1 Reply Latest reply on Sep 9, 2006 8:44 AM by k k

    Jsf Form Authentication problem

    k k Newbie

      I use an html page for login page and when i type the correct user name and password it authenticates but I receive 403 error. If the login parameters are wrong I am redirected to the error page. I searched the net and I think that I configured everything Ok. But still have the problem. Also though this login page is declared confidential when i am redirected to it never runs in https. If I hit directly it does.
      Anyone with some help it will be great.
      Thanks.

        • 1. Re: Jsf Form Authentication problem
          k k Newbie

          to be more easy to someone to give some hints below I am posting some configuration file and code. I am using MySql for the user and roles and when I am logging manually
          using LogingContext.login() it works. But when the form authentication is triggered and the logij.jsp is displayed I am authenticating but Iget 403 error. I want to use this facility in order to have the single signeon feature. Is it possible to have single signeon facility if you authenticate using:
          ---------------------------------------------
          SecurityAssociationHandler handler = new SecurityAssociationHandler();
          SimplePrincipal user = new SimplePrincipal(_uname);
          handler.setSecurityInfo(user, _upass.toCharArray());
          LoginContext loginContext = new LoginContext("myPolicy",(CallbackHandler)handler);
          loginContext.login();
          Subject subject = loginContext.getSubject();
          Set principals = subject.getPrincipals();
          principals.add(user);
          ---------------------------------------------
          i.e: the user not to have again to login?
          Can be happen some how to simulate this, or to call a method?

          web.xml
          ---------------------------------------
          <web-app>
          debug web.xml
          <context-param>
          <param-name>javax.faces.CONFIG_FILES</param-name>
          <param-value>
          /WEB-INF/faces-config.xml
          </param-value>

          Comma separated list of URIs of (additional) faces config files.
          (e.g. /WEB-INF/my-config.xml)
          See JSF 1.0 PRD2, 10.3.2

          </context-param>

          <context-param>
          <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
          <param-value>client</param-value>

          State saving method: "client" or "server" (= default)
          See JSF Specification 2.5.2

          </context-param>

          <context-param>
          <param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
          <param-value>true</param-value>

          This parameter tells MyFaces if javascript code should be allowed in the
          rendered HTML output.
          If javascript is allowed, command_link anchors will have javascript code
          that submits the corresponding form.
          If javascript is not allowed, the state saving info and nested parameters
          will be added as url parameters.
          Default: "true"

          </context-param>

          <context-param>
          <param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
          <param-value>false</param-value>
          </context-param>

          <context-param>
          <param-name>org.apache.myfaces.CHECK_EXTENSIONS_FILTER</param-name>
          <param-value>true</param-value>
          </context-param>

          <context-param>
          <param-name>com.sun.faces.serializationProvider</param-name>
          <param-value>org.jboss.web.jsf.integration.serialization.JBossSerializationProvider</param-value>
          </context-param>


          <context-param>
          <param-name>org.apache.myfaces.ADD_RESOURCE_CLASS</param-name>
          <param-value>org.apache.myfaces.renderkit.html.util.DefaultAddResource</param-value>
          </context-param>

          <context-param>
          <param-name>org.apache.myfaces.PRETTY_HTML</param-name>
          <param-value>true</param-value>

          If true, rendered HTML code will be formatted, so that it is "human readable".
          i.e. additional line separators and whitespace will be written, that do not
          influence the HTML code.
          Default: "true"

          </context-param>

          <context-param>
          <param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
          <param-value>true</param-value>

          If true, a javascript function will be rendered that is able to restore the
          former vertical scroll on every request. Convenient feature if you have pages
          with long lists and you do not want the browser page to always jump to the top
          if you trigger a link or button action that stays on the same page.
          Default: "false"

          </context-param>
          <context-param>
          <param-name>org.apache.myfaces.secret</param-name>
          <param-value>MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz</param-value>
          </context-param>
          <context-param>
          <param-name>org.apache.myfaces.algorithm</param-name>
          <param-value>AES</param-value>
          </context-param>
          <context-param>
          <param-name>org.apache.myfaces.algorithm.parameters</param-name>
          <param-value>CBC/PKCS5Padding</param-value>
          </context-param>
          <context-param>
          <param-name>org.apache.myfaces.algorithm.iv</param-name>
          <param-value>NzY1NDMyMTA3NjU0MzIxMA==</param-value>
          </context-param>


          <!-- Tiles ViewHandler config file -->

          <context-param>
          <param-name>tiles-definitions</param-name>
          <param-value>/WEB-INF/tiles.xml</param-value>

          Tiles configuration
          definition files and a listener need to be defined.
          the listener will initialize JspTilesViewHandlerImpl with tiles definitions.

