1 Reply Latest reply on Aug 12, 2002 10:03 AM by Mindy Pereira

    User not in required role...

    L.G. Newbie

      [ENV: jboss-3.0 , RedHat 7.3, Oracle 7.3]
      I'm trying to implement JAAS security for my application and I got 3 problems:

      Problem 1: ================================

      Error in browser: HTTP ERROR: 403 User not in required role
      Error in console:
      2002-07-27 01:15:36,818 INFO [org.jboss.jetty.Jetty] JSP: init
      2002-07-27 01:15:49,996 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] JBossUserPrincipal: fund_adv
      2002-07-27 01:15:50,007 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] created JBossUserRealm::JBossUserPrincipal: fund_adv
      2002-07-27 01:15:50,009 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticating: Name:fund_adv Password:****
      2002-07-27 01:15:50,365 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticated: fund_adv
      2002-07-27 01:15:50,368 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] setting JAAS subjectAttributeName(j_subject) : Subject:
      Principal: fund_adv
      Private Credential: javax.resource.spi.security.PasswordCredential@40000000

      2002-07-27 01:15:50,391 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticating: Name:fund_adv Password:****
      2002-07-27 01:15:50,392 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticated: fund_adv
      2002-07-27 01:15:50,395 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] JBossUserPrincipal: fund_adv is NOT in Role: Java
      2002-07-27 01:15:50,398 WARN [org.jboss.jetty.Jetty] WARNING: AUTH FAILURE: role for fund_adv
      2002-07-27 01:15:50,662 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] JBossUserPrincipal: fund_adv
      2002-07-27 01:15:50,664 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticating: Name:fund_adv Password:****
      2002-07-27 01:15:50,665 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticated: fund_adv
      2002-07-27 01:15:50,667 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] setting JAAS subjectAttributeName(j_subject) : Subject:
      Principal: fund_adv
      Private Credential: javax.resource.spi.security.PasswordCredential@40000000

      2002-07-27 01:15:50,684 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticating: Name:fund_adv Password:****
      2002-07-27 01:15:50,684 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] authenticated: fund_adv
      2002-07-27 01:15:50,685 DEBUG [org.jboss.jetty.security.JBossUserRealm#Model] JBossUserPrincipal: fund_adv is NOT in Role: Java
      2002-07-27 01:15:50,687 WARN [org.jboss.jetty.Jetty] WARNING: AUTH FAILURE: role for fund_adv
      ==================================================
      I think user in role Java - here is my web.xml:
      <!-- ### Security -->
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      Declarative security tests
      <url-pattern>/jsp/*</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Java</role-name>
      </auth-constraint>
      <user-data-constraint>
      no description
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Model</realm-name>
      <form-login-config>
      <form-login-page>Login.jsp</form-login-page>
      <form-error-page>LoginError.jsp</form-error-page>
      </form-login-config>
      </login-config>

      <security-role>
      no description
      <role-name>Java</role-name>
      </security-role>

      and table Roles:
      ---------------------------------------
      PrincipalID | Role | RoleGroup |
      ---------------------------------------
      fund_adv | Java | Roles |
      ---------------------------------------
      login-config.xml:
      <application-policy name = "OracleDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
      <module-option name = "principal">fund_adv</module-option>
      <module-option name = "userName">fund_adv</module-option>
      <module-option name = "password">********</module-option>
      <module-option name = "principalsQuery">select Password from Principals where PrincipalID=?</module-option>
      <module-option name = "rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleTST</module-option>
      </login-module>

      </application-policy>

      Problem 2: =================================================
      in my web.xml (see above) I defined
      <form-error-page>LoginError.jsp</form-error-page>
      But when I get AUTH FAILURE error it displayed in plain page, not LoginError.jsp
      Why?
      Problem 3: =================================================
      When I request http://localhost:7777/model browser open
      http://localhost:7777/model/jsp/index.jsp because this is in welcome-file-list.
      Problem is this page is supposed to be protected
      and I supposed to see Login.jsp FIRST.
      But when I request http://localhost:7777/model/index.jsp browser open Login.jsp.
      Why is this?
      =========================================================
      TIA

        • 1. Re: User not in required role...
          Mindy Pereira Newbie

          I had a similar problem, where Tomcat would show me an error 403 page for incorrect roles instead of my error page. You can override this by specifying error pages for an error code in your web.xml file like so:

          <web-app>
          <error-page>
          <error-code>403</error-code>
          /ErrorPage.jsp
          </error-page>
          .
          .
          .
          </web-app>