14 Replies Latest reply on Mar 17, 2004 5:52 AM by ahardy66

    Problems with FORM Authentication

    Don Griffing Newbie

      I am using JBoss 3.2.3 and having problems with FORM authentication. I am using a custom login module that extends UsernamePasswordLoginModule. When I use BASIC authentication, everything behaves as expected. When I change to FORM authentication, none of the methods in my custom module are invoked so the user does not get authenticated. Below are snippets of the configuration files. What do I need to do to get FORM authentication working?

      login-config.xml

      <application-policy name = "client-login">
       <authentication>
       <login-module code = "org.jboss.security.ClientLoginModule"
       flag = "required">
       </login-module>
       <login-module code = "com.fdsolutions.security.module.LoginModule"
       flag = "required">
       </login-module>
       </authentication>
       </application-policy>


      jboss-web.xml
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">
      
      <jboss-web>
      
       <security-domain>java:/jaas/client-login</security-domain>
       <context-root>/myapp</context-root>
      
       <!-- Resource Environment References -->
      
       <!-- Resource references -->
      
       <!-- EJB References -->
      
      </jboss-web>


      web.xml
      <security-constraint>
       <display-name>Server Configuration Security Constraint</display-name>
       <web-resource-collection>
       <web-resource-name>Protected Area</web-resource-name>
       <url-pattern>*.jsp</url-pattern>
       <url-pattern>*.do</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>user</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
       <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>FDS</realm-name>
      <!--
       <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/login-error.html</form-error-page>
       </form-login-config>
      -->
       </login-config>
       <security-role>
       <description>The role that is required to log in to the application</description>
       <role-name>user</role-name>
       </security-role>
      


        • 1. Re: Problems with FORM Authentication
          Scott Stark Master

          For starters, make sure that the form-login-config is not commented out as currently the case for the given web.xml. Is the login page being displayed at all?

          • 2. Re: Problems with FORM Authentication
            Don Griffing Newbie

            When I attempt to use FORM authentication, I change <auth-method> to FORM and uncomment <form-login-config>. My login form is displayed. I enter valid user credentials and the <form-error-page> is displayed. From the logging that I have included in my custom login module, I know that it is not being accessed.

            • 3. Re: Problems with FORM Authentication
              Don Griffing Newbie

              I really would like to get an answer to this problem. While BASIC authentication works, it has a nasty side-effect due to the fact that the user credentials are cached in the browser.

              • 4. Re: Problems with FORM Authentication
                martin0 Novice

                How about getting it working with the JBoss DatabaseServerLoginModule before trying your own custom module?

                A good starting point might be the updated JavaWorld JAAS Howto paper at http://sourceforge.net/docman/display_doc.php?docid=18240&group_id=22866

                I used that paper and now have form based auth working with a struts application - subsequent restricted page access fails - but that's anothe story.

                Martin

                • 5. Re: Problems with FORM Authentication
                  sunose Newbie

                  I have familiarly question.
                  My issue is:the LDAP autentication is ok.but when I uss response.sendRedirect("check/frame.js");

                  the login page displayed. it is seem the web container is not acknowledge the authentication.

                  who can tell me what cause this?I have study three days.

                  thanks in advance.

                  William

                  • 6. Re: Problems with FORM Authentication
                    Don Griffing Newbie

                    Been offline while setting up a new computer. Before I created my custom login module, I tried the DatabaseServerLoginModule. I had the same problem. I created the custom login module so that I could attempt to track down the location of the problem.

                    • 7. Re: Problems with FORM Authentication
                      martin0 Novice

                      What are you trying to achieve here - not the work arounds etc, but your initial objective?

                      I have form based auth working with DatabaseLoginServerModule, mainly thanks to the paper I mentioned about, that Scott wrote.

                      Martin

                      • 8. Re: Problems with FORM Authentication
                        martin0 Novice

                        "about" should read "above"

                        • 9. Re: Problems with FORM Authentication
                          Don Griffing Newbie

                          I have been out-of-pocket and without Internet access. My primary objective is to use FORM Authentication. I do not necessarily need to use my custom login module. I only created it because the DatabaseLoginServerModule was not logging enough tracing information.

                          The central issue is that whenever I try to use FORM Authentication the logging always fails redirecting to the <form-error-page>. It appears that j_security_check never uses the specified security-domain. Is there something missing from the snippets that I originally provided?

                          • 10. Re: Problems with FORM Authentication
                            Don Griffing Newbie

                            I wish that I could get an answer on this issue. I know that there is a "duh" in the configuration but I cannot find it. Based on the number times this posting has been viewed, I assume that it is a common question.

