4 Replies Latest reply on Sep 30, 2005 8:32 AM by Michael Small

    403 Access Denied instead of redirect to login page ...

    Michael Small Newbie

      I'm testing out container managed authentication/authorization in JBoss (4.0.3RC2) and I have run into a problem. When I attempt to access a secured resource, instead of the container redirecting to the specified login page for authentication, it simply displays a 403 Access Denied error (I don't have a custom 403 error page).

      Below are the specifics of my application:

      My directory structure:

      index.jsp
      main.jsp
      login.jsp
      login-error.jsp
      secure/
        secure1.jsp
      WEB-INF/
        web.xml
        jboss-web.xml
        classes/
        lib/


      My web.xml:
       <web-app>

         <security-constraint>
           <web-resource-collection>
             <web-resource-name>Secured</web-resource-name>
             <url-pattern>/secure/*</url-pattern>
           </web-resource-collection>
           <user-data-constraint>
             <transport-guarantee>NONE</transport-guarantee>
           </user-data-constraint>
         </security-constraint>

         <login-config>
           <auth-method>FORM</auth-method>
           <realm-name>test-jaas</realm-name>
           <form-login-config>
             <form-login-page>/login.jsp</form-login-page>
             <form-error-page>/login-error.jsp</form-error-page>
           </form-login-config>
         </login-config>

       </web-app>


      My jboss-web.xml:
       <jboss-web>
         <security-domain>java:/jaas/test-jaas</security-domain>
       </jboss-web>


      My login-config.xml:
       <policy>
         <application-policy name="test-jaas">
           <authentication>
             <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
               <module-option name="dsJndiName">java:TestJaasDS</module-option>
               <module-option name="principalsQuery">SELECT pin FROM user WHERE username = ?</module-option>
               <module-option name="rolesQuery">SELECT ur.role, 'Roles' FROM user_role ur LEFT OUTER JOIN user u ON ur.fk_user = u.ikey WHERE u.username = ?</module-option>
             </login-module>
           </authentication>
         </application-policy>
       </policy>


      My login-service.xml:
       <server>
         <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
                name="tasconline:service=DynamicLoginConfig">
           <attribute name="AuthConfig">login-config.xml</attribute>
           <depends optional-attribute-name="LoginConfigService">
             jboss.security:service=XMLLoginConfig
           </depends>
           <depends optional-attribute-name="SecurityManagerService">
             jboss.security:service=JaasSecurityManager
           </depends>
         </mbean>
       </server>


      My application.xml:
       <application>

         <display-name>test-jaas</display-name>

         <module>
           <web>
             <web-uri>test-jaas.war</web-uri>
             <context-root>/test-jaas</context-root>
           </web>
         </module>

       </application>


      My jboss-app.xml:
       <jboss-app>
         <module>
           <service>test-jaas-ds.xml</service>
         </module>
         <module>
           <service>login-service.xml</service>
         </module>
       </jboss-app>


      Specifically, this error occurs when I attempt to access the http://localhost:8080/test-jaas/secure/secure1.jsp. Any ideas?

        • 1. Re: 403 Access Denied instead of redirect to login page ...
          Michael Small Newbie

          Here's what I'm finding in the server.log:

          2005-09-27 17:45:35,154 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /test-jaas/secure/secure1.jsp
          2005-09-27 17:45:35,155 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secured]' against GET /secure/secure1.jsp --> true
          2005-09-27 17:45:35,155 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secured]' against GET /secure/secure1.jsp --> true
          2005-09-27 17:45:35,155 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
          2005-09-27 17:45:35,164 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] hasUserDataPermission, p=(javax.security.jacc.WebUserDataPermission /secure/secure1.jsp GET)
          2005-09-27 17:45:35,166 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] Denied: (javax.security.jacc.WebUserDataPermission /secure/secure1.jsp GET)
          


          It appears that the configured JAAS authentication (through the DatabaseServerLoginModule) is never being called. Am I reading the log correctly?



          • 2. Re: 403 Access Denied instead of redirect to login page ...
            Michael Small Newbie

            I deployed the same EAR in JBoss 4.0.2 (using the all configuration) and still receive the same results. This is leading me to believe that the problem is my EAR ... I just don't know where.

            • 3. Re: 403 Access Denied instead of redirect to login page ...
              Aaron Novice

              You can get more information in your log file if you set org.jboss.security to Debug.

              Go to your JMX-Console, and find the system mbean. You'll see your log4j logging service/type. One of those methods allows you to change the logging level.

              Place "org.jboss.security" as the first parameter, and DEBUG as the second parameter.

              Or, you can modify the log4j.xml file.
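              The log4j.xml change Aaron describes, as an added example rather than part of his reply. The file location is an assumption for a default JBoss 4.0.x server configuration; the category element goes inside the existing <log4j:configuration> root alongside the other <category> entries:

```xml
<!-- Assumed path: server/default/conf/log4j.xml (adjust for the "all" configuration) -->
<!-- Added example: raise the JBoss security layer to DEBUG so the JAAS login-module
     calls (or their absence) show up in server.log next to the Tomcat authenticator
     and JaccAuthorizationRealm lines already visible above. -->
<category name="org.jboss.security">
  <priority value="DEBUG"/>
</category>
```

              Unlike the JMX-Console change, which lasts only until the next restart, an edit to log4j.xml is picked up by the running server and persists, so remember to turn the level back down once the problem is found; DEBUG output from the security layer can include usernames and other request details that do not belong in a long-term log.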

              • 4. Re: 403 Access Denied instead of redirect to login page ...
                Michael Small Newbie

                Thanks. I found the error eventually. I didn't include an 'auth-constraint' element in my 'security-constraint' element. I was under the impression that if I only needed authentication for a specified resource (i.e. all roles had access to the resource), I did not need an 'auth-constraint' ... bad assumption.
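                The corrected security-constraint, added here as an example and not taken from the original post. Per the Servlet 2.4 specification a security-constraint with no auth-constraint requires no authentication at all, so the container has no reason to send the browser to the FORM login page; it is the auth-constraint that makes /secure/* a protected resource. The role name 'user' is an assumption and must match a role returned by the rolesQuery in login-config.xml:

```xml
<!-- web.xml, added example: the same constraint as in the original post,
     plus the auth-constraint that was missing -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <!-- Only authenticated users holding this role may reach /secure/*.
       Without this element the constraint grants access to everyone. -->
  <auth-constraint>
    <role-name>user</role-name>  <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Every role named in an auth-constraint must also be declared here -->
<security-role>
  <role-name>user</role-name>  <!-- assumed role name -->
</security-role>
```

                To require authentication without restricting to one role, declare each application role in a security-role element and use <role-name>*</role-name> in the auth-constraint, which in Servlet 2.4 means "any of the roles declared in this deployment descriptor". Leaving the auth-constraint out, as in the original web.xml, does not mean "any authenticated user"; it means no authentication check, and the user-data-constraint with transport-guarantee NONE likewise imposes no requirement, so the resource would be open to anonymous requests on a container that follows the specification.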