0 Replies Latest reply on Oct 31, 2004 12:04 AM by Glen

    Principal=null after a successful JDBC login and following h

    Glen Newbie

      Any ideas? I've looked at other posts regarding this same issue and have not been able to solve the problem that the subject and principals are not retained between http requests. In JSP's (or other code - Struts application), a call to request.getUserPrincipal() returns null after a successful login and subsequent requests using the DatabaseServerLoginModule configuration. The login.jsp page is always presented if a restricted page is accessed - even after authentication is passed. If I change web.xml to use BASIC instead of FORM based for authentication, the problem goes away - principals are retained between requests and the login.jsp page is only presented once. In trying to narrow down the problem, it seems that when using DatabaseServerLoginModule for authentication, the credentials are not automatically propagated. I have set up my JBoss 3.2.6 environment like the post:
      http://www.javaworld.com/javaforums/showflat.php?Cat=2&Board=JavaSecurity&Number=2500&page=0&view=collapsed&sb=5&o=&fpart=1
      The environment consists of WinXP and MySQL:

      login-config.xml:

      ...
       <application-policy name="mcApp">
       <authentication>
       <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
       <module-option name="dsJndiName">java:/MySqlDS</module-option>
       <module-option name="principalsQuery">select password from n_user where user_id=?</module-option>
       <module-option name="rolesQuery">select role 'Roles', RoleGroup 'RoleGroup' from user_roles where user_id=?</module-option>
       </login-module>
       </authentication>
       </application-policy>
      ...
      

      jboss-web.xml:
      <jboss-web>
       <security-domain>java:/jaas/mcApp</security-domain>
      </jboss-web>
      

      web.xml:
      ...
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>admin</web-resource-name>
       <description>Administration Profile</description>
       <url-pattern>/restricted/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
       <description>Administration</description>
       <role-name>AdminRole</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
       <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>mcApp</realm-name>
       <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/badlogin.jsp</form-error-page>
       </form-login-config>
       </login-config>
      <!--
       <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>mcApp</realm-name>
       </login-config>
      -->
       <security-role>
       <description>Administration</description>
       <role-name>AdminRole</role-name>
       </security-role>
      ...
      

      LoginAction.java:
      ...
       try {
       SecurityAssociationHandler handler = new SecurityAssociationHandler();
       SimplePrincipal user = new SimplePrincipal(j_username);
       handler.setSecurityInfo(user, new String(j_password));
       LoginContext loginContext = new LoginContext("mcApp", (CallbackHandler)handler);
       loginContext.login();
       Subject subject = loginContext.getSubject();
       Set principals = subject.getPrincipals();
      System.out.println("-> LoginAction: Principals:" + principals.toString());
       }
       catch(LoginException e) {
       e.printStackTrace();
       errors.add(ActionErrors.GLOBAL_ERROR, new ActionError("Wrong Username or Password"));
       saveErrors(request, errors);
       return (mapping.getInputForward());
       }
      ...