1 Reply Latest reply on Sep 26, 2002 10:53 AM by dmulej

    BASIC authentication problems

    dmulej

      Hi!

      I'm unable to use BASIC authentication in JBoss-302 (integrated with Jetty). My ear consists of 1 jar (EJBs) and 1 war file. I'm following
      the JBoss 3.0 Quick Start Guide (v4), and here are the files I'm using:
      1. users.properties:
      # The username to password mapping properties file
      # java=echoman
      # duke=javaman

      darko=darko
      boss=jboss

      2. roles.properties:
      # The username to role(s) mapping properties file
      # java=Echo
      # duke=Java,Coder
      # java.CallerPrincipal=caller_java
      # duke.CallerPrincipal=caller_duke

      darko=myrole
      boss=bossrole

      3. login-config.xml snippet:
      <application-policy name = "zzRealm">

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "requisite" />
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>

      </application-policy>

      All these files are located in JBOSS_HOME/server/default/conf

      4. web.xml snippet:
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>SecretPages</web-resource-name>
      <url-pattern>/secret/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>bossrole</role-name>
      </auth-constraint>
      </security-constraint>

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>my SecretPages</web-resource-name>
      <url-pattern>/mysecret/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>myrole</role-name>
      </auth-constraint>
      </security-constraint>

      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>zzRealm</realm-name>
      </login-config>

      <security-role>
      boss
      <role-name>bossrole</role-name>
      </security-role>
      <security-role>
      custom
      <role-name>myrole</role-name>
      </security-role>


      When I try to access restricted files, the login panel appears, but then, regardless of my input, access to the restricted
      file is granted and the following lines are logged to server.log (in this case the username dar was typed - which is not in
      users.properties):

      2002-09-26 12:33:43,495 DEBUG [org.jboss.jetty.security.JBossUserRealm#zzRealm] JBossUserPrincipal: dar
      2002-09-26 12:33:43,495 DEBUG [org.jboss.jetty.security.JBossUserRealm#zzRealm] created JBossUserRealm::JBossUserPrincipal: dar
      2002-09-26 12:33:43,495 DEBUG [org.jboss.jetty.security.JBossUserRealm#zzRealm] authenticating: Name:dar Password:****
      2002-09-26 12:33:43,495 DEBUG [org.jboss.jetty.security.JBossUserRealm#zzRealm] authenticated: dar
      2002-09-26 12:33:43,495 DEBUG [org.jboss.jetty.security.JBossUserRealm#zzRealm] setting JAAS subjectAttributeName(j_subject) : null
      2002-09-26 12:33:43,495 DEBUG [org.jboss.jetty.security.JBossUserRealm#zzRealm] JBossUserPrincipal: dar is in Role: bossrole

      The bottom line is: every user gets all access and it seems that users.properties and roles.properties
      are not read.

      Any idea what I am missing?

      Darko
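
One way to confirm the symptom described above from the server side, as an added example that is not part of the original post: the script cross-checks the JBossUserRealm DEBUG lines in server.log against users.properties and roles.properties and reports every principal or role the realm accepted that the files do not define. The sample strings are constructed from the files and log lines quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed sample input, taken from the files and log lines quoted in the post.
USERS_PROPERTIES = "# java=echoman\n# duke=javaman\n\ndarko=darko\nboss=jboss\n"
ROLES_PROPERTIES = "# java=Echo\n# duke=Java,Coder\n\ndarko=myrole\nboss=bossrole\n"
SERVER_LOG = """\
2002-09-26 12:33:43,495 DEBUG [org.jboss.jetty.security.JBossUserRealm#zzRealm] authenticating: Name:dar Password:****
2002-09-26 12:33:43,495 DEBUG [org.jboss.jetty.security.JBossUserRealm#zzRealm] authenticated: dar
2002-09-26 12:33:43,495 DEBUG [org.jboss.jetty.security.JBossUserRealm#zzRealm] JBossUserPrincipal: dar is in Role: bossrole
"""

# "authenticated: <user>" and "<user> is in Role: <role>" lines, keyed by realm name.
AUTH_RE = re.compile(r"JBossUserRealm#(\S+)\] authenticated: (\S+)$")
ROLE_RE = re.compile(r"JBossUserRealm#(\S+)\] JBossUserPrincipal: (\S+) is in Role: (\S+)$")


def load_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit(log_text, users_text, roles_text):
    """Return (realm, user, reason) for each log line the property files do not justify."""
    users = load_properties(users_text)
    # roles.properties maps a username to a comma-separated list of roles.
    roles = {u: {r.strip() for r in v.split(",")}
             for u, v in load_properties(roles_text).items()}
    findings = []
    for line in log_text.splitlines():
        if m := AUTH_RE.search(line):
            realm, user = m.groups()
            if user not in users:
                findings.append((realm, user, "authenticated but not in users.properties"))
        elif m := ROLE_RE.search(line):
            realm, user, role = m.groups()
            if role not in roles.get(user, set()):
                findings.append((realm, user, f"granted role {role} not mapped in roles.properties"))
    return findings


if __name__ == "__main__":
    for finding in audit(SERVER_LOG, USERS_PROPERTIES, ROLES_PROPERTIES):
        print(" | ".join(finding))
```

Any finding means the realm is not enforcing the property files, which is the condition reported in the post.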