11 Replies Latest reply on Apr 8, 2003 5:35 PM by alan l batongbacal

    DataBaseServerLoginModule & ConfiguredIdentiryLoginModule

    Dmitry Newbie

      It seems that there are two different things in jboss3 that can go to login-config.xml:
      DataBaseServerLoginModule and ConfiguredIdentiryLoginModule.

      Halph of the examples on this forum refer to the one, the other halp referes to the other. I've also seen people stating that you must have both of these things in your login-config.xml file to make authentication work.

      Can someone explain how these two relate to each other and how to use them to configyre the authentication. The sugestions like "read the manual first" will not be considered. The reason for this post is that after all the suffering of reading the manual and going through different messages on this forum still can't get it to work.

      May be it's too much to ask people to provide step by step direction on how to set up authentication in jboss3.0.0, in this case it should not be much of a problem to post following files here:


      and I can take it from there.

      Thanks a lot to those who's willing to help.

        • 1. Re: DataBaseServerLoginModule & ConfiguredIdentiryLoginModul
          L.G. Newbie


          "L.G." wrote:
          This is works for jboss-3.1.0alpha, I think it should work for jboss-3.0.0.
          Don't replace the files, just copy and paste relevent info

          • 3. Re: DataBaseServerLoginModule & ConfiguredIdentiryLoginModul
            Dmitry Newbie

            LG, thanks much for your help,

            actually your example didn't work for me in jboss 3.0.0 (maybe they fixed something between 3.0.0 and 3.1.0, I will keep it in mind and will try it when I'm ready to migrate to 3.1.0).

            But I did get my code to work.

            I don't know why, but it only works for me if I include two (!!!) security realm in login-config.xml with different names, one that is DatabaseServerLoginModule, the other one is ConfiguredIdentityLoginModule pointing to the same datasource as the first one. And in mysql-service.xml the SecurityDomainJndiName points to the ConfiguredIdentityLoginModule realm name.
            It works, I don't know why, may be somebody can explain to me why it works only like this but not the other way. For those who is courious I'm attaching files with my config example.

            • 4. Re: DataBaseServerLoginModule & ConfiguredIdentiryLoginModul
              Henk Laracker Newbie


              Can someone tell me how i can use security with a java client. (not web) I have a client which uses ejb's. I want to use security. Does anyone has a example for jboss 3.0.1


              • 5. Re: DataBaseServerLoginModule & ConfiguredIdentiryLoginModul
                dudoes Newbie


                I think that DataBaseServerLoginModule should use for logon AUTH from login.jsp 's FORM .

                but ConfiguredIdentiryLoginModule is gateway or tools to login into the Oracle DataBase by

                Both will work well together.

                you can test that if you can login system when you disable the "ConfiguredIdentiryLoginModule".

                I think you can't , because AT FIRST the loginner's userId and password is got from oracle Database through the "ConfiguredIdentiryLoginModule".

                Sorry, I can't be sure I'm right,just......

                • 6. Re: DataBaseServerLoginModule & ConfiguredIdentiryLoginModul
                  Ralph Roland Newbie

                  Hmmm... I'm getting CRC errors when I try to extract the files from your attached zip file (myexample.zip). Would you consider re-zipping it and posting again?
                  Thanks in advance!

                  • 7. Re: DataBaseServerLoginModule & ConfiguredIdentiryLoginModul
                    Dmitry Newbie

                    I just checked the original zip file -- works fine (i tried it extracting with 'jar xvf' as well), try redownloading it.
                    Any way, here is the same thing in gzipped tar: use tar zxvf to extract it.

                    • 8. Re: DataBaseServerLoginModule & ConfiguredIdentiryLoginModul
                      David Jencks Master

                      To go back to the original conceptual question:

                      DatabaseServerLoginModule is used by your application to decide if you should be able to use the app and which roles you have.

                      ConfiguredIdentityLoginModule is used by the datasource you configured to supply the username and password for the database connections.

