1 Reply Latest reply on Aug 12, 2002 10:03 AM by mindyp

    User not in required role...

    l.g.

      [ENV: jboss-3.0 , RedHat 7.3, Oracle 7.3]
      I'm trying to implement JAAS security for my application and I've got 3 problems:

      Problem 1: ================================

      Error in browser: HTTP ERROR: 403 User not in required role
      Error in console:
      2002-07-27 01:15:36,818 INFO [org.jboss.jetty.Jetty] JSP: init
      2002-07-27 01:15:49,996 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] JBossUserPrincipal: fund_adv
      2002-07-27 01:15:50,007 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] created JBossUserRealm::JBossUserPrincipal: fund_adv
      2002-07-27 01:15:50,009 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticating: Name:fund_adv Password:****
      2002-07-27 01:15:50,365 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticated: fund_adv
      2002-07-27 01:15:50,368 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] setting JAAS subjectAttributeName(j_subject) : Subject:
      Principal: fund_adv
      Private Credential: javax.resource.spi.security.PasswordCredential@40000000

      2002-07-27 01:15:50,391 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticating: Name:fund_adv Password:****
      2002-07-27 01:15:50,392 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticated: fund_adv
      2002-07-27 01:15:50,395 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] JBossUserPrincipal: fund_adv is NOT in Role: Java
      2002-07-27 01:15:50,398 WARN [org.jboss.jetty.Jetty] WARNING: AUTH FAILURE: role for fund_adv
      2002-07-27 01:15:50,662 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] JBossUserPrincipal: fund_adv
      2002-07-27 01:15:50,664 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticating: Name:fund_adv Password:****
      2002-07-27 01:15:50,665 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticated: fund_adv
      2002-07-27 01:15:50,667 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] setting JAAS subjectAttributeName(j_subject) : Subject:
      Principal: fund_adv
      Private Credential: javax.resource.spi.security.PasswordCredential@40000000

      2002-07-27 01:15:50,684 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticating: Name:fund_adv Password:****
      2002-07-27 01:15:50,684 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticated: fund_adv
      2002-07-27 01:15:50,685 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] JBossUserPrincipal: fund_adv is NOT in Role: Java
      2002-07-27 01:15:50,687 WARN [org.jboss.jetty.Jetty] WARNING: AUTH FAILURE: role for fund_adv
      ==================================================
      I think the user is in role Java - here is my web.xml:
      <!-- ### Security -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Restricted</web-resource-name>
          <description>Declarative security tests</description>
          <url-pattern>/jsp/*</url-pattern>
          <http-method>HEAD</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
          <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>Java</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>no description</description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Model</realm-name>
        <form-login-config>
          <form-login-page>Login.jsp</form-login-page>
          <form-error-page>LoginError.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <security-role>
        <description>no description</description>
        <role-name>Java</role-name>
      </security-role>

      and table Roles:
      ---------------------------------------
      PrincipalID | Role | RoleGroup |
      ---------------------------------------
      fund_adv    | Java | Roles     |
      ---------------------------------------
      login-config.xml:
      <application-policy name = "OracleDbRealm">

        <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
          <module-option name = "principal">fund_adv</module-option>
          <module-option name = "userName">fund_adv</module-option>
          <module-option name = "password">********</module-option>
          <module-option name = "principalsQuery">select Password from Principals where PrincipalID=?</module-option>
          <module-option name = "rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleTST</module-option>
        </login-module>

      </application-policy>

      Problem 2: =================================================
      In my web.xml (see above) I defined
      <form-error-page>LoginError.jsp</form-error-page>
      But when I get the AUTH FAILURE error it is displayed on a plain page, not LoginError.jsp.
      Why?
      Problem 3: =================================================
      When I request http://localhost:7777/model the browser opens
      http://localhost:7777/model/jsp/index.jsp because this is in welcome-file-list.
      The problem is that this page is supposed to be protected
      and I'm supposed to see Login.jsp FIRST.
      But when I request http://localhost:7777/model/index.jsp the browser opens Login.jsp.
      Why is this?
      =========================================================
      TIA
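      A quick way to separate "web.xml is wrong" from "the login module never loaded the roles" is to evaluate the declarative constraints offline. The script below is an added example written for this thread, not JBoss or Jetty code; it uses only the Python standard library, embeds a web.xml constructed from the post (with the optional description elements left out) and a Roles table constructed from the post, and applies the servlet specification's rules for url-pattern matching and for combining overlapping constraints. It shows that fund_adv, given the Java role from the Roles table, would pass the /jsp/* constraint, so a "NOT in Role: Java" log line points at the role-loading step in the login module rather than at web.xml (in JBoss 3.0 the principalsQuery and rolesQuery options are read by DatabaseServerLoginModule, not by ConfiguredIdentityLoginModule, whose options are principal, userName, password and managedConnectionFactoryName). It also shows two gaps a reviewer should flag: a request for "/" is not covered by /jsp/*, so a welcome file served by an internal forward is never checked against it, and any method not listed under http-method (OPTIONS, TRACE, ...) is unconstrained.

```python
"""Offline evaluator for web.xml security constraints (added example, not JBoss code)."""
import xml.etree.ElementTree as ET

# Constructed from the web.xml quoted in the post; description elements omitted.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Java</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>Java</role-name>
  </security-role>
</web-app>"""

# Constructed from the Roles table in the post: (PrincipalID, Role, RoleGroup).
ROLES_TABLE = [("fund_adv", "Java", "Roles")]


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: default (/), path prefix (/x/*), extension (*.ext), exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def user_roles(principal, table=ROLES_TABLE, role_group="Roles"):
    """Roles a database login module would assign: rows for the principal in the 'Roles' group."""
    return {role for pid, role, group in table if pid == principal and group == role_group}


def matching_constraints(root, path, method):
    """Constraints whose web-resource-collection covers this path and method.
    An empty http-method list means every method; a non-empty list covers only those named."""
    hits = []
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = [m.text.strip().upper() for m in wrc.findall("http-method")]
            if any(pattern_matches(p, path) for p in patterns) and (
                not methods or method.upper() in methods
            ):
                hits.append(sc)
                break
    return hits


def is_permitted(web_xml, path, method, roles):
    """Combine overlapping constraints as the servlet spec does:
    no auth-constraint anywhere -> unauthenticated access; an empty auth-constraint
    anywhere -> deny everyone; otherwise the union of the named roles is permitted."""
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    hits = matching_constraints(root, path, method)
    if not hits:
        return True  # uncovered path or method: the container does no role check at all
    allowed = set()
    for sc in hits:
        ac = sc.find("auth-constraint")
        if ac is None:
            return True
        names = {r.text.strip() for r in ac.findall("role-name")}
        if not names:
            return False
        allowed |= declared if "*" in names else names
    return bool(allowed & set(roles))


def undeclared_roles(web_xml):
    """Roles referenced by an auth-constraint but missing from security-role (a common typo source)."""
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    used = {r.text.strip() for r in root.findall("security-constraint/auth-constraint/role-name")}
    return used - declared - {"*"}


if __name__ == "__main__":
    roles = user_roles("fund_adv")
    print("roles from table:", roles)
    for path, method in [("/jsp/index.jsp", "GET"), ("/", "GET"), ("/jsp/index.jsp", "OPTIONS")]:
        print(path, method, "with roles ->", is_permitted(WEB_XML, path, method, roles),
              "| with no roles ->", is_permitted(WEB_XML, path, method, set()))
    print("undeclared roles:", undeclared_roles(WEB_XML))
```

      Running it for the post's configuration reports that /jsp/index.jsp GET is permitted with the table's roles and denied with none, that "/" GET is permitted even with no roles, and that OPTIONS on /jsp/index.jsp is permitted with no roles because it is not in the http-method list; dropping the http-method elements altogether is the usual fix for that last gap.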

        • 1. Re: User not in required role...
          mindyp

          I had a similar problem, where Tomcat would show me an error 403 page for incorrect roles instead of my error page. You can override this by specifying error pages for an error code in your web.xml file like so:

          <web-app>
            <error-page>
              <error-code>403</error-code>
              <location>/ErrorPage.jsp</location>
            </error-page>
            ...
          </web-app>