5 Replies Latest reply on Oct 23, 2005 3:13 AM by Wiley Snyder

    simple example help ?

    Wiley Snyder Newbie

      Hello ~ I'm using Jboss 3-2-6 ...
      I've been through the "Integrate security infrastructures with JBossSX" and forums and websites ... JAAS on sun

      I've got this in my login-config.xml

      <application-policy name = "myREALM">
       <authentication>
       <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required">
       <module-option name="dsJndiName">java:/DefaultDS</module-option>
       <module-option name="principalsQuery">
       select passwd from USER where login=?
       </module-option>
       <module-option name="rolesQuery">
       select role, 'Roles' from USER_ROLES where login=?
       </module-option>
      
       </login-module>
       </authentication>
       </application-policy>
      


      this in my jboss-web.xml
      <security-domain>java:/jaas/myREALM</security-domain>
      


      When I goto http://localhost:8080/myREALM/loginForm.jsp
      and login I get the dreaded ...
      type Status report
      
      message /myREALM/j_security_check
      
      description The requested resource (/myREALM/j_security_check) is not available.
      


      My question is where can I configure or where am I missing or how to enable j_security_check ?

      Obviously not getting something...please fill me in for just a very simple example

      thanks...


        • 1. Re: simple example help ?
          Jeff Newbie

          Check the following..

          That the JNDI name DefaultDS matches the one in your DS file.
          e.g. mySql_ds.xml in your deploy directory

          Dont go to...

          When I goto http://localhost:8080/myREALM/loginForm.jsp

          Go to...

          When I goto http://localhost:8080/myREALM/

          Your web.xml contains the name of the page login.jsp
          once its authenticates you, you will be automatically redirected to the page in you welcome setting. e.g. index.html

          Also check that you have some user/password information in your tables.

          See my post for a list of all the steps you need to take.

          http://www.jboss.com/index.html?module=bb&op=viewtopic&t=71151

          • 2. Re: simple example help ?
            net4t net4t Newbie

            Hi.

            The first step is therefore to create a login page, containing a form like this:

            " <..form action="j_security_check" method="post">
            Username: < input type="text" name="j_username" size="22"/>
            Password: < input type="password" name="j_password" size="22"/>
            < input type="submit" value="Login" />
            --- form >"

            The username and password will be intercepted by the JBoss SecurityInterceptor and passed to the JAASSecurityManager class as Principal and Credential objects. It is worth noting here that if a user bookmarks a login page, or uses the browser back button to reach the page, they will see an error. This is a feature of the Tomcat implementation of the j_security_check mechanism. The next step is to set up the web.xml file as follows:
            ...................
            ..............
            <security-constraint>
            <web-resource-collection>
            <web-resource-name>Sample Application</web-resource-name>
            Require users to authenticate
            <url-pattern>*.jsp</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
            Only allow Authenticated_users role
            <role-name>Authenticated_users</role-name>
            </auth-constraint>
            <user-data-constraint>
            Encryption is not required for the application in general.

            <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
            </security-constraint>
            <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login_error.html</form-error-page>
            </form-login-config>
            </login-config>
            ..............
            .............

            Next, the login-config.xml file must be set up to specify that this security domain requires a certain set of LoginModules:

            <application-policy name="sample_web_client_security">
            <login-module code="org.jboss.security.ClientLoginModule"
            flag="required"/>
            <login-module code="com.sample.security.GenericJbossLoginModule"
            flag="required"/>

            </application-policy>
            U can specify your module name hear.

            ........... now u can get the login user role in jsp like this..




            <%if(request.isUserInRole("Member_admin")){%>
            <%-- admin users have access to protected methods --%>
            List Users
            Secure method

            <%} else{%>
            <%-- non-admins are only allowed to list users - if a user
            attempts to submit to ...SampleServlet?method=secure, the EJB
            method will not be accessible --%>
            List Users
            <%}%>


            .....................
            j_security_check is use your loginmoudle and authenticate the user.

            for more information :- http://www.developer.com/security/article.php/3077421

            thx
            itcube.ians

            • 3. Re: simple example help ?
              Wiley Snyder Newbie

              Hello, thanks for the info....

              I used your example but I'm not understanding why you don't have the realm here... "members" in my case and I put this in the login-config ... but I don't see how it can see it with this .... its still looking for a properties file when I'm using a database ?

              <!-- this is in my web.xml for members -->
              <security-constraint>
              <web-resource-collection>
              <web-resource-name>Sample Application</web-resource-name>
              
              <!--Require users to authenticate-->
              <url-pattern>*.jsp</url-pattern>
              <http-method>POST</http-method>
              <http-method>GET</http-method>
              </web-resource-collection>
              <auth-constraint>
              
              <!-- Only allow Authenticated_users role -->
              <role-name>user</role-name>
              </auth-constraint>
              <user-data-constraint>
              
              <!-- Encryption is not required for the application in general.-->
              <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
              </security-constraint>
              <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
              <form-login-page>/login.html</form-login-page>
              <form-error-page>/login_error.html</form-error-page>
              </form-login-config>
              </login-config>
              


              in my login-conf I've got ...
               <application-policy name = "members">
               <authentication>
               <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
               flag = "required">
              
               <module-option name="dsJndiName">java:/DefaultDS</module-option>
               <module-option name="principalsQuery">
               select passwd from USER where login=?
               </module-option>
               <module-option name="rolesQuery">
               select role, 'Roles' from USER_ROLES where login=?
               </module-option>
              
               </login-module>
               </authentication>
               </application-policy>
              


              I've got the system finding j_security_check finally and loggin errors but when I go to ...
              http://localhost:8080/members

              I just get a list of the directory contents and not the login.html that I specified in my web.xml. Should I be even using web.xml for this or a web-security.xml file? Haven't got that far yet I'm just trying to get my login.html file recognized now ..... h e l p




              • 4. url-pattern tag in web.xml security constraint
                Wiley Snyder Newbie

                Okay,

                Now I've finally got the login.html file coming up in the app root with the following in my web.xml .... I took a look at the jmx-console.war and how that was setup and ...

                <security-constraint>
                 <web-resource-collection>
                 <web-resource-name>members</web-resource-name>
                 <description>The Members Application</description>
                 <url-pattern>/*</url-pattern>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
                 </web-resource-collection>
                 <auth-constraint>
                 <role-name>User</role-name>
                 </auth-constraint>
                 </security-constraint>
                
                
                 <login-config>
                 <auth-method>FORM</auth-method>
                 <realm-name>Members Area</realm-name>
                 <form-login-config>
                 <form-login-page>/login.html</form-login-page>
                 <form-error-page>/login-error.jsp</form-error-page>
                 </form-login-config>
                 </login-config>
                


                If I use
                <url-pattern>/*.jsp</url-pattern>
                though my form-login page does not show up but when I try to go to ANY file in the directory I'm sent to the login page. I thought by specifying the .jsp that only jsp's would be protected and my html login form would come up but not the case ?

                thanks for the posts






                • 5. Re: simple example help ?
                  Wiley Snyder Newbie

                  My simple example makes total sense now ....

                  I just had to make sure users.properties and roles.properties were in the default/conf directory ....

                  use..
                  <url-pattern>/*.jsp</url-pattern>
                  and set the welcome file to my secure content which is automatically redirected to the login.html ...

                  if I use
                  <url-pattern>/*</url-pattern>
                  it authenticates every image and css file okay thank you got it .. I'm seeing the light ....

                  thanks again and goodnight