How do you explicitly tell an application (.war) to use JBoss security in the jboss-web.xml file?
If it can't be done there, can it be done in the jboss-app.xml or application.xml in an .ear file?
The reason I ask is that my application (a war deployment) is using some libraries that conflict with ones in jboss (specifically some jakarta commons libraries for struts). To enable their use I've specified java2ClassLoadingCompliance="false" in the jboss-web.xml file. This works to allow the code depending on the newer libraries to work, but then my security and authentication stops working.
I've turned up logging in log4j.xml to the max, and jboss gets very noisy, but when I login, nothing spits back to tell me what is wrong. It just returns a failed login.
Version: Jboss 3.2.3
JVM: j2sdk 1.4.2_05
What follows is my security configuration. If I'm completely off my rocker, or simply using a version that's too old, or just need to read the documentation more somewhere, please let me know. As it stands I'm at a complete loss. I've seen other posts on the issue (referring to 4.x versions) and the solutions were to set java2ClassLoadingCompliance="true". Unfortunately that's going to require I write a lot more code to work around, and I'd prefer not to have to do that.
Here are the relevant security entries from web.xml
<security-constraint> <!-- <display-name>Example Security</display-name> --> <web-resource-collection> <web-resource-name>Struts Blank</web-resource-name> <description></description> <url-pattern>*.do</url-pattern> </web-resource-collection> <auth-constraint> <role-name>Administrators</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.html</form-login-page> <form-error-page>/login.html?error_message=failed</form-error-page> </form-login-config> </login-config> <security-role> <role-name>Users</role-name> </security-role> <security-role> <role-name>Administrators</role-name> </security-role>
Here's my complete jboss-web.xml:
<jboss-web> <class-loading java2ClassLoadingCompliance="false" > <loader-repository> struts-blank.someurl.ca:loader=struts-blank.war <loader-repository-config>java2ParentDelegation=false</loader-repository-config> </loader-repository> </class-loading> <security-domain>java:/jaas/tagishNT</security-domain> </jboss-web>
Here's the application-policy from the login-config.xml from the jboss-3.2.3//conf directory:
<application-policy name = "tagishNT"> <authentication> <login-module code = "ca.laj.TagishJBossLoginModule" flag = "required" /> </authentication> </application-policy>
I previously posted about this here, but may have taken the wrong approach in my query:
Topics that discuss this behaviour for other users:
In Jboss 3.2.2
This individual has a personal security service, but shows the jndi naming being blocked (again java2 loading is false):
I've also read the following, and I do not have jboss jar's in my webapp (unless jakarta commons packages count):
Lastly I've read and tested against the following condition and am reasonably certain that I don't have org.jboss.* classes in my .war (I understand that I'm allowed to depend on them right? Just not include them?):
Scott Stark, if you read this, would you please give a brief explanation why org.jboss.* class will stop things if java2 loading is false?
Is it possible that using java2ClassLoadingCompliance="false" would block jndi name lookups? (Thus preventing the jboss-web.xml configuration from being able to refer to a login configuration in the login-config.xml file?)