0 Replies Latest reply on Dec 4, 2003 11:36 AM by Giovanni Formenti

    Status 403

    Giovanni Formenti Newbie

      Hi!
      I'd like to create a WAR with some security constraints!

      I modified login-config.xml and created the database tables:
      <application-policy name="dafne">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                        flag="required">
            <module-option name="dsJndiName">java:/MySqlDS</module-option>
            <module-option name="principalsQuery">SELECT PASSWORD FROM PRINCIPALS WHERE PRINCIPAL_ID=?</module-option>
            <module-option name="rolesQuery">SELECT ROLE,ROLEGROUP FROM ROLES WHERE PRINCIPAL_ID=?</module-option>
          </login-module>
        </authentication>
      </application-policy>

      I created jboss-web.xml:
      <jboss-web>
        <security-domain>java:/jaas/dafne</security-domain>
      </jboss-web>

      And finally I put the web constraints:
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected</web-resource-name>
          <url-pattern>/index.jsp</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>default</realm-name>
      </login-config>
      <security-role>
        <role-name>admin</role-name>
      </security-role>

      The authentication works well:
      xxx.xxx.xxx.xxx - admin [04/Dec/2003:18:28:16 1000] "GET /aaa/index.jsp HTTP/1.1" 403 839
      but a 403 appears:
      Access to the specified resource (Access to the requested resource has been denied) has been forbidden

      Maybe JBoss can't bind the username to the role...
      Why doesn't this work!? What am I missing?!
      Help me please!!!

      Gio
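
An added example, not part of the original post and not JBoss code: a Python/sqlite3 simulation of the two queries from the posted login-config.xml, showing how a login can succeed while the `admin` role check still ends in 403. It assumes the documented DatabaseServerLoginModule behaviour that the second rolesQuery column names a role group and that authorization uses only the group named exactly `Roles`; the table rows, the password `secret` and all function names are constructed for the illustration.

```python
import hmac
import sqlite3

# Queries copied verbatim from the posted login-config.xml.
PRINCIPALS_QUERY = "SELECT PASSWORD FROM PRINCIPALS WHERE PRINCIPAL_ID=?"
ROLES_QUERY = "SELECT ROLE,ROLEGROUP FROM ROLES WHERE PRINCIPAL_ID=?"

def make_db(role_rows):
    """Constructed in-memory tables using the column names the queries expect."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PRINCIPALS (PRINCIPAL_ID TEXT PRIMARY KEY, PASSWORD TEXT)")
    db.execute("CREATE TABLE ROLES (PRINCIPAL_ID TEXT, ROLE TEXT, ROLEGROUP TEXT)")
    db.execute("INSERT INTO PRINCIPALS VALUES ('admin', 'secret')")  # constructed user
    db.executemany("INSERT INTO ROLES VALUES (?, ?, ?)", role_rows)
    return db

def role_sets(db, user):
    """Group rolesQuery rows by their second column (the role group name)."""
    groups = {}
    for role, group in db.execute(ROLES_QUERY, (user,)):
        groups.setdefault(group, set()).add(role)
    return groups

def http_status(db, user, password, required_role="admin"):
    """401: login failed. 403: logged in, role missing. 200: allowed."""
    row = db.execute(PRINCIPALS_QUERY, (user,)).fetchone()
    # No hashAlgorithm option is set in the post, so the value is compared as stored.
    if row is None or not hmac.compare_digest(row[0], password):
        return 401
    # Assumption (documented module behaviour): only the group named exactly
    # "Roles" feeds the <auth-constraint> role check.
    granted = role_sets(db, user).get("Roles", set())
    return 200 if required_role in granted else 403

def diagnose(db, user, required_role="admin"):
    """Explain why an authenticated user would still be refused."""
    groups = role_sets(db, user)
    if required_role in groups.get("Roles", set()):
        return []
    if not groups:
        return [f"rolesQuery returned no rows for {user!r}"]
    return [f"found role {r!r} in group {g!r}; need {required_role!r} in 'Roles'"
            for g, roles in sorted(groups.items()) for r in sorted(roles)]

if __name__ == "__main__":
    for rows in ([("admin", "admin", "Roles")], [("admin", "admin", "roles")], []):
        db = make_db(rows)
        print(rows, http_status(db, "admin", "secret"), diagnose(db, "admin"))
```

Running the same two SELECT statements by hand against the MySqlDS database for the `admin` principal gives the rows to compare against these cases.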