3 Replies Latest reply on Nov 8, 2004 12:39 PM by Scott Stark

    <role-name> from web.xml && <module-option name="rolesProper

    lio oil Newbie

      Hello world,

      Sorry if this question has already been posted here, but i'm quite new
      in JBoss, so feel free to forward me to the relevant thread if necessary.

      I'm buiding a webapp where users can be distinguished by they role.
      I needed to respect JAAS, so 've defined this roles in myWebApp-roles.properties through my login-config-xml.

      To protect some features of my app, i want an URL control list. That's i intend to do in my web.xml

      The Authentication seems to be allright : i get my subjecvt and my principals ( Roles(members:BasicUser) ).

      But i don't have acces to my url :
      "GET /myWebApp/action/menuView HTTP/1.1" 302 -

      It seems like if the role wasn't shared between my webapp and JBoss?

      What's wrong ? What did i forget ?

      Please help,

      web.xml :
      -----------
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>MyWebAppActions</web-resource-name>
      MyWebApp actions mappings
      <url-pattern>/action/menuView</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>BasicUser</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      login-config.xml :
      -------------------
      <application-policy name="myWebApp">

      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      </login-module>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">
      myAppGuest
      </module-option>
      <module-option name="usersProperties">
      myWebApp-users.properties
      </module-option>
      <module-option name="rolesProperties">
      myWebApp-roles.properties
      </module-option>
      </login-module>

      </application-policy>

      myWebApp-roles.properties :
      ----------------------------------
      MyUser=BasicUser

        • 1. Re: <role-name> from web.xml && <module-option name=
          Scott Stark Master

          A 302 return code is a temporary redirect. This is used when using form authentication to redirect you to the login form.

          • 2. Re: <role-name> from web.xml && <module-option name=
            lio oil Newbie


            I understand that's a redirect redirect because it has been coded in this way in the web.xml file :

            <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
            <form-login-page>/action/authenticationView</form-login-page>
            <form-error-page>/action/authenticationProcess</form-error-page>
            </form-login-config>
            </login-config>

            Dynamicly, i can see the process authentication that succeeds :

            1 - /action/authenticationProcess identifies properly the client
            i.e, my loginContext works well : i get my subject and my principals

            2 - /action/authenticationProcess tries a forward to action/menuView

            3 - this forward is rejected (our 302 redirect) because this URL is a protected resource (my <security-constraint>)

            Maybe the relevant question is how can i map the <role-name> with one of the principals i get from my loginContext ?

            • 3. Re: <role-name> from web.xml && <module-option name=
              Scott Stark Master

              A redirect only occurs for authentication failures, not authorization. You map the roles to a user using the roles.properties file as discussed in the JAAS Howto in this forum.