5 Replies Latest reply on Feb 6, 2003 4:25 PM by Peter Doornbosch

    web-tier security

    Joseph Pelle Newbie

      OK, I'm totally confused, and reading the messages on this forum hasn't helped -- others have had this problem but no solutions have been posted (that I've seen).

      OK, a little background. We have a product with an EJB backend and a web (JSP/servlets/JavaBean/Applet) front end (JBoss 2.4.9/Tomcat4.0.4) and now we are trying to add security to it. Using a client java app, I can easily implement EJB-tier declaritive security. But when I tried moving that over to the web interface, I came across many, many problems.

      What I'd like to do is get the user to authenticate via a web form once, then have that authentication used whenever they access a page that accesses a restricted EJB. Apparently I have to get the authenticated user id to propagate to the EJB tier, but that isn't working. Somewhere someone said to secure the web components and use the ClientLoginModule, but that didn't seem to work either.

      Anyway, I'm taking a step back -- I've gotten EJB-tier security to work in isolation, but I still haven't gotten web-tier security to work. Here's what I've got....

      web.xml
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      Declarative security tests
      <url-pattern>/thresholdBrowser/blankPage.jsp</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>guest</role-name>
      </auth-constraint>
      <user-data-constraint>
      no description
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Threshold Realm</realm-name>
      </login-config>

      <security-role>
      <role-name>guest</role-name>
      </security-role>

      jboss/client/auth.conf
      profiler {
      org.jboss.security.auth.spi.SimpleServerLoginModule required;
      };

      jboss-web.xml
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
      <security-domain>java:/jaas/profiler</security-domain>

      </jboss-web>

      As I understand it, whenever I try to access thresholdBrowser/blankPage.jsp, a dialog should pop-up, allowing me to enter a user id/password.

      This does happen, but when I press OK, it pops up again (a total of 3 times, I believe) followed by a Status 401-Unauthorized error page.

      Btw, if I put the 'profiler' security domain in the jboss/conf/<>/auth.conf, then I don't get the pop-up at all -- I just get status 403 error page. To be honest, I don't think my client/auth.conf file is getting picked up.