0 Replies Latest reply on May 5, 2008 6:33 AM by Sam Mohamed

    Problem with JAAS and Declarative Security on JBOSS 4.2.1 GA

    Sam Mohamed Newbie

      Hello,

      I am trying to implement an integration between Declarative Security and JAAS on JBOSS 4.2.1 GA. I have specified in my web.xml file that all jsp files under the directory called "security" are protected and only accessible by the role "Admin". I also specified in the web.xml file that Authentication is done by Login FORM. I then created a configuration for the DatabaseSeverLoginModule in login-config.xml, and created a servlet that uses the LoginContext to authorize the user. The Login page's form's action points to this servlet rather than j_security_check. However, it doesn't seem to work, because I can't access the secure pages, even though I enter the correct username and password. Here are my files:

      *****web.xml*****

      <servlet>
      <servlet-name>loginservlet</servlet-name>
      <servlet-class>loginservlet</servlet-class>
      </servlet>
      <servlet-mapping>
      <servlet-name>loginservlet</servlet-name>
      <url-pattern>/loginservlet</url-pattern>
      </servlet-mapping>
      <session-config>
      <session-timeout>
      30
      </session-timeout>
      </session-config>
      <welcome-file-list>
      <welcome-file>index.jsp</welcome-file>
      </welcome-file-list>
      <security-constraint>
      <display-name>Constraint1</display-name>
      <web-resource-collection>
      <web-resource-name>Secure Pages</web-resource-name>
      <description>Secure Pages</description>
      <url-pattern>/security/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
      <description>Admin</description>
      <role-name>Admin</role-name>
      </auth-constraint>
      </security-constraint>
      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Test Realm</realm-name>
      <form-login-config>
      <form-login-page>/Login.jsp</form-login-page>
      <form-error-page>/Error.jsp</form-error-page>
      </form-login-config>
      </login-config>
      <security-role>
      <description>Admin User
      </description>
      <role-name>Admin</role-name>
      </security-role>
      </web-app>


      *****login-conf.xml*****


      <application-policy name = "testDB">
      <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "dsJndiName">java:/testDB</module-option>
      <module-option name = "principalsQuery">SELECT password from Principals where PrincipalID =?</module-option>
      <module-option name = "rolesQuery">SELECT Role, Rolegroup FROM roles WHERE principalid=?</module-option>
      </login-module>
      </authentication>
      </application-policy>


      ****jboss-web.xml****

      <jboss-web>
      <security-domain>java:/jaas/testDB</security-domain>
      <context-root>/testJBOSSsecurity</context-root>
      </jboss-web>


      ****Login.jsp*****


      <FORM name="logonForm" action="loginservlet" METHOD="POST">
      <TABLE width="100%" border="0" cellspacing="0" cellpadding=
      "1" bgcolor="white">
      <TABLE width="100%" border="0" cellspacing=
      "0" cellpadding="5">
      <TR align="center">
      <TD align="right" class="Prompt"></TD>
      <TD align="left">
      <INPUT type="text" name="j_username" maxlength=20>
      </TD>
      </TR>
      <TR align="center">
      <TD align="right" class="Prompt"> </TD>
      <TD align="left">
      <INPUT type="password"
      name="j_password" maxlength=20 >
      <BR>
      <TR align="center">
      <TD align="right" class="Prompt"> </TD>
      <TD align="left">
      <input type="submit" value="Login">


      ****loginservlet.java*****

      try {
      SecurityAssociationHandler handler = new
      SecurityAssociationHandler();
      Principal user = new SimplePrincipal(request.getParameter("j_username"));
      handler.setSecurityInfo(user, request.getParameter("j_password"));
      LoginContext loginContext = new LoginContext("testDB",(CallbackHandler)handler);
      loginContext.login();
      Subject subject = loginContext.getSubject();
      Set principals = subject.getPrincipals();
      principals.add(user);
      out.println(subject.toString());
      //response.sendRedirect("securepage.java");
      }


      So, those are my files.....In the database, I have two tables, one table called Principals and that has the username semsem and password password1, and the other table is called roles, which has principleid = semsem, role = Admin, and rolegroup = AdminGroup. What I am trying to do, is integrate JAAS and Declarative Security, so that I don't have to programatically declare which pages are accessed by which type of user. However, When I reach the Login Form and enter the correct username and password, nothing happens, which means that after I enter the correct username and password, I am presented with the login form again....I can verify that the servlet code is correct, because I can directly visit the login page with out trying to access it by requesting a secure page, and I enter the correct username and password, and I get a print line of the subject's principals as they are in the database from the line out.println(subject.toString());, that print out is: Subject: Principal: semsem Principal: Admin(members:Admin)

      Your help is very appreciated
      Thank You

      Sam