          </context-param>

          <!-- Extensions Filter -->

          <filter-name>extensionsFilter</filter-name>
          <filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class>

          <init-param>
          <param-name>maxFileSize</param-name>
          <param-value>100m</param-value>
          Set the size limit for uploaded files.
          Format: 10 - 10 bytes
          10k - 10 KB
          10m - 10 MB
          1g - 1 GB

          </init-param>
          <init-param>
          <param-name>uploadMaxFileSize</param-name>
          <param-value>100m</param-value>
          Set the size limit for uploaded files.
          Format: 10 - 10 bytes
          10k - 10 KB
          10m - 10 MB
          1g - 1 GB

          </init-param>
          <init-param>
          <param-name>uploadThresholdSize</param-name>
          <param-value>100m</param-value>
          Set the threshold size - files
          below this limit are stored in memory, files above
          this limit are stored on disk.

          Format: 10 - 10 bytes
          10k - 10 KB
          10m - 10 MB
          1g - 1 GB

          </init-param>
          <!-- <init-param>
          <param-name>uploadRepositoryPath</param-name>
          <param-value>/temp</param-value>
          Set the path where the intermediary files will be stored.

          </init-param>-->



          <filter-name>PostLoginFilter</filter-name>
          <filter-class>com.sms.PostLoginFilter</filter-class>


          <filter-mapping>
          <filter-name>PostLoginFilter</filter-name>
          <url-pattern>/j_security_check</url-pattern>
          </filter-mapping>
          <filter-mapping>
          <filter-name>PostLoginFilter</filter-name>
          <url-pattern>/user/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>PostLoginFilter</filter-name>
          <url-pattern>/faces/user/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>PostLoginFilter</filter-name>
          <url-pattern>/company/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>PostLoginFilter</filter-name>
          <url-pattern>/faces/company/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>PostLoginFilter</filter-name>

          <servlet-name>Faces Servlet</servlet-name>
          </filter-mapping>
          <filter-mapping>
          <filter-name>extensionsFilter</filter-name>

          <servlet-name>Faces Servlet</servlet-name>
          </filter-mapping>


          <filter-mapping>
          <filter-name>extensionsFilter</filter-name>
          <url-pattern>*.jsf</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>extensionsFilter</filter-name>
          <url-pattern>/faces/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>extensionsFilter</filter-name>
          <url-pattern>*.jsp</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>extensionsFilter</filter-name>
          <url-pattern>/faces/myFacesExtensionResource/*</url-pattern>
          </filter-mapping>


          <!-- Faces Servlet -->

          <servlet-name>Faces Servlet</servlet-name>
          <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
          <load-on-startup>1</load-on-startup>
          <security-role-ref>
          <role-name>user</role-name>
          <role-link>userrole</role-link>
          </security-role-ref>
          <security-role-ref>
          <role-name>company</role-name>
          <role-link>companyrole</role-link>
          </security-role-ref>



          <!-- Faces Servlet Mapping -->

          <!-- virtual path mapping -->

          <servlet-mapping>
          <servlet-name>Faces Servlet</servlet-name>
          <url-pattern>/faces/*</url-pattern>
          </servlet-mapping>

          <!-- extension mapping -->
          <servlet-mapping>
          <servlet-name>Faces Servlet</servlet-name>
          <url-pattern>*.jsf</url-pattern>
          </servlet-mapping>

          <mime-mapping>
          html
          <mime-type>text/html</mime-type>
          </mime-mapping>
          <mime-mapping>
          txt
          <mime-type>text/plain</mime-type>
          </mime-mapping>
          <!-- Welcome files -->


