1 Reply Latest reply on Dec 26, 2005 9:01 AM by Scott Stark

    Web Container Security in JBoss 4.0.1

    Gulshan Arora Newbie

      I am trying to use Web Container Security to protect the content for one of my applications running on JBoss 4.0.1 and MySQL environment. Below are the details of my application/environment.

      The application deploys without any errors. When I access a page under protected folder (http://localhost:8080/jsf-etc/protected/about.html), it presents the login form (LoginForm.html). And if I type wrong login information, say admin/abc, it shows LoginError.html. Which is correct.

      Problem: When I provide correct login information, admin/admin or gka/gka, it returns 403 status message shown below. What's missing or wrong here?

      Any help will be appreciated. Thanks in advance.


      HTTP Status 403 - Access to the requested resource has been denied
      type Status report
      message Access to the requested resource has been denied
      description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
      Apache Tomcat/5.0.28


      Application: jsf-etc.ear
      ------------------------
      META-INF/MANIFEST.MF
      META-INF/application.xml
      META-INF/jboss-app.xml
      jsf-etc-login-config.xml
      jsf-etc-login-service.xml
      jsf-etc.war

      application.xml
      ---------------
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE application PUBLIC
      "-//Sun Microsystems, Inc.//DTD J2EE Application 1.3//EN"
      "http://java.sun.com/dtd/application_1_3.dtd">

      <display-name>JSF ETC</display-name>
      JSF ETC


      <web-uri>jsf-etc.war</web-uri>
      <context-root>jsf-etc</context-root>




      jboss-app.xml
      -------------
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss-app PUBLIC
      "-//JBoss//DTD J2EE Application 1.4//EN"
      "http://www.jboss.org/j2ee/dtd/jboss-app_4_0.dtd">
      <jboss-app>

      jsf-etc-login-service.xml

      </jboss-app>

      jsf-etc-login-config.xml
      ------------------------
      <?xml version='1.0'?>
      <!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

      <application-policy name="jsfetc">

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag="required">
      <module-option name="unauthenticatedIdentity">rhdb</module-option>
      <module-option name="dsJndiName">java:/MySqlDS</module-option>
      <module-option name="principalsQuery">
      select password from principals where username=?
      </module-option>
      <module-option name="rolesQuery">
      select role, groupname from roles where username=?
      </module-option>

      </login-module>

      </application-policy>


      jsf-etc-login-service.xml
      -------------------------
      <?xml version="1.0" encoding="UTF-8"?>


      jsf-etc-login-config.xml
      <depends optional-attribute-name="LoginConfigService">
      jboss.security:service=XMLLoginConfig

      <depends optional-attribute-name="SecurityManagerService">
      jboss.security:service=JaasSecurityManager




      Web Module: jsf-etc.war
      -----------------------
      META-INF/MANIFEST.MF
      WEB-INF/lib/jsp-api.jar
      WEB-INF/lib/jstl.jar
      WEB-INF/lib/standard.jar
      WEB-INF/jboss-web.xml
      WEB-INF/web.xml
      LoginError.html
      LoginForm.html
      index.html
      protected/safe.html


      jboss-web.xml
      -------------
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE jboss-web PUBLIC
      "-//JBoss//DTD Web Application 2.4//EN"
      "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
      <jboss-web>
      <security-domain flushOnSessionInvalidation="false">java:/jaas/jsfetc</security-domain>
      <context-root>jsf-etc</context-root>
      <security-role>
      <role-name>admin</role-name>
      <principal-name>admin</principal-name>
      </security-role>
      </jboss-web>


      web.xml
      -------
      <?xml version="1.0" encoding="UTF-8"?>
      <web-app>


      <servlet-name>Faces Servlet</servlet-name>
      <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
      <load-on-startup>1</load-on-startup>


      <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>*.faces</url-pattern>
      </servlet-mapping>

      <welcome-file-list>
      <welcome-file>index.html</welcome-file>
      </welcome-file-list>

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      Security constraint for "protected" folder
      <url-pattern>/protected/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
      Only 'admin' can login
      <role-name>admin</role-name>
      </auth-constraint>
      <user-data-constraint>
      No SSL yet
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
      <form-login-page>/LoginForm.html</form-login-page>
      <form-error-page>/LoginError.html</form-error-page>
      </form-login-config>
      </login-config>

      <security-role>
      Secure Role
      <role-name>admin</role-name>
      </security-role>

      </web-app>


      LoginForm.html
      --------------


      Login Form

      <h1>Login Form</h1>

      Username:
      Password:






      Database tables in localhost/rhdb database
      ------------------------------------------
      select * from principals;
      +----------+----------+
      | username | password |
      +----------+----------+
      | gka | gka |
      | admin | admin |
      +----------+----------+

      select * from roles;
      +----------+-------+-----------+
      | username | role | groupname |
      +----------+-------+-----------+
      | gka | admin | any |
      | admin | admin | dontcare |
      +----------+-------+-----------+


      mysql-ds.xml in jboss-4.0.1\server\default\deploy folder
      --------------------------------------------------------
      <?xml version="1.0" encoding="UTF-8"?>


      <local-tx-datasource>
      <jndi-name>MySqlDS</jndi-name>
      <connection-url>jdbc:mysql://localhost:3306/rhdb</connection-url>
      <driver-class>com.mysql.jdbc.Driver</driver-class>
      <user-name>rhdb</user-name>
      rhdb
      <exception-sorter-class-name>
      org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter
      </exception-sorter-class-name>


      <type-mapping>mySQL</type-mapping>

      </local-tx-datasource>