0 Replies Latest reply on Sep 11, 2002 2:04 AM by Gavin Hughes

    Chaining login modules

    Gavin Hughes Newbie

      I'm trying to set up a chain of login modules to support
      authenticating users accessing a web application.

      I can get the UsersRolesLoginModule to work fine,
      but I'm now trying to chain this with the
      DatabaseServerLoginModule, with little success.

      If I attempt to log in with user credentials for a
      user stored in the properties files for
      UsersRolesLoginModule, I get an exception from the
      DatabaseServerLoginModule.

      Vice versa, if I attempt to log in with user credentials
      for a user stored in the database for
      DatabaseServerLoginModule, I get an exception from the
      UsersRolesLoginModule.

      The relevant section from login-conf.xml is:

      <application-policy name="WebSecurityRealm">
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                      flag="sufficient">
          <module-option name="dsJndiName">java:/OracleDS</module-option>
          <module-option name="principalsQuery">select Password from Principals where PrincipalId=?</module-option>
          <module-option name="rolesQuery">select Role, RoleGroup from Roles where PrincipalId=?</module-option>
          <module-option name="unauthenticatedIdentity">nobody</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="sufficient">
          <module-option name="usersProperties">users.properties</module-option>
          <module-option name="rolesProperties">roles.properties</module-option>
          <module-option name="unauthenticatedIdentity">nobody</module-option>
        </login-module>
      </application-policy>

      From the documentation, I'm under the impression that
      setting "flag=sufficient" for each login module means
      that if a login module succeeds, then authentication is
      successful, otherwise the next login module in the chain
      is called. Is this correct?

      Can someone point out what is wrong in the configuration
      above?

      I'm using JBoss 3.0.0, XDoclet 1.1.2 and Oracle 9i on Windows XP.

      Thanks,
      Gavin.
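
Added example, not part of the original post and not JBoss code: a self-contained run of the standard JAAS `SUFFICIENT` control flag (`javax.security.auth.login`), on the assumption that the `flag` attribute in the posted configuration maps onto it. `StoreModule` and the user names `dbuser`, `propuser` and `mallory` are hypothetical stand-ins for the two credential stores; each module reports its own result so that a failing module's exception can be seen alongside the overall outcome.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class SufficientChainDemo {
    // Hypothetical stand-in for a credential store: knows exactly one user (the "user" option).
    public static class StoreModule implements LoginModule {
        private CallbackHandler handler; private Map<String, ?> options; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            handler = h; options = opts;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            try { handler.handle(new Callback[] { nc }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            ok = options.get("user").equals(nc.getName());
            System.out.println("  " + options.get("store") + ": " + (ok ? "success" : "FailedLoginException"));
            if (!ok) throw new FailedLoginException("unknown user in " + options.get("store"));
            return true;
        }
        public boolean commit() { return ok; }   // only the module that authenticated commits
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // One chain entry flagged SUFFICIENT, mirroring flag="sufficient" in the posted policy.
    static AppConfigurationEntry entry(String store, String user) {
        Map<String, String> opts = new HashMap<>();
        opts.put("store", store); opts.put("user", user);
        return new AppConfigurationEntry(StoreModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT, opts);
    }
    // Runs the two-module chain for one user name; true means the overall login succeeded.
    static boolean authenticate(String user) {
        CallbackHandler h = cbs -> { for (Callback c : cbs) if (c instanceof NameCallback) ((NameCallback) c).setName(user); };
        Configuration chain = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry("database", "dbuser"), entry("properties", "propuser") };
            }
        };
        try {
            new LoginContext("WebSecurityRealm", new Subject(), h, chain).login();
            return true;
        } catch (LoginException e) { return false; }
    }
    public static void main(String[] args) {
        for (String u : new String[] { "dbuser", "propuser", "mallory" })
            System.out.println(u + " overall: " + (authenticate(u) ? "authenticated" : "rejected"));
    }
}
```

Under JAAS, a `SUFFICIENT` module that fails has its exception recorded and the chain moves on to the next entry; the overall login is rejected only when no module in the chain succeeds.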