          <welcome-file-list>
          <welcome-file>index.jsp</welcome-file>
          <welcome-file>index.html</welcome-file>
          </welcome-file-list>



          <error-page>
          <error-code>404</error-code>
          /error404.jsp
          </error-page>

          <error-page>
          <error-code>403</error-code>
          /error403.jsp
          </error-page>

          <error-page>
          <error-code>503</error-code>
          /error503.jsp
          </error-page>

          <error-page>
          <error-code>500</error-code>
          /error500.jsp
          </error-page>

          <error-page>
          <error-code>401</error-code>
          /error401.jsp
          </error-page>



          <security-constraint>
          <display-name>Restrict access to login JSP pages</display-name>
          <web-resource-collection>
          <web-resource-name>Restrict access to login JSP pages</web-resource-name>
          <url-pattern>/faces/login.jsp</url-pattern>
          <url-pattern>/login.jsp</url-pattern>
          <url-pattern>/faces/login.jsf</url-pattern>
          <url-pattern>/login.jsf</url-pattern>
          </web-resource-collection>

          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
          </security-constraint>

          <security-constraint>
          <display-name>Restrict access to registration JSP pages</display-name>
          <web-resource-collection>
          <web-resource-name>Restrict access to registration JSP pages</web-resource-name>
          <url-pattern>/faces/regCompany.jsp</url-pattern>
          <url-pattern>/regCompany.jsp</url-pattern>
          <url-pattern>/faces/regCompany.jsf</url-pattern>
          <url-pattern>/regCompany.jsf</url-pattern>
          </web-resource-collection>

          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
          </security-constraint>

          <security-constraint>
          <display-name>Restrict access to registration user JSP pages</display-name>
          <web-resource-collection>
          <web-resource-name>Restrict access to registration JSP pages</web-resource-name>
          <url-pattern>/faces/regUser.jsp</url-pattern>
          <url-pattern>/regUser.jsp</url-pattern>
          <url-pattern>/faces/regUser.jsp</url-pattern>
          <url-pattern>/regUser.jsp</url-pattern>
          </web-resource-collection>

          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
          </security-constraint>


          <security-constraint>
          <display-name>Restrict access to login PROTj JSP pages</display-name>
          <web-resource-collection>
          <web-resource-name>Restrict access to login PROTj JSP pages</web-resource-name>
          <url-pattern>/faces/loginj.jsp</url-pattern>
          <url-pattern>/loginj.jsp</url-pattern>
          <url-pattern>/faces/loginj.jsf</url-pattern>
          <url-pattern>/loginj.jsf</url-pattern>
          </web-resource-collection>

          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
          </security-constraint>

          <security-constraint>
          <display-name>Restrict access to USER JSP pages</display-name>
          <web-resource-collection>
          <web-resource-name>Restrict access to COMPANY JSP pages</web-resource-name>
          <url-pattern>/user/*</url-pattern>
          <url-pattern>/faces/user/*</url-pattern>
          </web-resource-collection>

          <auth-constraint>
          With no roles defined, no access granted
          <role-name>userrole</role-name>
          <role-name>companyrole</role-name>
          </auth-constraint>

          <user-data-constraint>
          <transport-guarantee> CONFIDENTIAL </transport-guarantee>
          </user-data-constraint>
          </security-constraint>

          <security-constraint>
          <display-name>Restrict access to COMPANY JSP pages</display-name>
          <web-resource-collection>
          <web-resource-name>Restrict access to COMPANY JSP pages</web-resource-name>
          <url-pattern>/company/*</url-pattern>
          <url-pattern>/faces/company/*</url-pattern>
          </web-resource-collection>

          <auth-constraint>
          With no roles defined, no access granted
          <role-name>companyrole</role-name>
          </auth-constraint>

          <user-data-constraint>
          <transport-guarantee> CONFIDENTIAL </transport-guarantee>
          </user-data-constraint>
          </security-constraint>


          <login-config>

          <auth-method> FORM </auth-method>
          <realm-name>myPolicy</realm-name>
          <form-login-config>

