopefully this helps others.

              I found references to other people having problems similar to mine.
              It would appear that the HttpServletRequest.getRemoteUser() and HttpServletRequest.getAuthType() methods will return null in a non-secured area of a web-app, and valid values within secured areas.

              Within my web.xml file I had the <security-role-ref> tag on my servlets so they should be secure.
              I also had security constraints on my HTML, JSPs, etc using <url-pattern>/html/*</url-pattern>.

              What I missed was to add <url-pattern>/servlet/*</url-pattern> to my security-constraints.
              Even though the servlets had a <security-role-ref> tag, they still needed their URLs to be secured.
              Once this was done, the HttpServletRequest method calls no longer return null.