6 Replies Latest reply on Jan 21, 2011 9:21 AM by Jaroslav Cibulka

    JAAS : Form Based Authentication Problem

    Hariharasudhan T Newbie

      Hi, I am developing a simple authentication application to learn about the JAAS implementation in JBoss using the DatabaseServerLoginModule. My flow goes like this.

      I have the following tables in Oracle:
      CREATE TABLE Users(username VARCHAR(64) PRIMARY KEY, passwd VARCHAR(64))
      CREATE TABLE UserRoles(username VARCHAR(64), userRoles VARCHAR(32))

      Sample values
      ==========
      INSERT INTO Users VALUES('j2ee','j2ee')
      INSERT INTO UserRoles VALUES('j2ee','j2ee')

      I have created an XA Datasource for Oracle in JBoss 4.0.1.

      My other configurations and code go like this:

      login-config.xml
      ===========
      <application-policy name = "jbossmq">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "dsJndiName">jdbc/OracleDS</module-option>
      <module-option name="principalsQuery"> select passwd from Users where username=? </module-option>
      <module-option name="rolesQuery"> select userRoles,'Roles' from UserRoles where username=? </module-option>

      </login-module>

      </application-policy>

      jboss-web.xml
      ==========
      <jboss-web>
      <security-domain>java:/jaas/jbossmq</security-domain>
      </jboss-web>

      web.xml
      ======
      <web-app>
      <welcome-file-list>
      <welcome-file>home.jsp</welcome-file>
      </welcome-file-list>
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Html</web-resource-name>
      <description>An example security config</description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>j2ee</role-name>
      </auth-constraint>
      </security-constraint>
      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>jbossmq</realm-name>
      <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logon.jsp?errors=true</form-error-page>
      </form-login-config>
      </login-config>
      <security-role>
      <role-name>j2ee</role-name>
      </security-role>
      </web-app>

      logon.jsp
      ======
      I use a JSP where I have two text fields, j_username and j_password, and map the form action to "j_security_check" as specified by Sun.

      I assume that <form-login-page>/logon.jsp</form-login-page> will override loading the pages in the <welcome-file-list> and upon successful authentication the first page in the <welcome-file-list> is fetched.

      When I access this application from my browser I get logon.jsp to enter the username and password. When I give an invalid username and password it takes me to the error page I have configured in web.xml. But when I give a valid username and password, my browser reports:

      HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser

      I am getting this error with both Mozilla Firefox and Internet Explorer, so I assume it might not be a browser issue.

      I am not getting any error messages in my JBoss console either. Please tell me what the cause could be. Thank you!

      - Hari
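Two points a practitioner would check in the configuration above. First, the 408 page quoted in the post is Tomcat's FormAuthenticator message for a j_security_check request whose saved original request is no longer in the session; it is produced after the login module has already accepted the credentials, which is why nothing shows up in the JBoss log. Second, Users.passwd holds the password in clear ('j2ee') and principalsQuery hands it back for a plain comparison. DatabaseServerLoginModule also accepts the hashAlgorithm and hashEncoding (and hashCharset) module options, in which case the column must hold the digest of the password, base64- or hex-encoded. The following Python model is an added example, not code from the post or from JBoss: it runs the post's two queries unchanged against an in-memory SQLite database that stands in for the Oracle datasource, with sample rows constructed from the post, and shows what the module does with unauthenticatedIdentity, principalsQuery, the password comparison and rolesQuery, both in the clear-text setup shown and with hashing switched on.

```python
"""Model of how JBoss AS 4's DatabaseServerLoginModule consumes the two
queries from the post's login-config.xml.  Added example, not JBoss code:
an in-memory SQLite database stands in for the Oracle datasource and the
module's hashing is reproduced from the documented hashAlgorithm /
hashEncoding options, not imported from JBoss."""
import base64
import hashlib
import hmac
import sqlite3

# The queries exactly as in the post; JDBC '?' placeholders are also SQLite's.
PRINCIPALS_QUERY = "select passwd from Users where username=?"
ROLES_QUERY = "select userRoles,'Roles' from UserRoles where username=?"


def password_hash(password, algorithm="SHA-256", encoding="base64", charset="UTF-8"):
    """Stored value the module expects once hashAlgorithm/hashEncoding are set:
    one unsalted MessageDigest over the password bytes, base64- or hex-encoded."""
    name = algorithm.replace("-", "").lower()          # "SHA-256" -> "sha256"
    digest = hashlib.new(name, password.encode(charset)).digest()
    if encoding.lower() == "base64":
        return base64.b64encode(digest).decode("ascii")
    if encoding.lower() == "hex":
        return digest.hex()
    raise ValueError("hashEncoding must be base64 or hex")


def make_db(hash_algorithm=None):
    """Constructed sample data: the post's two tables and its single j2ee row.
    With hash_algorithm=None the password is stored in clear, as in the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users(username VARCHAR(64) PRIMARY KEY, passwd VARCHAR(64))")
    db.execute("CREATE TABLE UserRoles(username VARCHAR(64), userRoles VARCHAR(32))")
    stored = "j2ee" if hash_algorithm is None else password_hash("j2ee", hash_algorithm)
    db.execute("INSERT INTO Users VALUES(?, ?)", ("j2ee", stored))
    db.execute("INSERT INTO UserRoles VALUES(?, ?)", ("j2ee", "j2ee"))
    db.commit()
    return db


def login(db, username, password, hash_algorithm=None, hash_encoding="base64",
          unauthenticated_identity="guest"):
    """Return (principal, {group: [roles]}) on success, None on failure.
    The order of checks mirrors the module: unauthenticatedIdentity first,
    then principalsQuery, then the password, then rolesQuery."""
    if username is None:
        # No credentials at all: the unauthenticatedIdentity option turns this
        # into a principal with no roles instead of a failed login.
        return None if unauthenticated_identity is None else (unauthenticated_identity, {})
    row = db.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None:
        return None                                     # no such user
    expected = row[0]
    supplied = (password if hash_algorithm is None
                else password_hash(password, hash_algorithm, hash_encoding))
    # The module uses String.equals(); a constant-time compare costs nothing here.
    if not hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        return None                                     # wrong password
    # rolesQuery returns (role, group); every row of the post's query lands in
    # the "Roles" group, which is the one the web container consults.
    groups = {}
    for role, group in db.execute(ROLES_QUERY, (username,)):
        groups.setdefault(group, []).append(role)
    return username, groups


if __name__ == "__main__":
    clear = make_db()
    print("clear-text:", login(clear, "j2ee", "j2ee"), login(clear, "j2ee", "nope"))
    hashed = make_db("SHA-256")
    print("stored hash:", hashed.execute(PRINCIPALS_QUERY, ("j2ee",)).fetchone()[0])
    print("hashed:", login(hashed, "j2ee", "j2ee", hash_algorithm="SHA-256"))
    print("guest:", login(hashed, None, None))
```

To move the post's setup off clear-text storage, add `<module-option name="hashAlgorithm">SHA-256</module-option>` and `<module-option name="hashEncoding">base64</module-option>` to the jbossmq application-policy and store the value `password_hash("j2ee")` produces in Users.passwd; the queries themselves stay as they are. Note that what the module does is a single unsalted digest, which resists casual reading of the table but is not a substitute for a salted, iterated password hash; for the MD5/base64 pair the function reproduces the `X03MO1qnZdYdgyfeuILPmQ==` value for "password" that appears in the JBoss documentation, so it can be checked against a known reference.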