7 Replies Latest reply on Jun 9, 2006 6:35 PM by Andy W. Clements

    Form authentication not re-directing to form

    Andy W. Clements Newbie

      Hello Forum Folks,

      I've been slapping this thing around for a while now, but it just won't work the way it is supposed to. I've setup authentication to use a form, however when I go to a restricted page, I get the basic authentication popup INSTEAD of the login form. Here are my configuration files:

      web.xml:

       <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>SubcontractorDbRealm</realm-name>
       <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/login_error.jsp</form-error-page>
       </form-login-config>
       </login-config>
      
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>SUBCONTRACTOR</web-resource-name>
       <description>Require Subcontractors to login to view their plan rooms or complete prequal</description>
       <url-pattern>/private/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       <http-method>HEAD</http-method>
       <http-method>PUT</http-method>
       <http-method>DELETE</http-method>
       </web-resource-collection>
       <auth-constraint>
       <role-name>subcontractor</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <security-role>
       <role-name>subcontractor</role-name>
       <description>Subcontractor with access to their private plan room</description>
       </security-role>
      
      


      jboss-web.xml:

       <security-domain>java:/jaas/SubcontractorDbRealm</security-domain>
       <context-root>/subcontractor</context-root>
      


      ${JBOSS_HOME}/server/default/conf/subcontractor-login-config.xml:

      <policy>
       <application-policy name="SubcontractorDbRealm">
       <authentication>
       <login-module code="org.jboss.secuiryt.auth.spi.DatabaseServerLoginModule" flag="required">
       <module-option name="unauthenticatedIdentity">guest</module-option>
       <module-option name="password-stacking">useFirstPass</module-option>
       <module-option name="dsJndiName">java:/PMPORTAL</module-option>
       <module-option name="principalsQuery">SELECT auth_code FROM TBL_SUBCONTRACTOR_AUTH WHERE auth_code=?</module-option>
       <module-option name="rolesQuery">SELECT 'subcontractor'</module-option>
       </login-module>
       </authentication>
       </application-policy>
      </policy>
      
      


      ${JBOSS_HOME}/server/default/deploy/subcontractor-login-config-service.xml:

      <server>
       <mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="jboss:service=DynamicLoginConfig">
       <attribute name="AuthConfig">subcontractor-login-config.xml</attribute>
       <depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends>
       <depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
       </mbean>
      </server>
      
      


      Now, login.jsp does exist and it has the usual j_ stuff in it - not that it matters, since I'm not be redirected to the page.

      Is there any way for to find out what JBoss is doing/thinking during the authentication process? I might be able to track down where things are going wrong....

      Thanks in advance!

      --Andy

        • 1. Re: Form authentication not re-directing to form
          Brian Stansberry Master

          The login-config element should come after your security-constraint elements. I'm surprised Tomcat doesn't throw an exception parsing your web.xml. But maybe fixing that will solve your problem.

          • 2. Re: Form authentication not re-directing to form
            Andy W. Clements Newbie

            I placed the login-config element after the security constraint element, but no luck. Still get the basic authentication popup instead of the form login.

            Thanks for your quick reply.

            --Andy

            • 3. Re: Form authentication not re-directing to form
              Andy W. Clements Newbie

              Also, I should note that I am getting no errors any of my logs... I do get some messages in my server.log, but I don't think they help with this problem. But I'll put them here, in case someone sees something that I do not.

              2006-06-08 11:19:45,935 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@1f643e4b
              2006-06-08 11:19:45,936 DEBUG [org.jboss.security.plugins.JaasSecurityManager.SubcontractorDbRealm] CachePolicy set to: org.jboss.util.TimedCachePolicy@6e35be06
              2006-06-08 11:19:45,936 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@6e35be06
              2006-06-08 11:19:45,936 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added SubcontractorDbRealm, org.jboss.security.plugins.SecurityDomainContext@a4eb471 to map

              Thanks,
              Andy

              • 4. Re: Form authentication not re-directing to form
                Anil Saldanha Master

                Debug using step 4 of the Security FAQ at the beginning of this forum.

