6 Replies Latest reply on Jul 5, 2002 2:24 PM by agaona

    Security Questions

    drakmir

      I have some security questions -

I posted these to the mailing list but haven't received an answer yet, so I figured I'd try the forums as well.

      Q1:
      If I log into a web application, with FORM based authentication, and then go to another context, should I have to log in again?

      I'd like to be able to deploy a bunch of WARS, and have any of them be able to authenticate for that session. Then have all the applications logged in. Does this require anything special to be setup in web.xml?

      (Servlet Specification Section 11.6 seems to indicate that the authentication is relevant to a container, not an application)

Thanks for anyone's help in this regard,

      Q2:
      Okay, I am trying to write a very small application that tests logging into a web page using form based security and the database class.

      The security context seems to work, as I get a login page. However, no matter what I enter, I am allowed in.

      Here are the relevant pieces of code, as far as I can tell:

      --------------------------------------------------------------------------------------------

      My WAR file's structure looks like this:

      \index.jsp
      \login.jsp
      \loginerror.jsp
      \WEB-INF\web.xml

      --------------------------------------------------------------------------------------------
      My WEB.XML contains:

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>DG</web-resource-name>
<description>Security Constraint</description>
      <url-pattern>/index.jsp</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
      </web-resource-collection>

      <auth-constraint>
      <role-name>DG</role-name>
      </auth-constraint>
      </security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<realm-name>DG</realm-name>
<!-- Why does this have to be here? According to the spec, realm-name is only
for BASIC authentication, but jboss throws up without it. -->
<form-login-config>
<form-login-page>login.jsp</form-login-page>
<form-error-page>loginerror.jsp</form-error-page>
</form-login-config>
</login-config>

      <security-role>
      <role-name>DG</role-name>
      </security-role>

      -------------------------------------------------------------------------------------------

      My login-config.xml reads:

      <!-- The XML based JAAS login configuration read by the
      org.jboss.security.auth.login.XMLLoginConfig mbean. Add
      an application-policy element for each security domain.

      The outline of the application-policy is:
      <application-policy name="security-domain-name">

      <login-module code="login.module1.class.name" flag="control_flag">
      <module-option name = "option1-name">option1-value</module-option>
      <module-option name = "option2-name">option2-value</module-option>
      ...
      </login-module>

      <login-module code="login.module2.class.name" flag="control_flag">
      ...
      </login-module>
      ...

      </application-policy>

      $Revision: 1.1.2.1 $
      -->


      <!-- Used by clients within the application server VM such as
      mbeans and servlets that access EJBs.
      -->
      <application-policy name = "client-login">

      <login-module code = "org.jboss.security.ClientLoginModule"
      flag = "required">
      </login-module>

      </application-policy>

      <!-- Security domain for JBossMQ -->
      <application-policy name = "jbossmq">

      <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
      </login-module>

      </application-policy>

      <!-- Security domains for testing new jca framework -->
      <application-policy name = "HsqlDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sa</module-option>
      <module-option name = "userName">sa</module-option>
      <module-option name = "password"></module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=hsqldbDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "FirebirdDBRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sysdba</module-option>
      <module-option name = "userName">sysdba</module-option>
      <module-option name = "password">masterkey</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "JmsXARealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">guest</module-option>
      <module-option name = "userName">guest</module-option>
      <module-option name = "password">guest</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=jmsra</module-option>
      </login-module>

      </application-policy>

      <!-- The default login configuration used by any security domain that
      does not have a application-policy entry with a matching name
      -->
      <application-policy name = "other">
      <!-- A simple server login module, which can be used when the number
      of users is relatively small. It uses two properties files:
      users.properties, which holds users (key) and their password (value).
      roles.properties, which holds users (key) and a comma-separated list of
      their roles (value).
      The unauthenticatedIdentity property defines the name of the principal
      that will be used when a null username and password are presented as is
the case for an unauthenticated web client or MDB. If you want to
      allow such users to be authenticated add the property, e.g.,
      unauthenticatedIdentity="nobody"
      -->

      <!--login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" /-->
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <module-option name="principalsQuery">select user_password from users where user_email = ?</module-option>
      <module-option name="rolesQuery">
      SELECT ROLE_NAME, 'Roles'
      FROM
      ROLES r,
      USERS u,
      USER_ROLES ur,
      DERIVED_ROLES_ROLES drr
      WHERE
      u.user_email = ? AND
      u.user_id = ur.user_id AND
      ur.role_id = drr.role_id_source AND
      r.role_id = drr.role_id_destination
      </module-option>
      </login-module>

      </application-policy>



      -------------------------------------------------------------------------------------------------------------------

      My server.log shows this when I tried logging in using the following info:
      username = blah
      password = thisshouldntwork

      2002-06-26 10:03:59,210 INFO [org.jboss.jetty.Jetty] JSP: init
      2002-06-26 10:04:04,717 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] JBossUserPrincipal: blah
      2002-06-26 10:04:04,727 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] created JBossUserRealm::JBossUserPrincipal: blah
      2002-06-26 10:04:04,727 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] authenticating: Name:blah Password:****
      2002-06-26 10:04:04,727 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] authenticated: blah
      2002-06-26 10:04:04,727 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] setting JAAS subjectAttributeName(j_subject) : null
      2002-06-26 10:04:04,747 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] authenticating: Name:blah Password:****
      2002-06-26 10:04:04,747 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] authenticated: blah
      2002-06-26 10:04:04,747 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] JBossUserPrincipal: blah is in Role: DG
      2002-06-26 10:04:05,879 INFO [org.jboss.jetty.Jetty] JSP: init

      The user blah doesn't exist in the database.

      --------------------------------------------------------------------------------------------------------------------

      Any other info I'll be happy to provide. I'm very confused as to why this isn't working, and have spent about 2 days on it so far.

      Thanks!

      Alan

        • 1. Re: Security Questions
          drakmir

          Is anyone out there able to help me with what is wrong with my configuration?

          I've tried reading the getting started manual, I have the JBoss 2.4.5 hard print manual, and I'm still very lost as to why this isn't working.

          Thanks to anyone that can help,

          Al

          • 2. Re: Security Questions

            Hi Alan,

Did you ever sort this out? I am having exactly the same problem and, from the documentation available (free and paid), came up with pretty much the same configuration.

            Has anybody got this working?

            Richard

            • 3. Re: Security Questions
              dgood

              Alan,

              for an answer to Q1, see:
http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/

Can't help with Q2, sorry.

              David

              • 4. Re: Security Questions

                Alan,

                Got Q2 working by adding the following "jboss-web.xml" file to WEB-INF directory.

                <jboss-web>
                <security-domain>java:/jaas/testDomain</security-domain>
                </jboss-web>

and adding the following to the login-config.xml file

                <application-policy name = "testDomain">

                <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
                <module-option name = "dsJndiName">java:/OracleDS</module-option>
                <module-option name = "principalsQuery">select passwd from jboss_users where userid = ?</module-option>
                <module-option name = "rolesQuery">select role, rolegroup from jboss_roles where userid = ?</module-option>
                </login-module>

                </application-policy>


                Slight problem with roles now but leave that for another day!

                Hope this helps

                Richard

                • 5. Re: Security Questions
                  drakmir

Very good. I'll check on that with my applications and see if I can get Q2 working here! :) Thanks a lot!

                  As for Q1, that would work if I was using Tomcat. I'm using the normal distribution with Jetty however...

                  :(

                  Maybe as a side effect of Q2, it will start working. We'll see! ;)

                  Alan

                  • 6. Re: Security Questions
                    agaona

I did SUCCESSFULLY operate security using your hint. I made some changes to the suggested queries, since I prefer a many-to-many relationship between users and roles instead of the suggested one-to-many. I had a little problem with the roles, but it was not difficult to solve it having a look into the source code (http://www.thecortex.net/clover/eg/jboss/report/org/jboss/security/auth/spi/DatabaseServerLoginModule.html). To avoid bothering you with the details, I changed the second query to 'select role, null from jboss_roles where userid = ?'. This got the security working ON CATALINA. Hope Drakmir has the same results under Jetty.

                    Regards
                    Alberto
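The two queries Richard posted (reply 4) and Alberto's NULL-group variant (reply 6) only make sense once you know what a database login module does with their result sets. The following is an added example, not code from this thread or from JBoss: a small Python simulation of the DatabaseServerLoginModule contract against an in-memory SQLite database. It assumes a constructed jboss_users/jboss_roles schema shaped to match Richard's queries, and it encodes the behaviour the module is known for: principalsQuery must return the stored password (no row means unknown user and the login fails), and each rolesQuery row is (role, group) with a NULL or empty group defaulting to the "Roles" group the container consults for <auth-constraint>. The sample user and password are constructed; the "blah" / "thisshouldntwork" pair is the one from Alan's server.log.

```python
"""Simulation of how a JAAS database login module consumes principalsQuery and rolesQuery.

Added example, NOT JBoss code. It mimics the DatabaseServerLoginModule behaviour
discussed in the thread using SQLite and a constructed schema matching Richard's queries.
"""
import hmac
import sqlite3

# Constructed sample data (not from the thread): one known user "alan" in role DG,
# plus a CallerPrincipal row, which JBoss uses for the caller identity, not for roles.
SCHEMA = """
CREATE TABLE jboss_users (userid TEXT PRIMARY KEY, passwd TEXT NOT NULL);
CREATE TABLE jboss_roles (userid TEXT NOT NULL, role TEXT NOT NULL, rolegroup TEXT);
INSERT INTO jboss_users VALUES ('alan', 'correct-horse');
INSERT INTO jboss_roles VALUES ('alan', 'DG', 'Roles');
INSERT INTO jboss_roles VALUES ('alan', 'alan', 'CallerPrincipal');
"""

# Richard's queries from reply 4, and Alberto's NULL-group variant from reply 6.
PRINCIPALS_QUERY = "select passwd from jboss_users where userid = ?"
ROLES_QUERY = "select role, rolegroup from jboss_roles where userid = ?"
ROLES_QUERY_NULL_GROUP = "select role, null from jboss_roles where userid = ?"


def make_db():
    """Build the in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login(conn, username, password,
          principals_query=PRINCIPALS_QUERY, roles_query=ROLES_QUERY):
    """Return {group: set(roles)} on success, or None when the login must fail.

    Two-step contract: principalsQuery yields the stored password for the user
    (no row -> unknown user -> fail; mismatch -> fail), then rolesQuery yields
    (role, group) rows, with a NULL/empty group defaulting to "Roles".
    """
    rows = conn.execute(principals_query, (username,)).fetchall()
    if not rows:
        # The path Alan expected for "blah": a user absent from the table
        # must never be authenticated. Parameter binding keeps the userid
        # from being interpreted as SQL.
        return None
    stored = rows[0][0]
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    groups = {}
    for role, group in conn.execute(roles_query, (username,)):
        group = group or "Roles"
        groups.setdefault(group, set()).add(role)
    return groups


def has_role(conn, username, password, role, **query_overrides):
    """Authorization check the container performs for an <auth-constraint> role."""
    groups = login(conn, username, password, **query_overrides)
    return groups is not None and role in groups.get("Roles", set())


if __name__ == "__main__":
    db = make_db()
    print(login(db, "blah", "thisshouldntwork"))       # None: unknown user rejected
    print(has_role(db, "alan", "correct-horse", "DG"))  # True
```

Two things worth noticing when running it. First, the simulation only models what happens once the login module is actually invoked; the symptom in Alan's log (any password accepted) came from the WAR not being bound to a security domain at all, which is what Richard's jboss-web.xml fixes, and no query change would have cured that. Second, Alberto's NULL-group shortcut folds every row into the "Roles" group, so a CallerPrincipal row (or any other group) silently becomes a role; keeping a real rolegroup column avoids that.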