5 Replies Latest reply on Oct 25, 2002 6:25 PM by Tarwinder Dhak

    isUserInRole() method fails

    Tarwinder Dhak Newbie

      Hi,

      I'm using JBoss 3.0 with Tomcat 4.0.3 under Linux.

      I have a strange problem where while using form based authentication, and the database login module. I have a web application in which a portion is secured in the normal way through the web.xml file. I also have a jboss-web.xml file specifing a security domain (AMSDbRealm).

      I have created a realm called AMSDbRealm, which uses the database login module with a MySQL datasource (AMSDS).

      I've updated the default configuration login-conf.xml file to include the following policy :-

      <application-policy name = "AMSDbRealm">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
      <module-option name = "dsJndiName">java:/AMSDS</module-option>
      <module-option name = "unauthenticatedIdenty">notauthed</module-option>
      <module-option name = "principalsQuery">select password from USER where username=?</module-option>
      <module-option name = "rolesQuery">select user_role,user_group from ROLE where username=?</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=AMSDS</module-option>
      </login-module>

      </application-policy>

      I've made sure the above queries work in the mysql database, by entering them direct into a command prompt.

      Now, the web app begins to behave as expected, when I try to access a restricted area of the web app, a login page is displayed; I enter the username(test) and password, and I receive a http 403 error.

      Upon further investigation I realised that the user was being authenticated as expected, but the roles were not being assigned as they should be. To further confirm this theory, I secured my web app with a role of * (any role), and the web app works as normal.

      Then I created a jsp page that calls isUserInRole("AuthorisedUser"), and found it returns false.

      So I then tried getting more info out of jboss by trying to increaseing(TRACE) logging on various classes, and got the following output imediately after authentication :-

      2002-09-30 03:02:32,241 TRACE [org.jboss.security.plugins.JaasSecurityManager.AMSDbRealm] validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@43a083
      2002-09-30 03:03:22,804 TRACE [org.jboss.security.plugins.JaasSecurityManager.AMSDbRealm] updateCache, subject=Subject:
      Principal: test
      Principal: AuthorisedUser

      2002-09-30 03:03:22,839 TRACE [org.jboss.security.plugins.JaasSecurityManager.AMSDbRealm] validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@5e7020

      So now I'm completely bemused and am in need of some help. Sorry for such a lengthy post, but I didn't want to miss any important info for you guys to help.

      Any help would be very much appreciated, thanks.

      Tarwinder Dhak