                • 5. Re: Form authentication not re-directing to form
                  Andy W. Clements Newbie

                  Thanks! I've got some more logging information now, allow me to throw it up here:

                  2006-06-08 13:01:13,525 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /subcontractor/private/privatePlanRoom.jsp
                  2006-06-08 13:01:13,525 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[SUBCONTRACTOR]' against GET /private/privatePlanRoom.jsp --> true
                  2006-06-08 13:01:13,525 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[SUBCONTRACTOR]' against GET /private/privatePlanRoom.jsp --> true
                  2006-06-08 13:01:13,525 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
                  2006-06-08 13:01:13,525 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint already satisfied
                  2006-06-08 13:01:13,525 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
                  2006-06-08 13:01:13,525 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Begin authenticate, username=null
                  2006-06-08 13:01:13,527 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResources(jndi.properties)
                  2006-06-08 13:01:13,533 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jnp.interfaces.NamingContextFactory, false)
                  2006-06-08 13:01:13,534 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
                  2006-06-08 13:01:13,534 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jnp.interfaces.NamingContextFactory)
                  2006-06-08 13:01:13,534 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClassInternal(org.jnp.interfaces.NamingContextFactory)
                  2006-06-08 13:01:13,534 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Passing on ClassNotFoundException
                  2006-06-08 13:01:13,534 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@55b66aff
                  2006-06-08 13:01:13,534 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
                  2006-06-08 13:01:13,534 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.java.javaURLContextFactory, false)
                  2006-06-08 13:01:13,534 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
                  2006-06-08 13:01:13,534 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.java.javaURLContextFactory)
                  2006-06-08 13:01:13,534 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClassInternal(org.jboss.naming.java.javaURLContextFactory)
                  2006-06-08 13:01:13,534 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Passing on ClassNotFoundException
                  2006-06-08 13:01:13,534 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@55b66aff
                  2006-06-08 13:01:13,535 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
                  2006-06-08 13:01:13,535 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.ENCFactory, false)
                  2006-06-08 13:01:13,535 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
                  2006-06-08 13:01:13,535 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.ENCFactory)
                  2006-06-08 13:01:13,536 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClassInternal(org.jboss.naming.ENCFactory)
                  2006-06-08 13:01:13,536 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Passing on ClassNotFoundException
                  2006-06-08 13:01:13,536 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@55b66aff
                  2006-06-08 13:01:13,536 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
                  2006-06-08 13:01:13,536 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test

                  So, it looks like I've got a class loading problem here.... I believe that for some reason the tomcat class loader is having problems retrieving a Context Factory. From looking at the code in the WebappClassLoader, there can be several posibilities why it is throwing a ClassNotFoundExcepion - but it is not clear which possibility it could be. It is throwing that exception from this method:

