2 Replies Latest reply on Jun 22, 2004 2:02 AM by Mathew Blackberry

    Webapp Always Allows Access Using Basic Authentication

    Mathew Blackberry Newbie

      Hi my problem is that no matter what username password combo I enter in my login box (BASIC authentication) I am always granted access to the restricted resources.

      my jboss-web.xml is as follows

      <jboss-web>
      <security-domain>java:/jaas/webcreator</security-domain>
      </jboss-web>

      my web.xml is as follows

      ...
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
      bla bla bla
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>power</role-name>
      </auth-constraint>
      </security-constraint>

      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss JMX Console</realm-name>
      </login-config>

      <security-role>
      <role-name>power</role-name>
      </security-role>
      ...

      login-conf.xml is as follows

      ...


      <application-policy name = "webcreator">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag = "required">
      <module-option name = "dsJndiName">java:/mysqlDS</module-option>
      <module-option name = "principalsQuery">select password from users where username=?</module-option>
      <module-option name = "rolesQuery">select role 'Role', "Roles" as RoleGroup from access where username=?</module-option>
      </login-module>

      </application-policy>

      ...

      by changing the above details for securing jmx-console works fine and only the appropriate users have access, so I don't think there is a problem with the DatabasServerLoginModule in login-config.xml.

      Can anybody help with why it always lets me in, in my webapp.

      Is there anything else that is required other that jboss-web.xml, web.xml and login-config.xml

      thanks
      Mat