This is works for jboss-3.1.0alpha, I think it should work for jboss-3.0.0.
Don't replace the files, just copy and paste relevent info
Sorry, forgot to attach file.
LG, thanks much for your help,
actually your example didn't work for me in jboss 3.0.0 (maybe they fixed something between 3.0.0 and 3.1.0, I will keep it in mind and will try it when I'm ready to migrate to 3.1.0).
But I did get my code to work.
I don't know why, but it only works for me if I include two (!!!) security realm in login-config.xml with different names, one that is DatabaseServerLoginModule, the other one is ConfiguredIdentityLoginModule pointing to the same datasource as the first one. And in mysql-service.xml the SecurityDomainJndiName points to the ConfiguredIdentityLoginModule realm name.
It works, I don't know why, may be somebody can explain to me why it works only like this but not the other way. For those who is courious I'm attaching files with my config example.
Can someone tell me how i can use security with a java client. (not web) I have a client which uses ejb's. I want to use security. Does anyone has a example for jboss 3.0.1
I think that DataBaseServerLoginModule should use for logon AUTH from login.jsp 's FORM .
but ConfiguredIdentiryLoginModule is gateway or tools to login into the Oracle DataBase by
Both will work well together.
you can test that if you can login system when you disable the "ConfiguredIdentiryLoginModule".
I think you can't , because AT FIRST the loginner's userId and password is got from oracle Database through the "ConfiguredIdentiryLoginModule".
Sorry, I can't be sure I'm right,just......
Hmmm... I'm getting CRC errors when I try to extract the files from your attached zip file (myexample.zip). Would you consider re-zipping it and posting again?
Thanks in advance!
I just checked the original zip file -- works fine (i tried it extracting with 'jar xvf' as well), try redownloading it.
Any way, here is the same thing in gzipped tar: use tar zxvf to extract it.
To go back to the original conceptual question:
DatabaseServerLoginModule is used by your application to decide if you should be able to use the app and which roles you have.
ConfiguredIdentityLoginModule is used by the datasource you configured to supply the username and password for the database connections.
There is little difference in functionality between using a ConfiguredIdentityLoginModule or directly configuring the username and password in the datasource configuration: both ways always use the same user/pw combination. The ConfiguredIdentityLoginModule hides the password in a slightly more secure place. The main possible advantage of using the ConfiguredIdentityLoginModule is that it provides an easy way to switch to a different login module for your datasource should that become appropriate. For instance, you can use the CallerIdentityLoginModule so users are logged in to the database as who they logged into the app as.
When using the DatabaseServerLoginModule, do you have to implement a CallbackHandler and so on in a login servlet, to login or the DatabaseServerLoginModule checks credentials for you? and for a login.jsp, you just need to configure the xml files?
I have had many problems with the security configuration using the DataBaseServerLoginModule.
Finally, with the help of several mails in this list, I have succeded with the configuration in Jboss 3.0.6.
I thanks to people contributing to this topic: I have made my configuration following your indications. I have configurated only a DataBaseServerLoginModule; the ConfiguredIdentiyLoginModule was not necessary.
These are the important points of my security login configuration for Jboss 3.0.6 using a Postgresql datasource:
1- The datasource is configurated in the file postgres-service.xml of the directory /usr/local/jboss-3.0.6/server/default/deploy:
<config-property name="ConnectionURL" type="java.lang.String">jdbc:postgresql://joropo.cincosoft.com.co:5432/prueba</config-property>
<config-property name="DriverClass" type="java.lang.String">org.postgresql.Driver</config-property>
<!--set these only if you want only default logins, not through JAAS -->
<config-property name="UserName" type="java.lang.String">postgres</config-property>
<config-property name="Password" type="java.lang.String">postgres</config-property>
2- In the Postgresql database, I created and filled the tables:
CREATE TABLE Principals (PrincipalID VARCHAR(64) PRIMARY KEY, Password VARCHAR(64));
CREATE TABLE Roles (PrincipalID VARCHAR(64),Role VARCHAR(64), RoleGroup VARCHAR(64));
3- The DataBaseServerLoginModule is configurated in file login-config.xml of the directory /usr/local/jboss-3.0.6/server/default/conf :
<application-policy name = "example">
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "dsJndiName">java:/PostgresDS</module-option>
<module-option name = "principal">postgres</module-option>
<module-option name = "principalsQuery">select Password from principals where PrincipalID=?</module-option>
<module-option name = "rolesQuery">select Role, RoleGroup from roles where PrincipalID=?</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=PostgresDS</module-option>
<module-option name = "unauthenticatedIdentity">scott</module-option> -->
4 - The jboss-web.xml use "example" security domain :
<?xml version="1.0" encoding="UTF-8"?>
I hope this helps
Maria Consuelo Franky
You can think of the entities who use your app's services as one group that is authenticated through their user IDs and role IDs; it is that group whose auth needs are served by the DatabaseServerLoginModule, and therefore belong to an authentication domain "A". At the same time, the DatabaseServerLoginModule itself needs to authenticate itself to the DBMS by means of a (user ID, password) pair; it belongs to an authentication domain "B", and its auth needs are served by a ConfiguredIdentityLoginModule. Both A and B need to authenticate themselves to that which they access (the app for A, the DBMS for B), hence the need for both to be present.
The SecurityDomainJndiName in mysql-service.xml refers to the ConfiguredIdentityLoginModule realm, because the MySQL service belongs to domain B, not A. Similarly, the security domain specified in the app's jboss-web.xml refers to
A, not B, because entities accessing the app belong to domain A.
It seems to me that one could have both A and B's auth needs served by a single DatabaseServerLoginModule, but so far, I haven't been able to make such a config work.