                   /**
                  1890 * Find specified class in local repositories.
                  1891 *
                  1892 * @return the loaded class, or null if the class isn't found
                  1893 */
                  1894 protected Class findClassInternal(String name)
                  1895 throws ClassNotFoundException {
                  1896
                  1897 if (!validate(name))
                  1898 throw new ClassNotFoundException(name);
                  1899
                  1900 String tempPath = name.replace('.', '/');
                  1901 String classPath = tempPath + ".class";
                  1902
                  1903 ResourceEntry entry = null;
                  1904
                  1905 entry = findResourceInternal(name, classPath);
                  1906
                  1907 if (entry == null)
                  1908 throw new ClassNotFoundException(name);
                  1909
                  1910 Class clazz = entry.loadedClass;
                  1911 if (clazz != null)
                  1912 return clazz;
                  1913
                  1914 synchronized (this) {
                  1915 if (entry.binaryContent == null && entry.loadedClass == null)
                  1916 throw new ClassNotFoundException(name);
                  1917 }
                  1918
                  1919 // Looking up the package
                  1920 String packageName = null;
                  1921 int pos = name.lastIndexOf('.');
                  1922 if (pos != -1)
                  1923 packageName = name.substring(0, pos);
                  1924
                  1925 Package pkg = null;
                  1926
                  1927 if (packageName != null) {
                  1928
                  1929 // START OF IASRI 4717252
                  1930 synchronized (loaderPC) {
                  1931 // END OF IASRI 4717252
                  1932 pkg = getPackage(packageName);
                  1933
                  1934 // Define the package (if null)
                  1935 if (pkg == null) {
                  1936 if (entry.manifest == null) {
                  1937 definePackage(packageName, null, null, null, null, null,
                  1938 null, null);
                  1939 } else {
                  1940 definePackage(packageName, entry.manifest, entry.codeBase);
                  1941 }
                  1942 }
                  1943 // START OF IASRI 4717252
                  1944 }
                  1945 // END OF IASRI 4717252
                  1946 }
                  1947
                  1948 // Create the code source object
                  1949 CodeSource codeSource =
                  1950 new CodeSource(entry.codeBase, entry.certificates);
                  1951
                  1952 if (securityManager != null) {
                  1953
                  1954 // Checking sealing
                  1955 if (pkg != null) {
                  1956 boolean sealCheck = true;
                  1957 if (pkg.isSealed()) {
                  1958 sealCheck = pkg.isSealed(entry.codeBase);
                  1959 } else {
                  1960 sealCheck = (entry.manifest == null)
                  1961 || !isPackageSealed(packageName, entry.manifest);
                  1962 }
                  1963 if (!sealCheck)
                  1964 throw new SecurityException
                  1965 ("Sealing violation loading " + name + " : Package "
                  1966 + packageName + " is sealed.");
                  1967 }
                  1968
                  1969 }
                  1970
                  1971 synchronized (this) {
                  1972 if (entry.loadedClass == null) {
                  1973 /* START GlassFish [680]
                  1974 clazz = defineClass(name, entry.binaryContent, 0,
                  1975 entry.binaryContent.length,
                  1976 codeSource);
                  1977 */
                  1978 // START GlassFish [680]
                  1979 // We use a temporary byte[] so that we don't change the
                  1980 // content of entry in case bytecode preprocessing takes place.
                  1981 byte[] binaryContent = entry.binaryContent;
                  1982 if (!byteCodePreprocessors.isEmpty()) {
                  1983 // ByteCodePreprpcessor expects name as java/lang/Object.class
                  1984 String resourceName = name.replace('.', '/') + ".class";
                  1985 for(BytecodePreprocessor preprocessor : byteCodePreprocessors) {
                  1986 binaryContent = preprocessor.preprocess(resourceName,
                  1987 binaryContent);
                  1988 }
                  1989 }
                  1990 clazz = defineClass(name, binaryContent, 0,
                  1991 binaryContent.length,
                  1992 codeSource);
                  1993 // END GlassFish [680]
                  1994 entry.loadedClass = clazz;
                  1995 entry.binaryContent = null;
                  1996 entry.source = null;
                  1997 entry.codeBase = null;
                  1998 entry.manifest = null;
                  1999 entry.certificates = null;
                  2000 } else {
                  2001 clazz = entry.loadedClass;
                  2002 }
                  2003 }
                  2004
                  2005 return clazz;
                  2006
                  2007 }


                  Any ideas where to go with this?

                  Thanks for the help so far!


                  Thanks!

                  --Andy

                  • 6. Re: Form authentication not re-directing to form
                    Andy W. Clements Newbie

                    The version of Jboss that I was running on is 4.0.2. I've downloaded 4.0.3 SP1 and put the application on it and it works.

                    I believe there was some setting that I might have changed a long time ago that was preventing the application from working - beats me what it was though....

                    • 7. Re: Form authentication not re-directing to form
                      Andy W. Clements Newbie

                      Hey kids

                      I found the reason why my web application kept coming upwith BASIC authentication when I had told it to use FORM authentication. The JBoss server I was using has mutiple applications on it. One of the applications needed the context.xml to have the following values:

                      <Context>
                       <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" disableProxyCaching="false" />
                      </Context>


                      This was done so that we could upload files in IE (long story). Anyway I placed this value in ${JBOSS_HOME}/server/default/deploy/jbossweb-tomcat55.sar/context.xml so that all applications can upload files. However it appears that this was forcing all applications to use BASIC authentication as well. Cheeky, eh? So, I moved this directive to each applications' own content.xml file in WEB-INF. I changed the context.xml file for the one using FORM authentication to this:

                      <Context>
                       <Valve className="org.apache.catalina.authenticator.FormAuthenticator" disableProxyCaching="false" />
                      </Context>


                      And wa-la - everything suddenly works. I hope this helps someone instead of them having to go through the 2 days of work that I did. I also like to thank the folks that helped out with their replies. - Thanks!

                      --Andy