1 Reply Latest reply on Jan 14, 2003 7:14 AM by Thomas Nagel

    User 'null' in Jetty

    Thomas Nagel Newbie

      Hi,

      I am trying to port an Struts - web app from Resin/Jboss 3.0.2 to JBoss 3.0.2 / Jetty (integrated).

      The app uses Form-based login to access a welcome page and then accesses several EJBs via some Struts Actions. Login is done via JBoss / JAAS login-conf, using two modules with 'sufficient' flag:

      <application-policy name = "blah-security">
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag="sufficient">
      <module-option name="dsJndiName">java:/OracleDS</module-option>
      <module-option name="principalsQuery">SELECT ...</module-option>
      <module-option name="rolesQuery">SELECT ...</module-option>
      </login-module>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "sufficient" />

      </application-policy>

      web.xml looks like this:
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Adminconsole</web-resource-name>
      Adminconsole
      <url-pattern>/content/*</url-pattern>
      </web-resource-collection>

      <auth-constraint>
      Registered Admins
      <role-name>common.SuperAdmin</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <!--
      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Admin area</realm-name>
      <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerr.jsp</form-error-page>
      </form-login-config>
      </login-config>
      -->
      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Admin area</realm-name>
      </login-config>

      <security-role>
      <role-name>common.SuperAdmin</role-name>
      </security-role>

      Struts conf (example):


      Results:
      - Login works (form based and basic)
      - JSPs display user / Principal correct if I use request.getRemoteUser / request.getPrincipal

      Every other access (EJBs, Struts Actions, Servlets) does not work

      Message (for Struts actions) :
      2003-01-08 15:36:12,099 DEBUG [org.apache.struts.action.RequestProcessor] User
      'null' does not have any required role, denying access

      Seems the user disapears.

      Any ideas?

        • 1. Re: User 'null' in Jetty
          Thomas Nagel Newbie

          Greg told me the following:

          -- quote start -------------------------------------------

          The problem is the spec. It does not make it clear what the status of the authentication methods should be when a security constraint is not passed.

          Authentication can be very expensive - specially if your
          Realm is remote. Thus just because there is an auth
          constraint on /secret/* does not mean that every
          request to /images/* should be authenticated - even if the
          browser is providing the credentials un-asked for.

          Containers differ on how they implement this. Tomcat always authenticates if the credentials are provided and avoids the expense by caching authentication. This is not a safe approach as authentication can be revoked in real time.

          Jetty implements this by only authenticating when a authentication constraint is passed.

          I [Greg] have a proposal in the JSR that getRemoteUser should always return the name - if known. But getAuthType(), isUserInRole and getUserPrincipal should only work if an auth constraint is passed.

          -- quote end -------------------------------------------