1 Reply Latest reply on Dec 30, 2003 12:48 PM by lhg

    LoginOK, but got 403- access denied

    lhg Newbie

      I am using JAAS DataBaseServerLoginModule to protect my web pages, confirguration seems OK, but with correct userid & password, I still got "HTTP Status 400 - Invalid direct reference to form login page".
      I checked all xml files are valid. I wrote a test page found both request.getUserPrincipal() and request.getRemoteUser() returns null after login.
      What was the problem?

      I am using Jboss3.2.3



      this is the log:
      17:40:39,717 TRACE [DatabaseServerLoginModule] initialize
      17:40:39,733 TRACE [DatabaseServerLoginModule] Passworg hashing activated: algorithm = MD5, encoding = HEX
      17:40:39,733 TRACE [DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/BOADS
      17:40:39,733 TRACE [DatabaseServerLoginModule] principalsQuery=SELECT password FROM Users WHERE loginID=?
      17:40:39,733 TRACE [DatabaseServerLoginModule] rolesQuery=SELECT role_name, role_desc FROM vUserRole WHERE loginID=?
      17:40:39,733 TRACE [DatabaseServerLoginModule] login
      17:40:39,748 TRACE [DatabaseServerLoginModule] User 'tester' authenticated, loginOk=true
      17:40:39,748 TRACE [DatabaseServerLoginModule] commit, loginOk=true

      this is my web.xml: user 'tester' has role 'C'
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Protected Area for registed user</web-resource-name>
      <url-pattern>/ds/*</url-pattern>
      <url-pattern>/index.jsp</url-pattern>
      <url-pattern>/home.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>A</role-name>
      <role-name>B</role-name>
      <role-name>C</role-name>
      </auth-constraint>
      </security-constraint>

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>BoARealm</realm-name>
      <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
      </form-login-config>
      </login-config>

      <security-role>
      <role-name>A</role-name>
      </security-role>
      <security-role>
      <role-name>B</role-name>
      </security-role>
      <security-role>
      <role-name>C</role-name>
      </security-role>

      login-config.xml
      <application-policy name = "BoARealm">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required" >
      <module-option name="dsJndiName">java:/BOADS</module-option>
      <module-option name="principalsQuery">SELECT password FROM Users WHERE loginID=?</module-option>
      <module-option name="rolesQuery">SELECT role_name, role_desc FROM vUserRole WHERE loginID=?</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">HEX</module-option>
      </login-module>

      </application-policy>

      jboss-web.xml:
      <jboss-web>
      <security-domain>java:jaas/BoARealm</security-domain>
      </jboss-web>


      thanks to any comment.