          <form-login-page>/loginj.jsp</form-login-page>
          <form-error-page>/error.jsp</form-error-page>

          </form-login-config>

          </login-config>

          <security-role>
          <role-name> userrole </role-name>
          </security-role>

          <security-role>
          <role-name> companyrole </role-name>
          </security-role>


          </web-app>
          ----------------------------------------------------------------


          jboss-web.xml
          ------------------------------------------------------------
          <?xml version="1.0"?>

          <jboss-web>
          <security-domain>java:/jaas/myPolicy</security-domain>
          </jboss-web>

          -----------------------------------------------------------


          Client auth.conf
          ----------------------------------------
          client-login
          {
          org.jboss.security.ClientLoginModule required;
          };

          myPolicy
          {
          org.jboss.security.ClientLoginModule required;
          org.jboss.security.auth.spi.DatabaseServerLoginModule required;
          };


          Server auth.conf in ../conf
          ------------------------------------------------
          client-login
          {
          org.jboss.security.ClientLoginModule required;
          };

          myPolicy
          {
          org.jboss.security.ClientLoginModule required;
          org.jboss.security.auth.spi.DatabaseServerLoginModule required
          dsJndiName="java:/MySqlDS"
          principalsQuery="SELECT PASSWD FROM PUBLIC.PRINCIPALS WHERE USERID=?"
          rolesQuery="SELECT ROLEID 'Roles', ROLEGROUP 'RoleGroups' FROM PUBLIC.ROLES WHERE USERID=?"
          ;
          };


          jboss-service.xml
          ----------------------------------------------


          <!-- Load all jars from the JBOSS_DIST/server//lib directory. This
          can be restricted to specific jars by specifying them in the archives
          attribute.
          -->

          <!-- The SSL domain setup -->




          file:${jboss.server.home.dir}/conf/sec.keystore
          rmi+ssl

          <!-- A Thread pool service -->

          JBoss System Threads
          System Threads
          <!-- How long a thread will live without any tasks in MS -->
          60000
          <!-- The max number of threads in the pool -->
          10
          <!-- The max number of tasks before the queue is full -->
          1000
          <!-- The behavior of the pool when a task is added and the queue is full.
          abort - a RuntimeException is thrown
          run - the calling thread executes the task
          wait - the calling thread blocks until the queue has room
          discard - the task is silently discarded without being run
          discardOldest - check to see if a task is about to complete and enque
          the new task if possible, else run the task in the calling thread
          -->
          run


          <!-- ==================================================================== -->
          <!-- Log4j Initialization -->
          <!-- ==================================================================== -->

          <mbean code="org.jboss.logging.Log4jService"
          name="jboss.system:type=Log4jService,service=Logging"
          xmbean-dd="resource:xmdesc/Log4jService-xmbean.xml">
          resource:log4j.xml
          <!-- Set the org.apache.log4j.helpers.LogLog.setQuiteMode. As of log4j1.2.8
          this needs to be set to avoid a possible deadlock on exception at the
          appender level. See bug#696819.
          -->
          true
          <!-- How frequently in seconds the ConfigurationURL is checked for changes -->
          60





          <depends optional-attribute-name="Deployer">jboss.system:service=MainDeployer


          org.jboss.deployment.DeploymentSorter
          <!--


          <!-- Files starting with theses strings are ignored -->
          #,%,\,,.,_$
          <!-- Files ending with theses strings are ignored -->
          #,$,%,~,\,v,.BAK,.bak,.old,.orig,.tmp,.rej,.sh
          <!-- Files matching with theses strings are ignored -->
          .make.state,.nse_depinfo,CVS,CVS.admin,RCS,RCSLOG,SCCS,TAGS,core,tags


          <!-- Frequency in milliseconds to rescan the URLs for changes -->
          5000
          <!-- A flag to disable the scans -->
          true


          deploy/


          True






          jndi.properties
          ----------------------------------------------------------------------------------------------
          java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
          java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces

          # Do NOT uncomment this line as it causes in VM calls to go over
          # RMI!
          java.naming.provider.url=localhost:1099


          login-config.xml
          ----------------------------------------------------------------