                            • 11. Re: Problems with FORM Authentication
                              Scott Stark Master

                              You have added no new information in the last few additions to this thread, so try showing the server.log messages from the login. To get more out of the security layer enable trace level logging and ensure the server.log FILE appender does not have a Threshold setting.

                               <category name="org.jboss.security">
                               <priority value="TRACE" class="org.jboss.logging.XLevel"/>
                               </category>
                              



                              • 12. Re: Problems with FORM Authentication
                                ahardy66 Novice

                                Don,
                                I'm assuming from your comments that the BASIC login causes the LoginModule to output heaps of successful login messages, and that when you change it to FORM, your LoginModule goes quiet.

                                To me this says that your login form HTML is wrong. Are you sure you have spelt the j_username and j_password field names correctly, and the j_security_check form action?

                                Adam

                                • 13. Re: Problems with FORM Authentication
                                  Don Griffing Newbie

                                  I do not get it. I added

                                  <category name="org.jboss.security">
                                   <priority value="TRACE" class="org.jboss.logging.XLevel"/>
                                   </category>
                                  
                                  to my log4j.xml as Scott Stark recommended. The FORM authentication is now working as expected. Below are snippets from the configuration file and login.jsp from the working FORM authentication.

                                  login-config.xml
                                  <application-policy name = "client-login">
                                   <authentication>
                                   <login-module code = "org.jboss.security.ClientLoginModule"
                                   flag = "required">
                                   </login-module>
                                   <login-module code = "com.fdsolutions.security.module.LoginModule"
                                   flag = "required">
                                   </login-module>
                                   </authentication>
                                   </application-policy>


                                  jboss-web.xml
                                  <jboss-web>
                                  
                                   <security-domain>java:/jaas/client-login</security-domain>
                                   <context-root>/myapp</context-root>
                                  
                                   <!-- Resource Environment References -->
                                  
                                   <!-- Resource references -->
                                  
                                   <!-- EJB References -->
                                  
                                  </jboss-web>


                                  web.xml
                                  <security-constraint>
                                   <display-name>Server Configuration Security Constraint</display-name>
                                   <web-resource-collection>
                                   <web-resource-name>Protected Area</web-resource-name>
                                   <url-pattern>*.jsp</url-pattern>
                                   <url-pattern>*.do</url-pattern>
                                   </web-resource-collection>
                                   <auth-constraint>
                                   <role-name>user</role-name>
                                   </auth-constraint>
                                   <user-data-constraint>
                                   <transport-guarantee>NONE</transport-guarantee>
                                   </user-data-constraint>
                                   </security-constraint>
                                   <login-config>
                                   <auth-method>FORM</auth-method>
                                   <realm-name>FDS</realm-name>
                                   <form-login-config>
                                   <form-login-page>/login.jsp</form-login-page>
                                   <form-error-page>/login-error.html</form-error-page>
                                   </form-login-config>
                                   </login-config>
                                   <security-role>
                                   <description>The role that is required to log in to the application</description>
                                   <role-name>user</role-name>
                                   </security-role>


                                  login.jsp
                                  <%@ page language="java" isThreadSafe="true" isErrorPage="false" %>
                                  
                                  <html locale="true">
                                   <SCRIPT language="JavaScript">
                                   <!--
                                   top.location.target = "_top"
                                   if ( window.location.target != "_top" ) {
                                   top.location.href = window.location.href
                                   }
                                   // -->
                                   </SCRIPT>
                                   <head>
                                   <title>First Degree Solutions, LLC</title>
                                   <link rel=StyleSheet href="myapp.css" type="text/css" media=screen>
                                   </head>
                                   <body>
                                   <h1>Login</h1>
                                   <br/>
                                   <center>
                                   <form method="POST" action='<%= response.encodeURL( "j_security_check" ) %>' >
                                   <table>
                                   <tr>
                                   <th>Username:</th>
                                   <td><input type="text" name="j_username" size="15"/></td>
                                   </tr>
                                   <tr>
                                   <th>Password:</th>
                                   <td><input type="password" name="j_password" size="15"/></td>
                                   </tr>
                                   <tr/>
                                   <tr>
                                   <td colspan="2" align="right">
                                   <input type="submit" value="Submit"/>
                                   </td>
                                   </tr>
                                   </table>
                                   </form>
                                   </center>
                                   </body>
                                  </html>


                                  • 14. Re: Problems with FORM Authentication
                                    ahardy66 Novice

                                    guess somebody took the pin out of their little voodoo doll of your jboss server.

                                    Actually I had some baffling experiences before I sorted out the TRACE logging.