3 Replies Latest reply on Jul 1, 2012 3:29 AM by James Chan

    Problem w/ BASIC web auth Database

    Brian DeCamp Newbie

      Having a bit of a problem with BASIC auth using DatabaseServerLoginModule for my web app on JBoss 3.2.1/Jetty:

      Here's my stuff:

      web.xml
      ========
      <web-app>
      ...
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>All pages</web-resource-name>
      <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>AuthenticatedUser</role-name>
      </auth-constraint>
      </security-constraint>

      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>WebSecurityDomain</realm-name>
      </login-config>

      <security-role>
      <role-name>AuthenticatedUser</role-name>
      </security-role>
      </web-app>

      jboss-web.xml
      ==========
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
      <security-domain>java:/jaas/WebSecurityDomain</security-domain>
      </jboss-web>

      login-config.xml
      ===========

      ...
      <application-policy name="WebSecurityDomain">

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="principalsQuery">select '' passwd from tblUser where UserName = ?</module-option>
      <module-option name="rolesQuery">select 'AuthorizedUser' 'Role', 'AuthorizedUser' 'RoleGroup' from tblUser where UserName = ?</module-option>
      </login-module>

      </application-policy>


      ==== end stuff ==========

      I admit I'm confused about the difference between a Role and a RoleGroup, so I'm just returning "AuthorizedUser" for both of them.

      I get the login prompt, and if I type in a bogus username I get:

      WARNING: AUTH FAILURE: user xxxx

      If I give it a user that exists, regardless of the value of the Role and RoleGroup I return from the query, I get:

      WARNING: AUTH FAILURE: role for goodUsername

      Another deficit I may have is understanding when to use auth.conf. All the examples I've seen for this are used with client applications connecting to the app server. I don't think I need an auth.conf if I'm just doing web auth right now. Do I need to map "AuthorizedUser" to another context or something?

      TIA,
      Brian

        • 1. Re: Problem w/ BASIC web auth Database
          Brian DeCamp Newbie

          <desperate-plea>
          PLEASE! I'm in pain!

          I've read every line of the Admin Guide, Scott's JavaWorld article, and somebody's post on JavaRanch at least four times. I've read over 100 posts to this forum looking for clues, and I've found lot's of people frustrated with security, but little in the way of answers. I've resorted to hours upon hours of changing lines in my deployment that I know won't make a difference, and they don't. I'm trying to switch my production app from BEA to JBoss next week, but I'm stumped!
          </desperate-plea>

          What I don't get is this: In my web.xml I specify the role for an auth-constraint. Is this the exact same role that needs to be returned from my rolesQuery Role and/or RoleGroup? In classic J2EE fashion, shouldn't there be some mapping between a role specified in the web.xml to a role in my deployment environment? If so, how do I do this? Returning the same value doesn't seem to work, unless I've unwittingly messed that up somehow...

          On another note, Scott originally wrote his JavaWorld examples for 2.4. Do they work verbatim in 3.2?

          • 2. Re: Problem w/ BASIC web auth Database
            Brian DeCamp Newbie

            OK. Finally, I found the secret key.

            The answer, as some of you on the inside have already guessed, was that there is a second column to the rolesQuery with a constant value of 'Roles', the only value that JBoss accepts.

            Now that I know the answer, I can see in the Admin book where the constant value was used, but nothing was said about why it was there, and there was no special attention drawn to these obscure little bytes. Scott's JavaWorld article did not have this constant, and no mention of RoleGroup except in the example for UsersRolesLoginModule.

            Forgive me for being new, but is it possible to add one line to the Admin PDF that draws attention to this at the bottom of page 417? I see that there are other careless souls who have made my mistake, and surely more to come.

            Thanks,
            Brian

            • 3. Re: Problem w/ BASIC web auth Database
              James Chan Newbie

              Agreed, i'm actually trying to find out what the difference is between role and role group. Would you have an explination you'd be willing to share?