          <application-policy name="myPolicy">

          <login-module code="org.jboss.security.ClientLoginModule" flag="required">
          </login-module>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <module-option name="managedConnectionFactoryName">
          jboss.jca:service=LocalTxCM,name=MySqlDS
          </module-option>
          <module-option name="dsJndiName">
          java:/MySqlDS
          </module-option>
          <module-option name="principalsQuery">
          SELECT PASSWD FROM PUBLIC.PRINCIPALS WHERE USERID=?
          </module-option>
          <module-option name="rolesQuery">
          SELECT ROLEID 'Roles', ROLEGROUP 'RoleGroups' FROM PUBLIC.ROLES WHERE USERID=?
          </module-option>
          </login-module>

          </application-policy>

          <application-policy name = "client-login">

          <login-module code = "org.jboss.security.ClientLoginModule"
          flag = "required">
          <!-- Any existing security context will be restored on logout -->
          <module-option name="restore-login-identity">true</module-option>
          </login-module>

          </application-policy>

          <!-- Security domain for JBossMQ -->
          <application-policy name = "jbossmq">

          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
          flag = "required">
          <module-option name = "unauthenticatedIdentity">guest</module-option>
          <module-option name = "dsJndiName">java:/DefaultDS</module-option>
          <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
          <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
          </login-module>

          </application-policy>

          <!-- Security domains for testing new jca framework -->
          <application-policy name = "HsqlDbRealm">

          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
          flag = "required">
          <module-option name = "principal">sa</module-option>
          <module-option name = "userName">sa</module-option>
          <module-option name = "password"></module-option>
          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
          </login-module>

          </application-policy>

          <application-policy name = "MySqlDbRealm">

          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
          <module-option name ="principal">smsuser</module-option>
          <module-option name ="userName">smsuser</module-option>
          <module-option name ="password">smsuser</module-option>
          <module-option name ="managedConnectionFactoryName">
          jboss.jca:service=LocalTxCM,name=MySqlDS
          </module-option>
          </login-module>

          </application-policy>

          <application-policy name = "JmsXARealm">

          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
          flag = "required">
          <module-option name = "principal">guest</module-option>
          <module-option name = "userName">guest</module-option>
          <module-option name = "password">guest</module-option>
          <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
          </login-module>

          </application-policy>

          <!-- A template configuration for the jmx-console web application. This
          defaults to the UsersRolesLoginModule the same as other and should be
          changed to a stronger authentication mechanism as required.
          -->
          <application-policy name = "jmx-console">

          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag = "required">
          <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
          <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
          </login-module>

          </application-policy>

          <!-- A template configuration for the web-console web application. This
          defaults to the UsersRolesLoginModule the same as other and should be
          changed to a stronger authentication mechanism as required.
          -->
          <application-policy name = "$webConsoleDomain">

          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag = "required">
          <module-option name="usersProperties">web-console-users.properties</module-option>
          <module-option name="rolesProperties">web-console-roles.properties</module-option>
          </login-module>

          </application-policy>

          <!-- A template configuration for the JBossWS web application (and transport layer!).
          This defaults to the UsersRolesLoginModule the same as other and should be
          changed to a stronger authentication mechanism as required.
          -->
          <application-policy name="JBossWS">

          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag="required">
          <module-option name="usersProperties">props/jbossws-users.properties</module-option>
          <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
          <module-option name="unauthenticatedIdentity">anonymous</module-option>
          </login-module>

          </application-policy>

          <!-- The default login configuration used by any security domain that
          does not have a application-policy entry with a matching name
          -->
          <application-policy name = "other">
          <!-- A simple server login module, which can be used when the number
          of users is relatively small. It uses two properties files:
          users.properties, which holds users (key) and their password (value).
          roles.properties, which holds users (key) and a comma-separated list of
          their roles (value).
          The unauthenticatedIdentity property defines the name of the principal
          that will be used when a null username and password are presented as is
          the case for an unuathenticated web client or MDB. If you want to
          allow such users to be authenticated add the property, e.g.,
          unauthenticatedIdentity="nobody"
          -->

