OK, I'm totally confused, and reading the messages on this forum hasn't helped -- others have had this problem but no solutions have been posted (that I've seen).
OK, a little background. We have a product with an EJB backend and a web (JSP/servlets/JavaBean/Applet) front end (JBoss 2.4.9/Tomcat4.0.4) and now we are trying to add security to it. Using a client java app, I can easily implement EJB-tier declaritive security. But when I tried moving that over to the web interface, I came across many, many problems.
What I'd like to do is get the user to authenticate via a web form once, then have that authentication used whenever they access a page that accesses a restricted EJB. Apparently I have to get the authenticated user id to propagate to the EJB tier, but that isn't working. Somewhere someone said to secure the web components and use the ClientLoginModule, but that didn't seem to work either.
Anyway, I'm taking a step back -- I've gotten EJB-tier security to work in isolation, but I still haven't gotten web-tier security to work. Here's what I've got....
Declarative security tests
<?xml version="1.0" encoding="UTF-8"?>
As I understand it, whenever I try to access thresholdBrowser/blankPage.jsp, a dialog should pop-up, allowing me to enter a user id/password.
This does happen, but when I press OK, it pops up again (a total of 3 times, I believe) followed by a Status 401-Unauthorized error page.
Btw, if I put the 'profiler' security domain in the jboss/conf/<>/auth.conf, then I don't get the pop-up at all -- I just get status 403 error page. To be honest, I don't think my client/auth.conf file is getting picked up.
> To be
> honest, I don't think my client/auth.conf file is
> getting picked up.
That is right. Servlets run inside the server VM and get their security stuff from login-config.xml in the server/whatever/conf directory (and maybe from the auth.conf file in the same directory, but that is only for backwards compatability). So put your login configuration for 'profiler' in this login-config.xml file and everything will work as you expected.
What is this login-config.xml file? I've yet to see where it should be located -- I was under the impression that it was a JBoss 3.X thing (I'm running 2.4.9).
it is the equivalent of auth.conf on the server side in 3.x
Sorry, i didn't notice you were running 2.4....
However, my remark is still valid i think, in the sense that the client/auth.conf is not picked by the server (but, as Juhu pointed out, the other one is...)
Oops, that should be "Juha" of course....