5 Replies Latest reply on Mar 1, 2005 10:43 AM by Gyounghwa Kim

    how to test form-based security using jaas, mysql set up

    Gyounghwa Kim Newbie

      Hi.

      I'm a beginner at jboss, so I'm struggling with setting up the server.
      I developed web ( jsp, servlet ) and ejb ( session bean ) and it works fine
      without any security. So now I'm trying to add form-based security to my application.

      I've read jboss documentation chapter8 and modified web.xml, jboss-web.xml, ejb-jar.xml, jboss.xml, login-config.xml. However, I don't know if it works or not. How do I test if it works or not?

      Also, which part is really required for the security to work?

      Is there any good example or tutorial about this ?

      I really appreciate the help in advance.

        • 1. Re: how to test form-based security using jaas, mysql set up
          Ricardo Arguello Newbie

          You need to add a login page for your web application:
          http://www.onjava.com/pub/a/onjava/2002/06/12/form.html

          Note that the Realm references don't apply. You need to configure JAAS instead.

          Ricardo

          • 2. Re: how to test form-based security using jaas, mysql set up
            Gyounghwa Kim Newbie

            I had login.html with







            and my application deployed.

            However, if I tried to login, it shows
            http://localhost:8080/projectname/j_security_check on the url and
            doesn't do anything.

            What am I missing here ?

            Also, I thought I configured JAAS using jboss documentation, but I'm not sure if I did it correctly. What do I have to do except modifying web.xml, ejb-jar.xml, jboss.xml, jboss-web.xml, login-config.xml ?

            Another question. Does role-name has to be exactly the same as the result from rolesQuery in login-config.xml ?

            I really appreciate the help.
            Thank you



            My login-config.xml under jboss/server/default/conf looks like the following.

            <application-policy name = "projectname">

            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
            flag="required">
            <module-option name="dsJndiName">java:/MySqlDS</module-option>
            <module-option name="principalsQuery">
            select password from employees where username=?
            </module-option>
            <!-- second column of the following query has to be 'Roles' -->
            <module-option name="rolesQuery">
            select management, 'Roles' from employees where username=?
            </module-option>

            <module-option name="hashAlgorithm">MD5</module-option>
            <module-option name="hashEncoding">base64</module-option>

            </login-module>

            </application-policy>

            And I have only one line

            <security-domain>java:/jaas/project</security-domain>

            in jboss.xml and jboss-web.xml.

            Also, in my web.xml I have the following.

            <security-constraint>
            <web-resource-collection>
            <web-resource-name>secure content</web-resource-name>
            Declarative security test
            <url-pattern>/*</url-pattern>
            <http-method>POST</http-method>
            </web-resource-collection>

            <auth-constraint>
            <role-name>supervisor</role-name>
            </auth-constraint>

            <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
            </security-constraint>

            <security-role>
            The role required to access restricted content
            <role-name>supervisor</role-name>
            </security-role>

            <!-- ... -->
            <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>The Restricted Zone</realm-name>
            <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
            </form-login-config>
            </login-config>


            Do I have to put <ejb-ref> here ? I didn't think so.

            Also in my ejb-jar.xml, I have the following.


            <ejb-name>Supervisor</ejb-name>
            <local-home>ejb.session.SupervisorLocalHome</local-home>
            ejb.session.SupervisorLocal
            ejb.session.SupervisorRemoteHome
            ejb.session.SupervisorRemote
            <ejb-class>ejb.session.Supervisor</ejb-class>
            <session-type>Stateless</session-type>
            <transaction-type>Container</transaction-type>

            <ejb-local-ref>
            <ejb-ref-name>Employees</ejb-ref-name>
            <ejb-ref-type>Entity</ejb-ref-type>
            <local-home>ejb.employee.EmployeeLocalHome</local-home>
            ejb.employee.EmployeeLocal
            <ejb-link>Employees</ejb-link>
            </ejb-local-ref>

            <security-identity>
            <run-as>
            <role-name>supervisor</role-name>
            </run-as>
            </security-identity>

            <security-role-ref>
            <role-name>SupervisorRole</role-name>
            <role-link>supervisor</role-link>
            </security-role-ref>


            <assembly-descriptor>

            <!-- declare logical roles -->
            <security-role>

            This role represents everyone who is allowed access
            to the Employee EJB.

            <role-name>employee</role-name>
            </security-role>

            <security-role>

            This role represents supervisor who is allowed full accessto all the EJBs.

            <role-name>supervisor</role-name>
            </security-role>

            <method-permission>
            <role-name>supervisor</role-name>

            <ejb-name>Employees</ejb-name>
            <method-name>*</method-name>

            </method-permission>

            <method-permission>
            <role-name>supervisor</role-name>

            <ejb-name>Supervisor</ejb-name>
            <method-name>*</method-name>

            </method-permission>

            <container-transaction>

            <ejb-name>Employees</ejb-name>
            <method-name>*</method-name>

            <trans-attribute>Required</trans-attribute>
            </container-transaction>

            </assembly-descriptor>

            • 5. Re: how to test form-based security using jaas, mysql set up
              Gyounghwa Kim Newbie

              Thank you for all the help. I made it work.