          <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag = "required" />

          </application-policy>




          mysql-ds.xml
          ----------------------------------------------------------

          <local-tx-datasource>
          <jndi-name>MySqlDS</jndi-name>
          <connection-url>jdbc:mysql://localhost:3306/PUBLIC</connection-url>
          <driver-class>com.mysql.jdbc.Driver</driver-class>
          <user-name>smsuser</user-name>
          smsuser
          <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter</exception-sorter-class-name>
          <!-- should only be used on drivers after 3.22.1 with "ping" support
          <valid-connection-checker-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLValidConnectionChecker</valid-connection-checker-class-name>
          -->
          <!-- sql to call when connection is created
          <new-connection-sql>some arbitrary sql</new-connection-sql>
          -->
          <!-- sql to call on an existing pooled connection when it is obtained from pool - MySQLValidConnectionChecker is preferred for newer drivers
          <check-valid-connection-sql>some arbitrary sql</check-valid-connection-sql>
          -->
          <security-domain>MySqlDbRealm</security-domain>
          <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->

          <type-mapping>mySQL</type-mapping>

          </local-tx-datasource>



          server.xml
          -------------------------------------------------------------------




          <!-- A HTTP/1.1 Connector on port 8080 -->



          <!-- A AJP 1.3 Connector on port 8009 -->


          <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->





          <!-- The JAAS based authentication and authorization realm implementation
          that is compatible with the jboss 3.2.x realm implementation.
          - certificatePrincipal : the class name of the
          org.jboss.security.auth.certs.CertificatePrincipal impl
          used for mapping X509[] cert chains to a Princpal.
          - allRolesMode : how to handle an auth-constraint with a role-name=*,
          one of strict, authOnly, strictAuthOnly
          + strict = Use the strict servlet spec interpretation which requires
          that the user have one of the web-app/security-role/role-name
          + authOnly = Allow any authenticated user
          + strictAuthOnly = Allow any authenticated user only if there are no
          web-app/security-roles


          -->
          <!-- A subclass of JBossSecurityMgrRealm that uses the authentication
          behavior of JBossSecurityMgrRealm, but overrides the authorization
          checks to use JACC permissions with the current java.security.Policy
          to determine authorized access.
          - allRolesMode : how to handle an auth-constraint with a role-name=*,
          one of strict, authOnly, strictAuthOnly
          + strict = Use the strict servlet spec interpretation which requires
          that the user have one of the web-app/security-role/role-name
          + authOnly = Allow any authenticated user
          + strictAuthOnly = Allow any authenticated user only if there are no
          web-app/security-roles
          -->







          <!-- -->





          <!-- Uncomment to check for unclosed connections and transaction terminated checks
          in servlets/jsps.
          Important: You need to uncomment the dependency on the CachedConnectionManager
          in META-INF/jboss-service.xml
          -->












          loginj.jsp :FORM AUTHENTICATION
          ----------------------------------------------------------------
          <%@ page language="java" contentType="text/html; charset=UTF-8"
          pageEncoding="UTF-8"%>
          <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


          <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
          <%

          response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
          response.setHeader("Pragma","no-cache"); //HTTP 1.0
          response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
          %>
          Login


          <form method="POST" action="<%= response.encodeURL("j_security_check") %>" >


          Username:



          Password:












          PostLoginFilter.java
          -------------------------------------
          package com.sms;

          import java.io.IOException;

          import javax.servlet.Filter;
          import javax.servlet.FilterChain;
          import javax.servlet.FilterConfig;
          import javax.servlet.ServletException;
          import javax.servlet.ServletRequest;
          import javax.servlet.ServletResponse;


          public class PostLoginFilter implements Filter {
          private FilterConfig config = null;

          public void init(FilterConfig config) throws ServletException {
          this.config = config;
          }

          public void destroy() {
          config = null;
          }
          public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain
          filterChain) throws IOException, ServletException {

          System.out.println("Before j_security_check");
          filterChain.doFilter(servletRequest, servletResponse);
          System.out.println("After j_security_check");

          }

          }

          What Is missing?
          Please Help