2 Replies Latest reply on Aug 3, 2005 12:42 PM by Scott Stark

    Migrating from Weblogic to JBoss : problem with webapp auth.

    Dominique Jean-Prost Newbie

      I already posted the same message on the servlet newsgroup. I'm trying this one too, just in case.
      ***************
      I'm currently trying to migrate a webapp from weblogic8.1 to JBoss, and I'm running into a problem I didn't have with WLS.

      My webapp has a <security-constraint> section with <auth-constraint>. I'm using Form authentication with DB Realm. My problem is that I can log in to my webapp, but I get a 403 saying I'm not allowed to access resources.

      I checked several things:
      - I can log in, i.e. login/password are checked against the DB, so this part works. If I give a wrong password, I get the <form-error-page> page.
      - I added a piece of code in my 403.jsp. I added 3 lines:
      0. System.out.println(request.getRemoteUser()); --> returns djeanprost
      1. System.out.println(request.isUserInRole("collaborateur")); where collaborateur is a group in my group table. --> Returns true, which is normal to me.
      2. System.out.println(request.isUserInRole("utilisateurCollaborateur")); --> false
      utilisateurCollaborateur is a role I specified in the <auth-constraint> section in the web.xml. I also have a <security-role> section where I declare the utilisateurCollaborateur role name. In my jboss-web.xml, I have a
      <security-role>
        <role-name>utilisateurCollaborateur</role-name>
        <principal-name>collaborateur</principal-name>
        <principal-name>djeanprost</principal-name>
      </security-role>

      where I map utilisateurCollaborateur to collaborateur and djeanprost. I added the principal name djeanprost as a test: it does not work either.

      I conclude the mapping from utilisateurCollaborateur to collaborateur is not done.

      Where am I wrong ?

      Regards,

        • 1. Re: Migrating from Weblogic to JBoss : problem with weapp au
          Dominique Jean-Prost Newbie

          I made a dump of the request.getUserPrincipal(). Here it is :

          14:53:46,846 INFO [STDOUT] <debut de org.jboss.web.tomcat.security.JBossGenericPrincipal>
          name = djeanprost
          password = null
          realm = org.jboss.web.tomcat.security.JBossSecurityMgrRealm@1a847df
          roles =
          <debut de tableau>
          EPArchitectureSI
          EPEncadrementIntermediaire
          EPPoleCompetences
          LorisIntranet
          absenteismeIntranet
          ameliorationpermanenteIntranet
          barGEDIntranet
          basedocCMECDPIntranet
          basedocCMEIntranet
          basedocGRHIntranet
          basedocPHSIntranet
          basedocPSOIntranet
          basedocQCOIntranet
          collaborateur
          collaborateurUtilisateurVersions
          declarationAbsenteismeIntranet
          dossiersStatistiquesIntranet
          ficheAbsenteisme
          intendance
          outilsCommerciaux
          outilsPedagogiquesIntranet
          utilisateurRelancesIntranet
          <fin de tableau>
          authPrincipal = djeanprost
          callerPrincipal = djeanprost
          credentials = password1
          subject = Objet :
          Principal : djeanprost
          Principal : Roles(members:absenteismeIntranet,basedocCMECDPIntranet,utilisateurRelancesIntranet,outilsCommerciaux,collaborateurUtilisateurVersions,outilsPedagogiquesIntranet,ficheAbsenteisme,basedocPHSIntranet,basedocCMEIntranet,intendance,dossiersStatistiquesIntranet,EPEncadrementIntermediaire,basedocGRHIntranet,basedocPSOIntranet,declarationAbsenteismeIntranet,barGEDIntranet,EPPoleCompetences,EPArchitectureSI,LorisIntranet,ameliorationpermanenteIntranet,collaborateur,basedocQCOIntranet)

          userRoles =
          <debut de liste>
          absenteismeIntranet
          basedocCMECDPIntranet
          utilisateurRelancesIntranet
          outilsCommerciaux
          collaborateurUtilisateurVersions
          outilsPedagogiquesIntranet
          ficheAbsenteisme
          basedocPHSIntranet
          basedocCMEIntranet
          intendance
          dossiersStatistiquesIntranet
          EPEncadrementIntermediaire
          basedocGRHIntranet
          basedocPSOIntranet
          barGEDIntranet
          declarationAbsenteismeIntranet
          EPPoleCompetences
          EPArchitectureSI
          LorisIntranet
          ameliorationpermanenteIntranet
          basedocQCOIntranet
          collaborateur
          <fin de liste>
          <fin de org.jboss.web.tomcat.security.JBossGenericPrincipal>


          You can see that my principal doesn't have the role utilisateurCollaborateur although I specified role-mapping with jboss-web.xml which is below :
          <jboss-web>
            <security-domain>java:/jaas/djp</security-domain>
            <context-root>accueil</context-root>
            <security-role>
              <role-name>utilisateurCollaborateur</role-name>
              <principal-name>collaborateur</principal-name>
            </security-role>
          </jboss-web>

          Here is my web.xml (a subset)
          <web-app>

            <servlet-name>mainServlet</servlet-name>
            <servlet-class>com.dexia.common.gui.WebServlet</servlet-class>
            <init-param>
              <param-name>webAppClassName</param-name>
              <param-value>com.dexia.sofaxis.accueil.gui.AccueilGUI</param-value>
            </init-param>

            <servlet-mapping>
              ...
            </servlet-mapping>
            <security-constraint>
              <web-resource-collection>
                <web-resource-name>protected</web-resource-name>
                <url-pattern>/services</url-pattern>
                <url-pattern>/main.jsp</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                <role-name>utilisateurCollaborateur</role-name>
              </auth-constraint>
            </security-constraint>
            <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
                <form-login-page>/connexion.jsp</form-login-page>
                <form-error-page>/echecConnexion.jsp</form-error-page>
              </form-login-config>
            </login-config>

            <security-role>
              <role-name>utilisateurCollaborateur</role-name>
            </security-role>


          ...

          Does anyone have a clue?
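
Added example, not part of the posts above and not JBoss code: a small offline audit that models the servlet auth-constraint check against the descriptors and principal roles shown in this thread, once with only the roles the login module assigned and once with the jboss-web.xml mapping applied. The function names (`role_mapping`, `effective_roles`, `audit`) are hypothetical, the embedded descriptors are trimmed copies, and treating `<principal-name>` as a role-to-principal mapping is an assumption about what the poster expected, not a statement of what the container does.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copies of the descriptors posted in the thread.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/services</url-pattern>
      <url-pattern>/main.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>utilisateurCollaborateur</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>utilisateurCollaborateur</role-name></security-role>
</web-app>"""
JBOSS_WEB_XML = """<jboss-web>
  <security-role>
    <role-name>utilisateurCollaborateur</role-name>
    <principal-name>collaborateur</principal-name>
  </security-role>
</jboss-web>"""
PRINCIPAL_ROLES = {"collaborateur", "intendance", "LorisIntranet"}  # subset of the dump

def role_mapping(jboss_web_xml):
    """Return {application role: set of principal names} (assumed mapping semantics)."""
    root = ET.fromstring(jboss_web_xml)
    return {sr.findtext("role-name").strip():
            {p.text.strip() for p in sr.findall("principal-name")}
            for sr in root.findall("security-role")}

def effective_roles(user, assigned, mapping):
    """Assigned roles plus each application role mapped to the user or one of its roles."""
    names = set(assigned) | {user}
    return set(assigned) | {role for role, principals in mapping.items() if principals & names}

def audit(web_xml, user, assigned, mapping=None):
    """Map each protected url-pattern to (allowed, roles the user is missing)."""
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    roles = effective_roles(user, assigned, mapping or {})
    report = {}
    for sc in root.findall("security-constraint"):
        ac = sc.find("auth-constraint")  # absent: no role needed; empty: nobody allowed
        required = set() if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        if "*" in required:              # "*" stands for every role declared in web.xml
            required = declared
        allowed = ac is None or bool(required & roles)
        for pattern in sc.findall("web-resource-collection/url-pattern"):
            report[pattern.text.strip()] = (allowed, sorted(required - roles))
    return report
```

Running `audit` without the mapping reproduces the 403 on both patterns; passing `role_mapping(JBOSS_WEB_XML)` shows the result the poster expected if the mapping were honoured.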