1 Reply Latest reply on Oct 5, 2002 2:06 AM by richardberger

    Can't get j_security_check to work in JBoss 3.0.2... please

    richardberger

      Strangely, I have no problems getting JAAS working through a database, but I wanted to try the "simple" way using j_security_check.

      Initially things look fine - I enter a protected URL and the login2.jsp pops up. However, whatever user/password I type in, the system authenticates it as valid.

      The relevant section of my web.xml looks like:
      <security-constraint>
        <display-name>JBossAdmin</display-name>
        <web-resource-collection>
          <web-resource-name>drillservlet</web-resource-name>
          <description>An example security config that only allows users with the role DSUser to access signin</description>
          <url-pattern>/app/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>DSUser</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>DrillSgt</realm-name>
        <form-login-config>
          <form-login-page>/login2.jsp</form-login-page>
          <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
      </login-config>
      <security-role>
        <role-name>DSUser</role-name>
      </security-role>
      <security-role>
        <role-name>JBossAdmin</role-name>
      </security-role>

      I have the DrillSgt realm specified in the login-config.xml file as:
      <application-policy name = "DrillSgt">
        <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
          <module-option name = "dsJndiName">java:/DrillDB</module-option>
          <module-option name = "principalsQuery">select Password from UserDS where Email = ?</module-option>
          <module-option name = "rolesQuery">select Role, RoleGroup from RoleDS where Email = ?</module-option>
        </login-module>
      </application-policy>

      And it is also in the jboss-web.xml file as:
      <?xml version="1.0" encoding="UTF-8" ?>
      <jboss-web>
        <security-domain>java:/jaas/DrillSgt</security-domain>
      </jboss-web>

      Any ideas what I am doing wrong? I have searched and searched in this forum, but nothing seems to help. I am just trying to see how j_security_check works - the JAAS code that already works is what I will use in my application - but curiosity has gotten the better of me.

      Thanks in advance for any help!!!
      RB
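
An added example, not part of the original post and not JBoss code: a small Python audit of the three descriptors quoted above. It checks that the security-domain resolves to a declared application-policy and that constrained roles are declared, and it flags method-limited constraints and non-CONFIDENTIAL transport. The function name `audit` and the trimmed sample strings are constructed for illustration; descriptors without XML namespaces are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, trimmed from the three files quoted in the post.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>drillservlet</web-resource-name>
   <url-pattern>/app/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>DSUser</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
 </security-constraint>
 <login-config><auth-method>FORM</auth-method></login-config>
 <security-role><role-name>DSUser</role-name></security-role>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/DrillSgt</security-domain></jboss-web>"
LOGIN_CONFIG_XML = '<policy><application-policy name="DrillSgt"/></policy>'

def audit(web_xml, jboss_web_xml, login_config_xml):
    """Return a list of findings for one web app's declarative security setup."""
    web = ET.fromstring(web_xml)
    findings = []
    # 1. The security domain must name an application-policy that exists.
    domain = (ET.fromstring(jboss_web_xml).findtext("security-domain") or "").strip()
    policy = domain.rsplit("/", 1)[-1]
    names = {p.get("name") for p in ET.fromstring(login_config_xml).iter("application-policy")}
    if policy not in names:
        findings.append(f"security-domain '{domain}' has no application-policy '{policy}'")
    # 2. Roles used in auth-constraint should be declared as security-role.
    declared = {r.text.strip() for r in web.findall("security-role/role-name")}
    for c in web.findall("security-constraint"):
        for r in c.findall("auth-constraint/role-name"):
            if r.text.strip() not in declared | {"*"}:
                findings.append(f"role '{r.text.strip()}' is not declared in a security-role")
        # 3. Listing http-method limits the constraint to those methods only.
        methods = sorted(m.text.strip() for m in c.iter("http-method"))
        if methods:
            findings.append(f"constraint covers only {methods}; other methods are unconstrained")
        # 4. FORM login on a constraint that is not CONFIDENTIAL permits plain HTTP.
        if (web.findtext("login-config/auth-method") == "FORM"
                and c.findtext("user-data-constraint/transport-guarantee") != "CONFIDENTIAL"):
            findings.append("FORM login without transport-guarantee CONFIDENTIAL")
    return findings

if __name__ == "__main__":
    for line in audit(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML):
        print("-", line)
```
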