I am trying to set up simple form-based authentication using a database. I am initially trying to secure all web resources, since my application accesses the EJBs via servlets (and is working fine without security). Later I will tighten things down so that the EJBs' business methods will also have security in place.
It seems that everything is in place but I am unable to authenticate a user when I use a valid login/password combination (I am being redirected to the login error page). No exceptions appear in the JBoss console, and the database tables appear to be populated with proper values. Hopefully someone reading this can give me a clue as to what is going wrong.
Here is what I have done so far:
1) I have two tables in my database, one for the user_name and password, and another for roles. The database tables look like this:
table name: principals
column: principal_id VARCHAR(64) primary key
column: password VARCHAR(64)
table name: roles
column: principal_id VARCHAR(64)
column: user_role VARCHAR(64)
column: role_group VARCHAR(64)
2) I have added an entry in $JBOSS/server/default/conf/login-config.xml to declare an application policy which uses a DatabaseServerLoginModule. In this entry I have specified the SQL to be used by the module for selecting the password and role, following the example in the JBoss Getting Started Guide (p. 57):
...
<!-- added for HIM Server security -->
<application-policy name="HIM-client-login">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/OracleDS</module-option>
      <!-- password lookup: the single ? is bound to the submitted user name -->
      <module-option name="principalsQuery">select password from principals where principal_id=?</module-option>
      <!-- role lookup: must be named rolesQuery, not a second principalsQuery -->
      <module-option name="rolesQuery">select user_role, role_group from roles where principal_id=?</module-option>
    </login-module>
  </authentication>
</application-policy>
...
3) I have added a security domain entry in the jboss-web.xml file:
...
<!-- All secure web resources will use this security domain -->
<security-domain>java:/jaas/HIM-client-login</security-domain>
...
4) I have declared a security constraint in the web.xml file:
...
<!-- security configuration -->
<security-constraint>
  <display-name>Server Configuration Security Constraint</display-name>
  <!-- the collection of resources to which the security constraint applies -->
  <web-resource-collection>
    <web-resource-name>Secure Resources</web-resource-name>
    <description>Security constraint for all resources</description>
    <!-- the pattern that this constraint applies to -->
    <url-pattern>/*</url-pattern>
    <!-- the HTTP methods that this constraint applies to -->
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <!-- the user roles that should be permitted access to this resource collection -->
  <auth-constraint>
    <description>Only allow those users that are in the following role</description>
    <role-name>user</role-name>
  </auth-constraint>
  <!-- declare a transport guarantee, if any -->
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
...
5) I have a simple login form (LoginForm.jsp) which encodes j_security_check:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <title>HIM Client Login</title>
</head>
<body>
  <form method="POST" action='<%= response.encodeURL( "j_security_check" ) %>'>
    Username: <input type="text" name="j_username"><br/>
    Password: <input type="password" name="j_password"><br/>
    <br/>
    <input type="submit" value="Login">
    <input type="reset" value="Reset">
  </form>
</body>
</html>
Can anyone see from the above that I have missed something, or that I have done something wrong?
Is there a way to get more information? All I see in the access log file are logs of the requests for the servlet, j_security_check, and the login and error pages, and it might be helpful to have a little more information as to what is going on.
Thanks in advance for any insight.
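A small sanity check for the login-config.xml entry above, added here as an example and not part of the original post: it parses a constructed copy of the HIM-client-login policy and reports duplicated or missing DatabaseServerLoginModule options (dsJndiName, principalsQuery, rolesQuery) and queries that do not bind exactly one ? parameter. The sample XML and the assumption that the second principalsQuery should have been rolesQuery are constructed for this example.

```python
import xml.etree.ElementTree as ET

DB_MODULE = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
REQUIRED_OPTIONS = ("dsJndiName", "principalsQuery", "rolesQuery")

# Constructed sample modelled on the posted entry, with the second
# principalsQuery left exactly as posted (the <policy> root is assumed).
BROKEN_POLICY = """<policy>
  <application-policy name="HIM-client-login">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/OracleDS</module-option>
        <module-option name="principalsQuery">select password from principals where principal_id=?</module-option>
        <module-option name="principalsQuery">select user_role, role_group from roles where principal_id=?</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

# Same policy with the role lookup renamed to rolesQuery (assumed fix).
FIXED_POLICY = BROKEN_POLICY.replace(
    '<module-option name="principalsQuery">select user_role',
    '<module-option name="rolesQuery">select user_role')


def check_policy(xml_text, policy_name):
    """Return a list of problems found in the named application-policy's
    DatabaseServerLoginModule options; an empty list means it looks sane."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"./application-policy[@name='{policy_name}']")
    if policy is None:
        return [f"no application-policy named {policy_name}"]
    problems = []
    for module in policy.iter("login-module"):
        if module.get("code") != DB_MODULE:
            continue
        seen = {}
        for opt in module.findall("module-option"):
            name = opt.get("name")
            if name in seen:  # a repeated name silently overwrites the first
                problems.append(f"duplicate module-option {name}")
            seen[name] = (opt.text or "").strip()
        for name in REQUIRED_OPTIONS:
            if name not in seen:
                problems.append(f"missing module-option {name}")
        for name in ("principalsQuery", "rolesQuery"):
            if name in seen and seen[name].count("?") != 1:
                problems.append(f"{name} must bind exactly one ? parameter")
    return problems
```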