2 Replies Latest reply on Oct 17, 2002 4:14 PM by x

    FORM authentication with JBoss3.0.0-Tomcat4.0.3

    x Newbie

      hi

      i am having the same problem with FORM authentication using JBoss3.0.0-Tomcat4.0.3

      I am taken to the logon.jsp page when I am trying to access a secured resource, but the authentication does not work at all. One could get in with any username/password combination. I do not see any trace of the JDBC Realm being invoked by Tomcat to perform the authentication. I guess I have some piece missing.

      Here is a list of my XML config files,
      jboss_home/server/default/conf/login-config.xml

      **********************************************************
      <!-- The XML based JAAS login configuration read by the
      org.jboss.security.auth.login.XMLLoginConfig mbean. Add
      an application-policy element for each security domain.

      The outline of the application-policy is:
      <application-policy name="security-domain-name">

      <login-module code="login.module1.class.name" flag="control_flag">
      <module-option name = "option1-name">option1-value</module-option>
      <module-option name = "option2-name">option2-value</module-option>
      ...
      </login-module>

      <login-module code="login.module2.class.name" flag="control_flag">
      ...
      </login-module>
      ...

      </application-policy>

      $Revision: 1.1.2.1 $
      -->


      <!-- Used by clients within the application server VM such as
      mbeans and servlets that access EJBs.
      -->
      <application-policy name = "client-login">

      <login-module code = "org.jboss.security.ClientLoginModule"
      flag = "required">
      </login-module>

      </application-policy>

      <!-- Security domain for JBossMQ -->
      <application-policy name = "jbossmq">

      <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "sm.objectnam">jboss.mq:service=StateManager</module-option>
      </login-module>

      </application-policy>

      <!-- Security domains for testing new jca framework -->
      <application-policy name = "HsqlDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sa</module-option>
      <module-option name = "userName">sa</module-option>
      <module-option name = "password"></module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=hsqldbDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "FirebirdDBRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">sysdba</module-option>
      <module-option name = "userName">sysdba</module-option>
      <module-option name = "password">masterkey</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "JmsXARealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">guest</module-option>
      <module-option name = "userName">guest</module-option>
      <module-option name = "password">guest</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=jmsra</module-option>
      </login-module>

      </application-policy>

      <!-- The default login configuration used by any security domain that
      does not have a application-policy entry with a matching name
      -->
      <application-policy name = "other">
      <!-- A simple server login module, which can be used when the number
      of users is relatively small. It uses two properties files:
      users.properties, which holds users (key) and their password (value).
      roles.properties, which holds users (key) and a comma-separated list of
      their roles (value).
      The unauthenticatedIdentity property defines the name of the principal
      that will be used when a null username and password are presented as is
      the case for an unuathenticated web client or MDB. If you want to
      allow such users to be authenticated add the property, e.g.,
      unauthenticatedIdentity="nobody"
      -->

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      </application-policy>

      <application-policy name = "MSSQLDBRealm2">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
      flag = "required">
      <module-option name = "principal">guest</module-option>
      <module-option name = "userName">guest</module-option>
      <module-option name = "password">guest</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=compquick_DS</module-option>
      </login-module>

      </application-policy>

      <application-policy name = "MSSQLDbRealm">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
      <module-option name="dsJndiName">java:/compquick_DS</module-option>
      <!--<module-option name = "principal">fund_adv</module-option>-->
      <module-option name = "principalsQuery">select Password from Principal where Login=?</module-option>
      <module-option name = "rolesQuery">select User_Role_Name from User_Role_Principal where Principal_ID=?</module-option>
      <!--<module-option name="unauthenticatedIdentity">nobody</module-option>-->
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=compquick_DS</module-option>-->
      </login-module>

      </application-policy>


      *********************************************************

      /WEB-INF/web.xml

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>II Resource</web-resource-name>
      <url-pattern>/quote_management/*</url-pattern>
      <!--<url-pattern>*.html</url-pattern>-->
      <!--II Resource Description-->
      </web-resource-collection>
      <auth-constraint>
      <role-name>agent</role-name>
      <!--II Users-->
      </auth-constraint>
      </security-constraint>

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>MSSQLDbRealm</realm-name>
      <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logon_error.jsp</form-error-page>
      </form-login-config>
      </login-config>
      **********************************************************

      jboss-web.xml

      <jboss-web>

      <security-domain>java:/jaas/MSSQLDbRealm</security-domain>

      </jboss-web>
      *********************************************************

      jboss_home/server/default/deploy/tomcat4-service.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <!-- Set catalina.home to the location of the Tomcat-4.x dist.
      The default value is that of the JBoss/Catalina bundle where the
      jakarta-tomcat-4.0.3-LE-jdk14 is included as jboss_dist/catalina
      -->
      <!DOCTYPE server [
      <!ENTITY catalina.home "../catalina">
      ]>
      <!-- The service configuration for the embedded Tomcat4 web container
      -->







      &catalina.home;












      <!-- A HTTP Connector on port 8080 -->







      *********************************************************

      Please take a look at the files pasted above and let me know if i am missing something/done something wrong with the config.