0 Replies Latest reply on May 5, 2008 6:33 AM by Sam Mohamed

    Problem with JAAS and Declarative Security on JBOSS 4.2.1 GA

    Sam Mohamed Newbie


      I am trying to implement an integration between Declarative Security and JAAS on JBOSS 4.2.1 GA. I have specified in my web.xml file that all jsp files under the directory called "security" are protected and only accessible by the role "Admin". I also specified in the web.xml file that Authentication is done by Login FORM. I then created a configuration for the DatabaseServerLoginModule in login-config.xml, and created a servlet that uses the LoginContext to authorize the user. The Login page's form's action points to this servlet rather than j_security_check. However, it doesn't seem to work, because I can't access the secure pages, even though I enter the correct username and password. Here are my files:


      <!-- web.xml -->
      <web-resource-name>Secure Pages</web-resource-name>
      <description>Secure Pages</description>
      <realm-name>Test Realm</realm-name>
      <description>Admin User</description>


      <!-- login-config.xml -->
      <application-policy name = "testDB">
        <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                        flag = "required">
            <!-- unauthenticatedIdentity: a login with no username is accepted as "guest" -->
            <module-option name = "unauthenticatedIdentity">guest</module-option>
            <module-option name = "dsJndiName">java:/testDB</module-option>
            <module-option name = "principalsQuery">SELECT password from Principals where PrincipalID =?</module-option>
            <module-option name = "rolesQuery">SELECT Role, Rolegroup FROM roles WHERE principalid=?</module-option>
          </login-module>
        </authentication>
      </application-policy>




      <!-- login page -->
      <FORM name="logonForm" action="loginservlet" METHOD="POST">
      <TABLE width="100%" border="0" cellspacing="0" cellpadding="1" bgcolor="white">
      <TR><TD>
      <TABLE width="100%" border="0" cellspacing="0" cellpadding="5">
      <TR align="center">
      <TD align="right" class="Prompt"></TD>
      <TD align="left"><INPUT type="text" name="j_username" maxlength="20"></TD>
      </TR>
      <TR align="center">
      <TD align="right" class="Prompt"> </TD>
      <TD align="left"><INPUT type="password" name="j_password" maxlength="20"></TD>
      </TR>
      <TR align="center">
      <TD align="right" class="Prompt"> </TD>
      <TD align="left"><input type="submit" value="Login"></TD>
      </TR>
      </TABLE>
      </TD></TR>
      </TABLE>
      </FORM>


      // login servlet (doPost); SimplePrincipal and SecurityAssociationHandler are org.jboss.security classes
      try {
        SecurityAssociationHandler handler = new SecurityAssociationHandler();
        Principal user = new SimplePrincipal(request.getParameter("j_username"));
        handler.setSecurityInfo(user, request.getParameter("j_password"));
        LoginContext loginContext = new LoginContext("testDB", (CallbackHandler) handler);
        loginContext.login(); // runs the "testDB" application-policy login modules
        Subject subject = loginContext.getSubject();
        Set principals = subject.getPrincipals();
        out.println(subject.toString());
      } catch (LoginException e) {
        // authentication failed
      }

      So, those are my files. In the database, I have two tables: one table called Principals, which has the username semsem and password password1, and the other table called roles, which has principalid = semsem, role = Admin, and rolegroup = AdminGroup. What I am trying to do is integrate JAAS and Declarative Security, so that I don't have to programmatically declare which pages are accessed by which type of user. However, when I reach the Login Form and enter the correct username and password, nothing happens, which means that after I enter the correct username and password, I am presented with the login form again. I can verify that the servlet code is correct, because I can directly visit the login page without trying to access it by requesting a secure page, and when I enter the correct username and password, I get a print line of the subject's principals as they are in the database from the line out.println(subject.toString());. That printout is: Subject: Principal: semsem Principal: Admin(members:Admin)

      Your help is very appreciated
      Thank You