1 Reply Latest reply on Sep 9, 2005 8:02 PM by dbostwick

    DatabaseServerLoginModule/j_security_check redirection probl

    dbostwick Newbie

      1) I'm porting a MyFaces 1.0.9 application from Tomcat 5.0.28 to JBoss 4.0.2.

      2) In the Tomcat app, I secure the app using the <url-pattern>/*</url-pattern> in my web.xml, where I've also defined FORM-based security, login/login error pages, and a 403 error page. Everything works fine on Tomcat. The login page pops up when I access the app, and after login, I'm forwarded to the correct target page.

      The expected flow is:
      Enter address: http://localhost:8080/
      ---> intercepted by Tomcat and fowarded to ---> /login.jsp
      ---> j_security_check succeeds forwarded to --->
      http://localhost:8080/index.jsp

      3) When moving to JBoss, I added:
      A) A data source for the user/roles tables in the $JBOSS_HOME/server/default/deploy/datasources directory. The DS name is "alphaDS." This works fine.

      B) A <realm-name>alphaRealm</realm-name> to my web.xml in the FORM-based security section. Ex:
      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>alphaRealm</realm-name>
      <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_error.jsp</form-error-page>
      </form-login-config>
      </login-config>

      C) A jboss-web.xml file containing:
      <jboss-web>
      <security-domain>java:/jaas/alphaRealm</security-domain>
      <context-root>/</context-root>
      <resource-ref>
      <res-ref-name>jdbc/alphaDS</res-ref-name>
      <jndi-name>java:jdbc/alphaDS</jndi-name>
      </resource-ref>
      </jboss-web>

      **Note, the context path is set to /. I have deleted the ROOT.war file from the Tomcat sar.

      D) And added an alphaRealm element to the $JBOSS_HOME/server/default/conf/login-config.xml file as follows:

      <application-policy name="alphaRealm">

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name = "dsJndiName">java:jdbc/alphaDS</module-option>
      <module-option name = "principalsQuery">
      select user_password from Users where user_login=?
      </module-option>
      <module-option name = "rolesQuery">
      select r.role_name, 'Roles' from Roles r join UsersRoles ur on r.role_id=ur.role_id join Users u on ur.user_id=u.user_id and u.user_login=?
      </module-option>
      </login-module>

      </application-policy>

      In JBoss, the login page pops up as expected when I access the app (via http://localhost:8080/), and the login is getting processed correctly (verified with logins having various roles). But after the login completes I am forwarded to someplace where I get the following error message: "The requested resource (/favicon.ico) is not available." The only place I've found a reference to "favicon.ico" in the whole JBoss installation (and its nowhere in my app) is in $JBOSS_HOME/server/default/deploy/lib/license.html. I even tried renaming license.html to license.txt just to see if it would be bypassed, but to no avail.

      In addition to this, I've also been redirected to other places, such as directly to a background gif image in my application. The net/net is that redirection to the orginially-requested page after login does not seem to be concrete or predictable with this setup.

      What am I doing wrong? I expected redirection to the original page requested, but this isn't happening. Even if I attempt a direct selection of index.jsp via http://localhost:8080/index.jsp before authenticiation I get the same problem. If, after authentication, I attempt to access the original page I get it of course because now I'm authenticated.

      Why am I not forwarded correctly after successful login? How do I ensure that the original page requested is the one fetched after authentication?

      Thanks in advance for any clues passed this way - dB

        • 1. Re: DatabaseServerLoginModule/j_security_check redirection p
          dbostwick Newbie

          D'OH!! This was really dumb.

          The problem seems to stem from an ambiguity introduced by the general URL (http://localhost:8080) that I used to start the app.

          My doc root contains only index.jsp, login.jsp, login_error.jsp, and 403.html, then subdirectories for the other things.

          I resolved the problem by specifying a redirect url (<c:redirect ...) in the index.jsp to a secure directory other than /.

          Here's what I found out:

          1) I made the assumption that the jsp container would resolve the redirect page to one of the files in my web.xml's welcome file list, which in this case contained index.html, index.jsp, and index.jsf. My docroot only contained index.jsp (under some circumstances, even index.jsp and index.jsp are ambiguous). WRONG.

          2) I decided to test my assumption by restricting the welcome file list in various permutations between my web.xml and the jbossweb-tomcat55.sar/conf/web.xml. In all cases, I got the same results - a directory listing.

          Conclusion:

          The jsp container needs to have the j_security_check redirect target given to it either directly in the URL, or indirectly via a redirect URL injected into the pipeline.

          The jsp container does not care about the welcome file list when resolving redirect targets for j_security_check. If it did, it would be injecting potential ambiguities into your application, and we have enough sleepless nights - eh?

          Hope this helps someone out there - dB