13 Replies Latest reply on Feb 3, 2003 2:15 AM by Gary Kephart

    Simple Securing of a Web Page

    Bruce Ferguson Newbie

      I posted this in the Beginner's Corner but did not get any responses. I think that it is a very basic thing, I am just new to JBOSS and J2EE in general.

      I have been trying to pull together just a simple example of how to secure a web page. I have a web page called: Secured.html in the directory com/pav/web.

      When I attempt to access the Secured.html page, it pops up the Basic Auth dialog. Then, no matter what I type in for username and password, it takes me to the Secured.html screen.

      I'm sure that I am missing something really basic.

      Most of the stuff in the files below are pulled together as best I can figure out from the JBOSS documentation.

      Thanks in advance,
      --Bruce

      ------- web.xml snippet --------
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>The Login Stuff</web-resource-name>
      <url-pattern>/com/pav/web/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>AuthorizedUser</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>The Restricted Zone</realm-name>
      </login-config>

      <security-role>
      The role required to access
      <role-name>AuthorizedUser</role-name>
      </security-role>

      --------- jboss-web.xml ----------

      <security-domain>java:/jaas/other</security-domain>


      ---------- the war file ----------
      META-INF/
      META-INF/MANIFEST.MF
      com/
      com/pav/
      com/pav/web/
      com/pav/web/Secured.html
      users.properties
      roles.properties
      WEB-INF/
      WEB-INF/web.xml
      WEB-INF/jboss-web.xml

        • 1. Re: Simple Securing of a Web Page
          James Moring Newbie

          The "other" security domain is normally mapped to a simple login module that accepts any login/password pair. Try setting up the UserRolesLoginModule. It allows multiple users and roles to be setup by creating two property files.

          • 2. Re: Simple Securing of a Web Page
            Bruce Ferguson Newbie

            I am apparently more confused that I thought.

            I looked in the 'login-config.xml' and found the "other" policy and it appears to be configured as a "UsersRolesLoginModule". The description of this policy in the comments seem to imply that it is uses the two property files that you mention.

            Confused..
            --Bruce II

            • 3. Re: Simple Securing of a Web Page
              James Moring Newbie

              No, you are not confused. I forgot I removed the other from my login-config.xml. I thought it was being picked up from auth.conf where it is using the simple server login module. Sorry for the confusion.

              • 4. Re: Simple Securing of a Web Page
                Bruce Ferguson Newbie

                Glad I am not completely confused!!!
                However, I still do not know why it doesn't work.

                I also went and changed it to be FORM based instead of BASIC, created a simple login form with the j_username, j_password fields and ACTION="j_security_check".

                Just like the BASIC auth example above, no matter what I type in the username and password fields, it takes me to the secured page.

                I have run out of ideas to try??????

                • 5. Re: Simple Securing of a Web Page
                  Bruce Ferguson Newbie

                  Another bit if information is that it does not seem to care what I put in my jboss-web.xml file for the security domain.

                  I can change it to: java:/fred/barney and the application behaves just as it did before.

                  However, I know that it is parsing the file because if I put something in the file that violates the structure of the file (like misspelling <security-domain>), it throws an exception on deployment.

                  • 6. Re: Simple Securing of a Web Page
                    James Moring Newbie

                    What other domains are defined in your login-config.xml?
                    Are any of them using the SimpleServerLoginModule?

                    There is some logic, that escapes me at the moment, regarding presenting the login to all the login modules listed in the configuration. It seems to me that given that the name in the jbossweb.xml does not seem to matter it has to be being picked up by another domain.

                    Did you by any chance introduce a typo in the login-config.xml for the "other" domain?

                    • 7. Re: Simple Securing of a Web Page
                      James Moring Newbie

                      I just noticed that you have the property files in the root of your war file. The login module can not find these files in this location. Try moving them to a location that is on the classpath like the conf directory. If you want to partition the users by web app rename the file and set the property file names properties in login-config.xml.



                      • 8. Re: Simple Securing of a Web Page
                        Jan Stals Newbie

                        this is the most basic authorization that i got working today
                        hope it helps

                        • 9. Re: Simple Securing of a Web Page
                          Bruce Ferguson Newbie

                          I tried moving the user and role file to the conf directory and still it doesn't work.

                          I went to the jmx-console, select JNDIView executed the list method. Here is the results for the java: Namespace

