6 Replies Latest reply on Jul 28, 2004 7:29 PM by Diwakar

    Authentication does not work after migrating from jboss-3.0.

    Diwakar Newbie

      Hi,

      We just migrated from jboss 3.0.8/jetty to jboss 3.2.3/tomcat 5.0. We were using the DatabaseServerLoginModule for authentication in jboss 3.0.8 and everything used to work fine. After migrating to jboss 3.2.3 according to the user guide, we are redirected to the login page when we try to access a page that should be protected, but we can enter in anything for the j_username and j_password and we will be allowed to access the protected pages.

      Any help will be appriciated.

      Thank you,
      Diwakar.

        • 1. Re: Authentication does not work after migrating from jboss-
          auckyboy Newbie

          How were you protecting the pages in Jetty 3.0.8 ? Please elaborate further.

          • 2. Re: Authentication does not work after migrating from jboss-
            Diwakar Newbie

            Thanks for responding. :)

            Here are the files that should be relevant from our 3.2 (both .3 and .5) config - the login-config.xml is the same as what ships with jboss, plus our application-policy, shown below. Obviously, we've had to sanitize some things - the example.com stuff isn't real.

            Experiments we have run:
            - misspelled the "login-module" in login-config.xml tag; this caused jboss to complain, so we know it's at least parsing the file.
            - misspelled something in web.xml to similar effect.
            - removed the existing security-roles from the auth-constraint in the security-contraint for /* and added a security-role that didn't exist; no change in behavior - we get the login page before going to any protected page, but any user name lets us through.

            Is there any other info that might be of use?

            Thanks,
            Diwakar

            ### web.xml - same for 3.0.8 and 3.2.3 ###
            
            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE web-app PUBLIC
             "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
             "http://java.sun.com/dtd/web-app_2_3.dtd">
            
            <web-app>
            <!-- ### Servlets -->
             <servlet>
             <servlet-name>ExampleServlet</servlet-name>
             <servlet-class>com.example.ExampleServlet</servlet-class>
             </servlet>
            
            <!-- ### Servlet Mappings -->
             <servlet-mapping>
             <servlet-name>ExampleServlet</servlet-name>
             <url-pattern>/ExampleServlet</url-pattern>
             </servlet-mapping>
            
             <session-config>
             <session-timeout>30</session-timeout>
             </session-config>
            
            <!-- The Welcome File List -->
            
             <welcome-file-list>
             <welcome-file>index.jsp</welcome-file>
             </welcome-file-list>
            
             <error-page>
             <error-code>403</error-code>
             <location>/AccessDenied.jsp</location>
             </error-page>
            
             <error-page>
             <error-code>404</error-code>
             <location>/AccessDenied.jsp</location>
             </error-page>
            
             <security-constraint>
             <web-resource-collection>
             <web-resource-name>Login</web-resource-name>
             <url-pattern>/*</url-pattern>
             </web-resource-collection>
             <auth-constraint>
             <role-name>Admin</role-name>
             <role-name>Operator</role-name>
             </auth-constraint>
             <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
             </user-data-constraint>
             </security-constraint>
            
             <security-constraint>
             <web-resource-collection>
             <web-resource-name>Admin</web-resource-name>
             <url-pattern>/Admin/*</url-pattern>
             </web-resource-collection>
             <auth-constraint>
             <role-name>Admin</role-name>
             </auth-constraint>
             </security-constraint>
            
             <login-config>
             <auth-method>FORM</auth-method>
             <realm-name>example-login</realm-name>
             <form-login-config>
             <form-login-page>/login.jsp</form-login-page>
             <form-error-page>/loginError.jsp</form-error-page>
             </form-login-config>
             </login-config>
            
             <security-role>
             <role-name>Admin</role-name>
             </security-role>
            
             <security-role>
             <role-name>Operator</role-name>
             </security-role>
            
             <ejb-ref>
             <ejb-ref-name>DbExampleBean</ejb-ref-name>
             <ejb-ref-type>Session</ejb-ref-type>
             <home>DbExampleRemoteHome</home>
             <remote>DbExampleRemote</remote>
             </ejb-ref>
            
            </web-app>
            
            
            
            ### jboss-web.xml - same for 3.0.8 and 3.2.3 ###
            
            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE jboss-web
             PUBLIC "-//JBoss//DTD Web Application 2.3//EN"
             "http://www.jboss.org/j2ee/dtds/jboss-web_3_0.dtd">
            
            <jboss-web>
            
             <security-domain>java:/jaas/example-login</security-domain>
            
             <ejb-ref>
             <ejb-ref-name>DbExampleBean</ejb-ref-name>
             <jndi-name>ejb/DbExampleBean</jndi-name>
             </ejb-ref>
            </jboss-web>
            
            
            
            ### login-config.xml ###
            
            <?xml version='1.0'?>
            <!DOCTYPE policy PUBLIC
             "-//JBoss//DTD JBOSS Security Config 3.0//EN"
             "http://www.jboss.org/j2ee/dtd/security_config.dtd">
            
            <policy>
             <!-- Used by clients within the application server VM such as
             mbeans and servlets that access EJBs.
             -->
            
             <!-- This is our login module -->
             <application-policy name = "example-login">
             <authentication>
             <login-module
            code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
            flag = "required">
             <module-option name = "dsJndiName">java:/OracleDS</module-option>
             <module-option name = "principalsQuery">
             SELECT table_user.login_password FROM table_user
            WHERE table_user.status = 1 and table_user.login_name = ?
             </module-option>
             <module-option name = "rolesQuery">
             SELECT table_user_role.role_name, 'Roles' RoleGroup
            FROM table_user, table_user2user_role, table_user_role
            WHERE table_user.status = 1
            and table_user.user_id = table_user2user_role.user_id
            and table_user_role.role_id = table_user2user_role.role_id
            and table_user.login_name = ?
             </module-option>
             </login-module>
             </authentication>
             </application-policy>
            
            
             <!-- more application-policy tags follow, not shown
             <application-policy name = "...">
             ...
             </application-policy>
             -->
            </policy>
            
            


            • 3. Re: Authentication does not work after migrating from jboss-
              auckyboy Newbie

              The config files seem ok. A similar post couple of months ago.

              http://saloon.javaranch.com/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=63&t=000626

              Top of my head it seems that

              <context-root>/</context-root> is missing in jboss-web.xml

              HTH

              If that is fine then it sems that loginError.jsp and login.jsp might be same :-)

              • 4. Re: Authentication does not work after migrating from jboss-
                Diwakar Newbie

                Thank you for responding.

                I added contexxt-root tag to my jboss-web.xml. Still it does not seem to work. I even tried changing the log level to TRACE as explained in the posting, no luck.

                Am i doing something wrong in login-config.xml.

                I really appriciated any help.

                Thankyou,
                Diwakar.

                • 5. Re: Authentication does not work after migrating from jboss-
                  Scott Stark Master

                  Show output from the trace level logging regarding the org.jboss.security category. The context-root is not required in jboss-web.xml.

                  • 6. Re: Authentication does not work after migrating from jboss-
                    Diwakar Newbie

                    Its working now. Problem was with our build.xml. All the files are OK but build.xml who not copying jboss-web.xml into the war file.

                    Thank you for everyone who responded. I appriciated it.


                    Diwakar.