5 Replies Latest reply on Oct 23, 2005 3:13 AM by wiley173

    simple example help ?

    wiley173

      Hello ~ I'm using Jboss 3-2-6 ...
      I've been through the "Integrate security infrastructures with JBossSX" and forums and websites ... JAAS on sun

      I've got this in my login-config.xml

      <application-policy name = "myREALM">
       <authentication>
       <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required">
       <module-option name="dsJndiName">java:/DefaultDS</module-option>
       <module-option name="principalsQuery">
       select passwd from USER where login=?
       </module-option>
       <module-option name="rolesQuery">
       select role, 'Roles' from USER_ROLES where login=?
       </module-option>
      
       </login-module>
       </authentication>
       </application-policy>
      


      this in my jboss-web.xml
      <security-domain>java:/jaas/myREALM</security-domain>
      


      When I goto http://localhost:8080/myREALM/loginForm.jsp
      and login I get the dreaded ...
      type Status report
      
      message /myREALM/j_security_check
      
      description The requested resource (/myREALM/j_security_check) is not available.
      


      My question is where can I configure or where am I missing or how to enable j_security_check ?

      Obviously not getting something...please fill me in for just a very simple example

      thanks...


        • 1. Re: simple example help ?
          jeff_porter

          Check the following..

          That the JNDI name DefaultDS matches the one in your DS file.
          e.g. mySql_ds.xml in your deploy directory

          Don't go to...

          When I goto http://localhost:8080/myREALM/loginForm.jsp

          Go to...

          When I goto http://localhost:8080/myREALM/

          Your web.xml contains the name of the page login.jsp.
          Once it authenticates you, you will be automatically redirected to the page in your welcome setting, e.g. index.html.

          Also check that you have some user/password information in your tables.

          See my post for a list of all the steps you need to take.

          http://www.jboss.com/index.html?module=bb&op=viewtopic&t=71151

          • 2. Re: simple example help ?
            itcube.ians

            Hi.

            The first step is therefore to create a login page, containing a form like this:

            <form action="j_security_check" method="post">
            Username: <input type="text" name="j_username" size="22"/>
            Password: <input type="password" name="j_password" size="22"/>
            <input type="submit" value="Login" />
            </form>

            The username and password will be intercepted by the JBoss SecurityInterceptor and passed to the JAASSecurityManager class as Principal and Credential objects. It is worth noting here that if a user bookmarks a login page, or uses the browser back button to reach the page, they will see an error. This is a feature of the Tomcat implementation of the j_security_check mechanism. The next step is to set up the web.xml file as follows:
            ...................
            ..............
            <security-constraint>
            <web-resource-collection>
            <web-resource-name>Sample Application</web-resource-name>
            <!-- Require users to authenticate -->
            <url-pattern>*.jsp</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
            <!-- Only allow Authenticated_users role -->
            <role-name>Authenticated_users</role-name>
            </auth-constraint>
            <user-data-constraint>
            <!-- Encryption is not required for the application in general. -->
            <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
            </security-constraint>
            <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login_error.html</form-error-page>
            </form-login-config>
            </login-config>
            ..............
            .............

            Next, the login-config.xml file must be set up to specify that this security domain requires a certain set of LoginModules:

            <application-policy name="sample_web_client_security">
            <authentication>
            <login-module code="org.jboss.security.ClientLoginModule"
            flag="required"/>
            <login-module code="com.sample.security.GenericJbossLoginModule"
            flag="required"/>
            </authentication>
            </application-policy>
            You can specify your module name here.

            ........... now you can get the logged-in user's role in a JSP like this:




            <%if(request.isUserInRole("Member_admin")){%>
            <%-- admin users have access to protected methods --%>
            List Users
            Secure method

            <%} else{%>
            <%-- non-admins are only allowed to list users - if a user
            attempts to submit to ...SampleServlet?method=secure, the EJB
            method will not be accessible --%>
            List Users
            <%}%>


            .....................
            j_security_check uses your login module and authenticates the user.

            for more information :- http://www.developer.com/security/article.php/3077421

            thx
            itcube.ians

            • 3. Re: simple example help ?
              wiley173

              Hello, thanks for the info....

              I used your example, but I'm not understanding why you don't have the realm here ("members" in my case). I put this in the login-config, but I don't see how it can see it with this... it's still looking for a properties file when I'm using a database?

              <!-- this is in my web.xml for members -->
              <security-constraint>
              <web-resource-collection>
              <web-resource-name>Sample Application</web-resource-name>
              
              <!--Require users to authenticate-->
              <url-pattern>*.jsp</url-pattern>
              <http-method>POST</http-method>
              <http-method>GET</http-method>
              </web-resource-collection>
              <auth-constraint>
              
              <!-- Only allow Authenticated_users role -->
              <role-name>user</role-name>
              </auth-constraint>
              <user-data-constraint>
              
              <!-- Encryption is not required for the application in general.-->
              <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
              </security-constraint>
              <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
              <form-login-page>/login.html</form-login-page>
              <form-error-page>/login_error.html</form-error-page>
              </form-login-config>
              </login-config>
              


              in my login-conf I've got ...
               <application-policy name = "members">
               <authentication>
               <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
               flag = "required">
              
               <module-option name="dsJndiName">java:/DefaultDS</module-option>
               <module-option name="principalsQuery">
               select passwd from USER where login=?
               </module-option>
               <module-option name="rolesQuery">
               select role, 'Roles' from USER_ROLES where login=?
               </module-option>
              
               </login-module>
               </authentication>
               </application-policy>
              


              I've got the system finding j_security_check finally and logging errors, but when I go to ...
              http://localhost:8080/members

              I just get a list of the directory contents and not the login.html that I specified in my web.xml. Should I even be using web.xml for this, or a web-security.xml file? Haven't got that far yet; I'm just trying to get my login.html file recognized now ..... h e l p




              • 4. url-pattern tag in web.xml security constraint
                wiley173

                Okay,

                Now I've finally got the login.html file coming up in the app root with the following in my web.xml .... I took a look at the jmx-console.war and how that was setup and ...

                <security-constraint>
                 <web-resource-collection>
                 <web-resource-name>members</web-resource-name>
                 <description>The Members Application</description>
                 <url-pattern>/*</url-pattern>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
                 </web-resource-collection>
                 <auth-constraint>
                 <role-name>User</role-name>
                 </auth-constraint>
                 </security-constraint>
                
                
                 <login-config>
                 <auth-method>FORM</auth-method>
                 <realm-name>Members Area</realm-name>
                 <form-login-config>
                 <form-login-page>/login.html</form-login-page>
                 <form-error-page>/login-error.jsp</form-error-page>
                 </form-login-config>
                 </login-config>
                


                If I use
                <url-pattern>/*.jsp</url-pattern>
                though, my form-login page does not show up, but when I try to go to ANY file in the directory I'm sent to the login page. I thought that by specifying .jsp only JSPs would be protected and my HTML login form would come up, but that's not the case?

                thanks for the posts






                • 5. Re: simple example help ?
                  wiley173

                  My simple example makes total sense now ....

                  I just had to make sure users.properties and roles.properties were in the default/conf directory ....

                  use..
                  <url-pattern>/*.jsp</url-pattern>
                  and set the welcome file to my secure content which is automatically redirected to the login.html ...

                  if I use
                  <url-pattern>/*</url-pattern>
                  it authenticates every image and CSS file. Okay, thank you, got it... I'm seeing the light ....

                  thanks again and goodnight
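As an added example that is not part of this thread, here is a small Python model of the url-pattern matching rules from Servlet spec 2.4, SRV.11.2 (the rules Tomcat inside JBoss 3.2.x applies to security constraints), run over a constructed set of request paths to show what the "/*" versus "*.jsp" choice from the last two posts actually leaves open. One caveat the spec implies: a pattern that neither ends in "/*" nor starts with "*." is an exact match, so "/*.jsp" covers only the literal path /*.jsp; the extension form is "*.jsp".

```python
# Added example (not from the thread): which request paths a web.xml
# <security-constraint> <url-pattern> covers. The matching rules follow
# Servlet spec 2.4, SRV.11.2, which Tomcat (embedded in JBoss 3.2.x) applies
# to security constraints as well as servlet mappings.
from typing import List

# Constructed sample of context-relative request paths for a "members" web app.
SAMPLE_PATHS = [
    "/login.html",
    "/index.jsp",
    "/members/account.jsp",
    "/images/logo.gif",
    "/style.css",
]


def pattern_matches(pattern: str, path: str) -> bool:
    """Return True if the url-pattern covers the request path."""
    if pattern == "/":                       # default mapping: every path
        return True
    if pattern.endswith("/*"):               # path mapping: /* or /admin/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):             # extension mapping: *.jsp
        return path.endswith(pattern[1:])
    return path == pattern                   # anything else is an exact match


def protected_paths(patterns: List[str], paths: List[str]) -> List[str]:
    """Paths that hit a constraint and therefore trigger the FORM login."""
    return [p for p in paths if any(pattern_matches(pat, p) for pat in patterns)]


def unprotected_paths(patterns: List[str], paths: List[str]) -> List[str]:
    """Paths served without authentication; with *.jsp this includes every
    static file and any servlet not mapped to a .jsp URL."""
    covered = set(protected_paths(patterns, paths))
    return [p for p in paths if p not in covered]


if __name__ == "__main__":
    # The three patterns tried in the thread. "/*.jsp" neither ends in "/*"
    # nor starts with "*.", so the spec treats it as the exact path "/*.jsp".
    for pattern in ("/*", "*.jsp", "/*.jsp"):
        print(f"{pattern:8} protects   {protected_paths([pattern], SAMPLE_PATHS)}")
        print(f"{'':8} leaves open {unprotected_paths([pattern], SAMPLE_PATHS)}")
```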