                          ------------------(Begin java: Namespace)------------

                          +- DefaultDS (class: org.jboss.resource.adapter.jdbc.local.LocalDataSource)
                          +- XAConnectionFactory (class: org.jboss.mq.SpyXAConnectionFactory)
                          +- SecurityProxyFactory (class: org.jboss.security.SubjectSecurityProxyFactory)
                          +- DefaultJMSProvider (class: org.jboss.jms.jndi.JBossMQProvider)
                          +- CounterService (class: org.jboss.varia.counter.CounterService)
                          +- comp (class: javax.naming.Context)
                          +- JmsXA (class: org.jboss.resource.adapter.jms.JmsConnectionFactoryImpl)
                          +- ConnectionFactory (class: org.jboss.mq.SpyConnectionFactory)
                          +- jaas (class: javax.naming.Context)
                          | +- JmsXARealm (class: org.jboss.security.plugins.SecurityDomainContext)
                          | +- jbossmq (class: org.jboss.security.plugins.SecurityDomainContext)
                          | +- http-invoker (class: org.jboss.security.plugins.SecurityDomainContext)
                          +- timedCacheFactory (class: javax.naming.Context)
                          Failed to lookup: timedCacheFactory, errmsg=null
                          +- TransactionPropagationContextExporter (class: org.jboss.tm.TransactionPropagationContextFactory)
                          +- Mail (class: javax.mail.Session)
                          +- StdJMSPool (class: org.jboss.jms.asf.StdServerSessionPoolFactory)
                          +- TransactionPropagationContextImporter (class: org.jboss.tm.TransactionPropagationContextImporter)
                          +- TransactionManager (class: org.jboss.tm.TxManager)

                          --------------------(End java: Namespace)-----------

                          I noticed that under the jaas entry there is: JmsXARealm and jbossmq (both of which are in my login-config.xml) file but all the other ones (such as "other") are not there.

                          Should they be????

                          This is a straight installation (unzip, run.sh -c default) with no changes?

                          Help..............????????
                          --Bruce II

                          • 10. Re: Simple Securing of a Web Page
                            Bruce Ferguson Newbie

                            I apologize if this is posted twice, but machine lost power almost exactly as I pressed the "Post Message" button.

                            I tried moving the user and role file to the conf directory and still it doesn't work.

                            I went to the jmx-console, select JNDIView executed the list method. Here is the results for the java: Namespace

                            ------------------(Begin java: Namespace)------------

                            +- DefaultDS (class: org.jboss.resource.adapter.jdbc.local.LocalDataSource)
                            +- XAConnectionFactory (class: org.jboss.mq.SpyXAConnectionFactory)
                            +- SecurityProxyFactory (class: org.jboss.security.SubjectSecurityProxyFactory)
                            +- DefaultJMSProvider (class: org.jboss.jms.jndi.JBossMQProvider)
                            +- CounterService (class: org.jboss.varia.counter.CounterService)
                            +- comp (class: javax.naming.Context)
                            +- JmsXA (class: org.jboss.resource.adapter.jms.JmsConnectionFactoryImpl)
                            +- ConnectionFactory (class: org.jboss.mq.SpyConnectionFactory)
                            +- jaas (class: javax.naming.Context)
                            | +- JmsXARealm (class: org.jboss.security.plugins.SecurityDomainContext)
                            | +- jbossmq (class: org.jboss.security.plugins.SecurityDomainContext)
                            | +- http-invoker (class: org.jboss.security.plugins.SecurityDomainContext)
                            +- timedCacheFactory (class: javax.naming.Context)
                            Failed to lookup: timedCacheFactory, errmsg=null
                            +- TransactionPropagationContextExporter (class: org.jboss.tm.TransactionPropagationContextFactory)
                            +- Mail (class: javax.mail.Session)
                            +- StdJMSPool (class: org.jboss.jms.asf.StdServerSessionPoolFactory)
                            +- TransactionPropagationContextImporter (class: org.jboss.tm.TransactionPropagationContextImporter)
                            +- TransactionManager (class: org.jboss.tm.TxManager)

                            --------------------(End java: Namespace)-----------

                            I noticed that under the jaas entry there is: JmsXARealm and jbossmq (both of which are in my login-config.xml) file but all the other ones (such as "other") are not there.

                            Should they be????

                            This is a straight installation (unzip, run.sh -c default) with no changes?

                            Help..............????????
                            --Bruce II

                            • 11. Re: Simple Securing of a Web Page
                              Bruce Newbie

                              Hi Bruce,

                              I'm also new to the security part of JBoss so have been working on a simple test case as well.

                              I've attached an EAR file, which contains one really simple WAR file, which should authenticate a use trying to access the index.html page

                              to use:
                              1. deploy
                              2. type http://localhost:8080/test/
                              3. the login is bruce, password bruce

                              Hope it helps you out!
                              Regards
                              Bruce

                              • 12. Re: Simple Securing of a Web Page
                                Gary Kephart Newbie

                                > Hi Bruce,
                                >
                                > I'm also new to the security part of JBoss so have
                                > been working on a simple test case as well.
                                >
                                > I've attached an EAR file, which contains one really
                                > simple WAR file, which should authenticate a use
                                > trying to access the index.html page

                                You're missing the next step. What about "myrealm"? Those are in the web.xml and jboss-web.xml files, but those are client files. What about the server side? Does "myrealm" show up in login-config.xml? What's the connection between "myrealm" and the users.properties and the roles.properties files?

                                • 13. Re: Simple Securing of a Web Page
                                  Gary Kephart Newbie

                                   

                                  "gary_kephart" wrote:
                                  > this is the most basic authorization that i got
                                  > working today
                                  > hope it helps


                                  How is "wrox" mapped to the users.properties and roles.properties files?