Security Questions
drakmir Jun 27, 2002 3:47 PM
I have some security questions -
I posted these to the mailing list, I haven't received an answer yet, so I figured I'd try the forums as well.
Q1:
If I log into a web application, with FORM based authentication, and then go to another context, should I have to log in again?
I'd like to be able to deploy a bunch of WARS, and have any of them be able to authenticate for that session. Then have all the applications logged in. Does this require anything special to be setup in web.xml?
(Servlet Specification Section 11.6 seems to indicate that the authentication is relevant to a container, not an application)
Thanks for anyone's help in this regard.
Q2:
Okay, I am trying to write a very small application that tests logging into a web page using form based security and the database class.
The security context seems to work, as I get a login page. However, no matter what I enter, I am allowed in.
Here are the relevant pieces of code, as far as I can tell:
--------------------------------------------------------------------------------------------
My WAR file's structure looks like this:
\index.jsp
\login.jsp
\loginerror.jsp
\WEB-INF\web.xml
--------------------------------------------------------------------------------------------
My WEB.XML contains:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>DG</web-resource-name>
    <description>Security Constraint</description>
    <url-pattern>/index.jsp</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>DG</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>DG</realm-name>
  <form-login-config>
    <form-login-page>login.jsp</form-login-page>
    <form-error-page>loginerror.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>DG</role-name>
</security-role>
(About the realm-name element: why does this have to be here? According to the spec, realm-name is only for BASIC authentication, but JBoss throws up without it.)
-------------------------------------------------------------------------------------------
My login-config.xml reads:
<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.
The outline of the application-policy is:
<application-policy name="security-domain-name">
<login-module code="login.module1.class.name" flag="control_flag">
<module-option name = "option1-name">option1-value</module-option>
<module-option name = "option2-name">option2-value</module-option>
...
</login-module>
<login-module code="login.module2.class.name" flag="control_flag">
...
</login-module>
...
</application-policy>
$Revision: 1.1.2.1 $
-->
<!-- Used by clients within the application server VM such as
mbeans and servlets that access EJBs.
-->
<application-policy name = "client-login">
<login-module code = "org.jboss.security.ClientLoginModule"
flag = "required">
</login-module>
</application-policy>
<!-- Security domain for JBossMQ -->
<application-policy name = "jbossmq">
<login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
</login-module>
</application-policy>
<!-- Security domains for testing new jca framework -->
<application-policy name = "HsqlDbRealm">
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sa</module-option>
<module-option name = "userName">sa</module-option>
<module-option name = "password"></module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=hsqldbDS</module-option>
</login-module>
</application-policy>
<application-policy name = "FirebirdDBRealm">
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sysdba</module-option>
<module-option name = "userName">sysdba</module-option>
<module-option name = "password">masterkey</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
</login-module>
</application-policy>
<application-policy name = "JmsXARealm">
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">guest</module-option>
<module-option name = "userName">guest</module-option>
<module-option name = "password">guest</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=jmsra</module-option>
</login-module>
</application-policy>
<!-- The default login configuration used by any security domain that
does not have an application-policy entry with a matching name
-->
<application-policy name = "other">
<!-- A simple server login module, which can be used when the number
of users is relatively small. It uses two properties files:
users.properties, which holds users (key) and their password (value).
roles.properties, which holds users (key) and a comma-separated list of
their roles (value).
The unauthenticatedIdentity property defines the name of the principal
that will be used when a null username and password are presented as is
the case for an unauthenticated web client or MDB. If you want to
allow such users to be authenticated add the property, e.g.,
unauthenticatedIdentity="nobody"
-->
<!--login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" /-->
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName">java:/DefaultDS</module-option>
<module-option name="principalsQuery">select user_password from users where user_email = ?</module-option>
<module-option name="rolesQuery">
SELECT ROLE_NAME, 'Roles'
FROM
ROLES r,
USERS u,
USER_ROLES ur,
DERIVED_ROLES_ROLES drr
WHERE
u.user_email = ? AND
u.user_id = ur.user_id AND
ur.role_id = drr.role_id_source AND
r.role_id = drr.role_id_destination
</module-option>
</login-module>
</application-policy>
-------------------------------------------------------------------------------------------------------------------
My server.log shows this when I tried logging in using the following info:
username = blah
password = thisshouldntwork
2002-06-26 10:03:59,210 INFO [org.jboss.jetty.Jetty] JSP: init
2002-06-26 10:04:04,717 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] JBossUserPrincipal: blah
2002-06-26 10:04:04,727 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] created JBossUserRealm::JBossUserPrincipal: blah
2002-06-26 10:04:04,727 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] authenticating: Name:blah Password:****
2002-06-26 10:04:04,727 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] authenticated: blah
2002-06-26 10:04:04,727 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] setting JAAS subjectAttributeName(j_subject) : null
2002-06-26 10:04:04,747 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] authenticating: Name:blah Password:****
2002-06-26 10:04:04,747 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] authenticated: blah
2002-06-26 10:04:04,747 DEBUG [org.jboss.jetty.security.JBossUserRealm#dg] JBossUserPrincipal: blah is in Role: DG
2002-06-26 10:04:05,879 INFO [org.jboss.jetty.Jetty] JSP: init
The user blah doesn't exist in the database.
--------------------------------------------------------------------------------------------------------------------
Any other info I'll be happy to provide. I'm very confused as to why this isn't working, and have spent about 2 days on it so far.
Thanks!
Alan
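To make the DatabaseServerLoginModule options in the posted login-config.xml concrete, here is an added Python emulation (example code, not JBoss or the poster's code) that runs the exact principalsQuery and rolesQuery from the post against a constructed in-memory SQLite schema and fails closed when principalsQuery returns no row. The table and column layout is assumed from the queries; the sample users and roles are constructed.

```python
import hmac
import sqlite3

# Queries copied from the posted login-config.xml (DatabaseServerLoginModule options).
PRINCIPALS_QUERY = "select user_password from users where user_email = ?"
ROLES_QUERY = """
SELECT ROLE_NAME, 'Roles'
FROM ROLES r, USERS u, USER_ROLES ur, DERIVED_ROLES_ROLES drr
WHERE u.user_email = ? AND u.user_id = ur.user_id
  AND ur.role_id = drr.role_id_source AND r.role_id = drr.role_id_destination
"""

# Constructed sample schema and data; column names are assumed from the queries above.
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_email TEXT, user_password TEXT);
CREATE TABLE roles (role_id INTEGER PRIMARY KEY, role_name TEXT);
CREATE TABLE user_roles (user_id INTEGER, role_id INTEGER);
CREATE TABLE derived_roles_roles (role_id_source INTEGER, role_id_destination INTEGER);
INSERT INTO users VALUES (1, 'alan@example.com', 'secret');
INSERT INTO roles VALUES (10, 'DG'), (11, 'Staff');
INSERT INTO user_roles VALUES (1, 10);
-- DG derives itself plus Staff (constructed derived-role mapping)
INSERT INTO derived_roles_roles VALUES (10, 10), (10, 11);
"""


def open_sample_db():
    """Build the constructed in-memory database the queries run against."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def authenticate(conn, email, password):
    """Emulate a fail-closed login module.

    Returns the sorted list of roles in the 'Roles' group on success, or None
    when the user is unknown (no password row) or the password does not match.
    """
    row = conn.execute(PRINCIPALS_QUERY, (email,)).fetchone()
    if row is None:
        return None  # unknown user: no stored password, refuse rather than accept
    stored = row[0] or ""
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    rows = conn.execute(ROLES_QUERY, (email,)).fetchall()
    return sorted({name for name, group in rows if group == "Roles"})
```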