I'm using jboss-4.0.5.GA installed with the ejb3 "flavor". I'm using the default install.
Playing around with securing some web content. I created a login.html page for now that has the proper fields: j_username & j_password. Its post action references j_security_check.
<?xml version="1.0" encoding="UTF-8"?> <jboss-web> <security-domain>java:/jaas/SPDB</security-domain> </jboss-web>
<web-app> <security-constraint> <web-resource-collection> <web-resource-name>All resources</web-resource-name> <description>Protects all resources</description> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>MyUser</role-name> </auth-constraint> </security-constraint> <security-role> <description>My User Role</description> <role-name>MyUser</role-name> </security-role> <login-config> <auth-method>FORM</auth-method> <realm-name>SPDB</realm-name> <form-login-config> <form-login-page>/login.html</form-login-page> <form-error-page>/error.html</form-error-page> </form-login-config> </login-config> </web-app>
I've copied one of the other application-policy sections from login-config.xml trying to get some sort of response out of JBoss in the log files. This is what I've added in to login-config.xml right now (in $JBOSS_HOME/server/default/conf):
<application-policy name = "SPDB"> <authentication> <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required"> <module-option name = "unauthenticatedIdentity">guest</module-option> <module-option name = "dsJndiName">java:/polarDS</module-option> <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option> <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option> </login-module> </authentication> </application-policy>
Here is what happens: when I hit the URL of a secured jsp page, the login page comes up as it should. When I type in the user name, pw and hit "login", I immediately get the error page.
The JBoss console and log files don't even show a single message when I press "login" - let alone showing an entry that anything went wrong..
In fact, the startup logs don't even mention the new application-policy (called "SPDB"); they should - shouldn't they?
I'm left thinking that perhaps JAAS isn't even turned on. Being a newbie, I've poured through the documentation and can't find anything on "turning on" JAAS security - it appears to be turned on by default (am I wrong there?).
I expect I'm missing something simple, and I would appreciate any pointers that you can provide...