2 Replies Latest reply on Oct 27, 2002 2:39 PM by jrssnyder

    DatabaseServerLoginModule - failing authentication?

    jrssnyder

      Hello all,

      I am trying to use the DatabaseServerLoginModule with jboss-3.0.0_tomcat-4.0.3, using a FORM login. All I am trying to do at this point is to secure a JSP page called Office.jsp.

      When I try to go to the JSP page, the login page comes up, as expected based on the web.xml configuration. When I fill in the username and password (for j_username and j_password), then click the submit button (action="j_security_check"), the JBoss console displays, "Added PC_CloudscapeDbRealm, org.jboss.security.plugins.SecurityDomainContext@a631cc to map", which I believe is telling me that JBoss is applying the PC_CloudscapeDbRealm security realm, which is what I want.

      My problem is twofold:
      First, I am not authenticated when I log in with a username/password combination that should pass authentication (the combination is in my security table).
      Second, if authentication fails, I should be redirected to the failed login page specified in my web.xml file, but I am not -- instead, the web browser just displays a Status 403 page, saying, "message Access to the requested resource has been denied" and "description Access to the specified resource (Access to the requested resource has been denied) has been forbidden."
      Can anyone please explain this behavior, and more importantly, how to fix it? The relevant configuration files are as follows (in relevant part):

      web.xml:
      <!-- Security -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Office</web-resource-name>
          <url-pattern>/jsp/Office.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <!-- Anyone with one of the listed roles may access this area -->
          <role-name>Player</role-name>
        </auth-constraint>
      </security-constraint>

      <!-- The <realm-name> in web.xml must match with the <application-policy> entry in
           login-config.xml for JBoss' JAAS -->
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>PC_CloudscapeDbRealm</realm-name>
        <form-login-config>
          <form-login-page>/html/Login.html</form-login-page>
          <form-error-page>/html/Login.html?valid=no</form-error-page>
        </form-login-config>
      </login-config>

      jboss-web.xml (in WEB-INF directory of war file):
      <jboss-web>
        <security-domain>java:/jaas/PC_CloudscapeDbRealm</security-domain>
      </jboss-web>

      login-config.xml:
      <application-policy name = "CloudscapeDbRealm">

        <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
          <module-option name = "principal">pc</module-option>
          <module-option name = "userName">pc</module-option>
          <module-option name = "password"></module-option>
          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=CloudscapeDS</module-option>
        </login-module>

      </application-policy>

      <application-policy name = "PC_CloudscapeDbRealm">

        <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
          <module-option name="dsJndiName">java:/CloudscapeDS</module-option>
          <module-option name="principalsQuery">select password from app.Player where playername=?</module-option>
          <module-option name="rolesQuery">select securityRoleName, securityRoleGroupName from app.SecurityRole where principalid=?</module-option>
          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=CloudscapeDS</module-option>
        </login-module>

      </application-policy>

      Any help would be greatly appreciated.

      Thanks a lot in advance,

      -- John




        • 1. Re: DatabaseServerLoginModule - failing authentication?
          jrssnyder

          On further testing and research, it looks like I was not failing authentication -- rather, I was authenticated, but I was not assigned the role, "Player".

          This explains why I was not routed to the authentication failure page. However, I am still at a loss to see why I am not being placed in the "Player" role.

          I am logging in with a username of "jrssnyder", the DatabaseServerLoginModule specifies a rolesQuery of "select securityRoleName, securityRoleGroupName from app.SecurityRole where principalid=?", and when I run the query, " select securityRoleName, securityRoleGroupName from app.SecurityRole where principalid='jrssnyder' " I get back: a securityRoleName of "Player" and a securityRoleGroupName of "PlayerGroup".

          Yet, when I create a JSP page to handle the 403 error, request.isUserInRole("Player") returns false.

          Why would this be?

          Please help if you can,

          -- Thanks a lot.

          • 2. Re: DatabaseServerLoginModule - failing authentication?
            jrssnyder

            I solved this problem. For those who are interested:

            1) Apparently, the DatabaseServerLoginModule does not like underscores in the application-policy name,

            and/or

            2) The value of the role group column must be 'Roles'.

            Hope somebody besides me can learn something from this.
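
Added example, not part of the original posts and not JBoss code: a simplified Python model of point 2, running the thread's rolesQuery against constructed sample data in SQLite. It assumes the login module files each role under the group named by the query's second column and that the container's role check consults only the group named 'Roles'; FIXED_QUERY, make_db, role_sets, is_user_in_role and ignored_groups are hypothetical names.

```python
import sqlite3

# rolesQuery exactly as posted in the thread.
ROLES_QUERY = ("select securityRoleName, securityRoleGroupName "
               "from app.SecurityRole where principalid=?")
# Assumed alternative (not from the thread): return the literal 'Roles'
# instead of relying on what the group column happens to store.
FIXED_QUERY = ("select securityRoleName, 'Roles' "
               "from app.SecurityRole where principalid=?")


def make_db():
    """Constructed sample data: the single row described in reply 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS app")  # provides the app. schema
    conn.execute("create table app.SecurityRole (principalid text, "
                 "securityRoleName text, securityRoleGroupName text)")
    conn.execute("insert into app.SecurityRole values (?, ?, ?)",
                 ("jrssnyder", "Player", "PlayerGroup"))
    return conn


def role_sets(conn, query, username):
    """Group role names by the value of the query's second column."""
    groups = {}
    for role, group in conn.execute(query, (username,)):
        groups.setdefault(group, set()).add(role)
    return groups


def is_user_in_role(groups, role):
    """Model of the role check: only the group named 'Roles' is consulted."""
    return role in groups.get("Roles", set())


def ignored_groups(groups):
    """Groups whose roles never reach the authorization decision."""
    return sorted(g for g in groups if g not in ("Roles", "CallerPrincipal"))


if __name__ == "__main__":
    conn = make_db()
    for label, query in (("posted", ROLES_QUERY), ("fixed", FIXED_QUERY)):
        groups = role_sets(conn, query, "jrssnyder")
        print(label, groups, "Player allowed:", is_user_in_role(groups, "Player"),
              "ignored:", ignored_groups(groups))
```

Running ignored_groups over the output of a rolesQuery is a quick way to spot rows that authenticate a user yet grant no role, which is the 403-after-login symptom described in reply 1.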