User not in required role...
l.g. Jul 26, 2002 5:44 PM
[ENV: jboss-3.0, RedHat 7.3, Oracle 7.3]
I'm trying to implement JAAS security for my application and I got 3 problems:
Problem 1: ================================
Error in browser: HTTP ERROR: 403 User not in required role
Error in console:
2002-07-27 01:15:36,818 INFO [org.jboss.jetty.Jetty] JSP: init
2002-07-27 01:15:49,996 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] JBossUserPrincipal: fund_adv
2002-07-27 01:15:50,007 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] created JBossUserRealm::JBossUserPrincipal: fund_adv
2002-07-27 01:15:50,009 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticating: Name:fund_adv Password:****
2002-07-27 01:15:50,365 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticated: fund_adv
2002-07-27 01:15:50,368 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] setting JAAS subjectAttributeName(j_subject) : Subject:
Principal: fund_adv
Private Credential: javax.resource.spi.security.PasswordCredential@40000000
2002-07-27 01:15:50,391 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticating: Name:fund_adv Password:****
2002-07-27 01:15:50,392 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticated: fund_adv
2002-07-27 01:15:50,395 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] JBossUserPrincipal: fund_adv is NOT in Role: Java
2002-07-27 01:15:50,398 WARN [org.jboss.jetty.Jetty] WARNING: AUTH FAILURE: role for fund_adv
2002-07-27 01:15:50,662 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] JBossUserPrincipal: fund_adv
2002-07-27 01:15:50,664 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticating: Name:fund_adv Password:****
2002-07-27 01:15:50,665 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticated: fund_adv
2002-07-27 01:15:50,667 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] setting JAAS subjectAttributeName(j_subject) : Subject:
Principal: fund_adv
Private Credential: javax.resource.spi.security.PasswordCredential@40000000
2002-07-27 01:15:50,684 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticating: Name:fund_adv Password:****
2002-07-27 01:15:50,684 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticated: fund_adv
2002-07-27 01:15:50,685 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] JBossUserPrincipal: fund_adv is NOT in Role: Java
2002-07-27 01:15:50,687 WARN [org.jboss.jetty.Jetty] WARNING: AUTH FAILURE: role for fund_adv
==================================================
I think the user is in role Java - here is my web.xml:
<!-- ### Security -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted</web-resource-name>
    <description>Declarative security tests</description>
    <url-pattern>/jsp/*</url-pattern>
    <http-method>HEAD</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Java</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Model</realm-name>
  <form-login-config>
    <form-login-page>Login.jsp</form-login-page>
    <form-error-page>LoginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>no description</description>
  <role-name>Java</role-name>
</security-role>
and table Roles:
---------------------------------------
PrincipalID | Role | RoleGroup |
---------------------------------------
fund_adv | Java | Roles |
---------------------------------------
login-config.xml:
<application-policy name = "OracleDbRealm">
  <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
    <module-option name = "principal">fund_adv</module-option>
    <module-option name = "userName">fund_adv</module-option>
    <module-option name = "password">********</module-option>
    <module-option name = "principalsQuery">select Password from Principals where PrincipalID=?</module-option>
    <module-option name = "rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
    <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleTST</module-option>
  </login-module>
</application-policy>
Problem 2: =================================================
In my web.xml (see above) I defined
<form-error-page>LoginError.jsp</form-error-page>
But when I get the AUTH FAILURE error, it is displayed in a plain page, not LoginError.jsp.
Why?
Problem 3: =================================================
When I request http://localhost:7777/model the browser opens
http://localhost:7777/model/jsp/index.jsp because this is in the welcome-file-list.
The problem is this page is supposed to be protected
and I am supposed to see Login.jsp FIRST.
But when I request http://localhost:7777/model/index.jsp the browser opens Login.jsp.
Why is this?
=========================================================
TIA
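
The console log in the post records a successful password check followed by a failed role check for the same user, so the 403 is an authorization outcome, not an authentication one. The following is an added example, not part of the original post: it parses lines in that log format (the sample lines are copied from the post; `triage` and the verdict strings are names assumed for this example) and reports per user which stage failed.

```python
import re
from collections import defaultdict

# Sample input: four console lines copied from the post above.
_REALM_LOGGER = "[org.jboss.jetty.security.JBossUserRealm#Model]"
SAMPLE_LOG = "\n".join([
    f"2002-07-27 01:15:50,009 DEBUG {_REALM_LOGGER} authenticating: Name:fund_adv Password:****",
    f"2002-07-27 01:15:50,365 DEBUG {_REALM_LOGGER} authenticated: fund_adv",
    f"2002-07-27 01:15:50,395 DEBUG {_REALM_LOGGER} JBossUserPrincipal: fund_adv is NOT in Role: Java",
    "2002-07-27 01:15:50,398 WARN [org.jboss.jetty.Jetty] WARNING: AUTH FAILURE: role for fund_adv",
])

# date, time, level, [logger], message
LINE = re.compile(r"^\S+ \S+ (?P<level>\w+)\s+\[(?P<logger>[^\]]+)\] (?P<msg>.*)$")
AUTH_OK = re.compile(r"^authenticated: (?P<user>\S+)$")
ROLE_DENY = re.compile(r"^JBossUserPrincipal: (?P<user>\S+) is NOT in Role: (?P<role>\S+)$")

def _verdict(entry):
    if entry["denied_roles"] and entry["authenticated"]:
        return "authenticated, role check failed"
    if entry["denied_roles"]:
        return "role check failed, no authentication event seen"
    return "authenticated, no role denial"

def triage(log_text):
    """Return {user: {realm, authenticated, denied_roles, verdict}}."""
    users = defaultdict(lambda: {"realm": None, "authenticated": 0, "denied_roles": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines such as "Principal: ..." carry no event
        ok, deny = AUTH_OK.match(m["msg"]), ROLE_DENY.match(m["msg"])
        hit = ok or deny
        if not hit:
            continue
        entry = users[hit["user"]]
        if "#" in m["logger"]:
            # the realm name is the suffix of the JBossUserRealm logger
            entry["realm"] = m["logger"].split("#", 1)[1]
        if ok:
            entry["authenticated"] += 1
        else:
            entry["denied_roles"].add(deny["role"])
    for entry in users.values():
        entry["verdict"] = _verdict(entry)
    return dict(users)

if __name__ == "__main__":
    for user, info in triage(SAMPLE_LOG).items():
        print(user, info["realm"], sorted(info["denied_roles"]), info["verdict"])
```

A verdict of "authenticated, role check failed" points the investigation at the roles returned for the principal in that realm, not at the password check.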