                      There is little difference in functionality between using a ConfiguredIdentityLoginModule or directly configuring the username and password in the datasource configuration: both ways always use the same user/pw combination. The ConfiguredIdentityLoginModule hides the password in a slightly more secure place. The main possible advantage of using the ConfiguredIdentityLoginModule is that it provides an easy way to switch to a different login module for your datasource should that become appropriate. For instance, you can use the CallerIdentityLoginModule so users are logged in to the database as who they logged into the app as.

                      • 9. Re: DataBaseServerLoginModule & ConfiguredIdentiryLoginModul
                        Nathalie Newbie

                        Hi all,

                        When using the DatabaseServerLoginModule, do you have to implement a CallbackHandler and so on in a login servlet, to login or the DatabaseServerLoginModule checks credentials for you? and for a login.jsp, you just need to configure the xml files?


                        • 10. Re: DataBaseServerLoginModule & ConfiguredIdentiryLoginModul
                          Maria Consuelo Franky Newbie


                          I have had many problems with the security configuration using the DataBaseServerLoginModule.

                          Finally, with the help of several mails in this list, I have succeded with the configuration in Jboss 3.0.6.

                          I thanks to people contributing to this topic: I have made my configuration following your indications. I have configurated only a DataBaseServerLoginModule; the ConfiguredIdentiyLoginModule was not necessary.

                          These are the important points of my security login configuration for Jboss 3.0.6 using a Postgresql datasource:

                          1- The datasource is configurated in the file postgres-service.xml of the directory /usr/local/jboss-3.0.6/server/default/deploy:

                          <depends optional-attribute-name="ManagedConnectionFactoryName">
                          <!--embedded mbean-->


                          <config-property name="ConnectionURL" type="java.lang.String">jdbc:postgresql://joropo.cincosoft.com.co:5432/prueba</config-property>
                          <config-property name="DriverClass" type="java.lang.String">org.postgresql.Driver</config-property>
                          <!--set these only if you want only default logins, not through JAAS -->
                          <config-property name="UserName" type="java.lang.String">postgres</config-property>
                          <config-property name="Password" type="java.lang.String">postgres</config-property>


                          2- In the Postgresql database, I created and filled the tables:

                          CREATE TABLE Principals (PrincipalID VARCHAR(64) PRIMARY KEY, Password VARCHAR(64));
                          CREATE TABLE Roles (PrincipalID VARCHAR(64),Role VARCHAR(64), RoleGroup VARCHAR(64));

                          3- The DataBaseServerLoginModule is configurated in file login-config.xml of the directory /usr/local/jboss-3.0.6/server/default/conf :

                          <application-policy name = "example">

                          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                          flag = "required">
                          <module-option name = "dsJndiName">java:/PostgresDS</module-option>
                          <module-option name = "principal">postgres</module-option>
                          <module-option name = "principalsQuery">select Password from principals where PrincipalID=?</module-option>
                          <module-option name = "rolesQuery">select Role, RoleGroup from roles where PrincipalID=?</module-option>
                          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=PostgresDS</module-option>
                          <module-option name = "unauthenticatedIdentity">scott</module-option> -->


                          4 - The jboss-web.xml use "example" security domain :

                          <?xml version="1.0" encoding="UTF-8"?>


                          I hope this helps

                          Maria Consuelo Franky

                          • 11. Re: DataBaseServerLoginModule & ConfiguredIdentiryLoginModul
                            alan l batongbacal Newbie

                            You can think of the entities who use your app's services as one group that is authenticated through their user IDs and role IDs; it is that group whose auth needs are served by the DatabaseServerLoginModule, and therefore belong to an authentication domain "A". At the same time, the DatabaseServerLoginModule itself needs to authenticate itself to the DBMS by means of a (user ID, password) pair; it belongs to an authentication domain "B", and its auth needs are served by a ConfiguredIdentityLoginModule. Both A and B need to authenticate themselves to that which they access (the app for A, the DBMS for B), hence the need for both to be present.

                            The SecurityDomainJndiName in mysql-service.xml refers to the ConfiguredIdentityLoginModule realm, because the MySQL service belongs to domain B, not A. Similarly, the security domain specified in the app's jboss-web.xml refers to
                            A, not B, because entities accessing the app belong to domain A.

                            It seems to me that one could have both A and B's auth needs served by a single DatabaseServerLoginModule, but so far, I haven't been able to make such a config work.