2 Replies Latest reply on Mar 17, 2009 11:40 AM by wolfgangknauf

    authentication with no authorization problem

    bjpenn
    bjpenn Mar 17, 2009 7:32 AM

      Well my problem is my application can authenticate but the authorization is not correct, cause i get the jsp page wich tells i cant acces to the jsp due to no having authorization. i am using jboss 5.0.1GA jdk6.So this is the steps i made:

      1-First i changed my jboss-web.xml :

      <?xml version="1.0" encoding="UTF-8" ?>
- <jboss-web>
 <security-domain>java:/jaas/smsJAAS</security-domain>
 <context-root>/jtk_SENIC</context-root>
 </jboss-web>


      2-i set another application-policy in the file /server/default/conf/login-config.xml: 


      <?xml version="1.0" ?>
- <!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.

The outline of the application-policy is:
<application-policy name="security-domain-name">
 <authentication>
 <login-module code="login.module1.class.name" flag="control_flag">
 <module-option name = "option1-name">option1-value</module-option>
 <module-option name = "option2-name">option2-value</module-option>
 ...
 </login-module>

 <login-module code="login.module2.class.name" flag="control_flag">
 ...
 </login-module>
 ...
 </authentication>
</application-policy>

$Id: login-config.xml 76444 2008-07-29 23:50:53Z sguilhen@redhat.com $
$Revision: 76444 $

 -->
- <policy>
- <!-- Used by clients within the application server VM such as
 mbeans and servlets that access EJBs.

 -->
- <application-policy name="smsJAAS">
- <authentication>
- <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
 <module-option name="unauthenticatedIdentity">guest</module-option>
 <module-option name="dsJndiName">java:/smsactjndi</module-option>
 <module-option name="principalsQuery">SELECT contrasena FROM usuarios_v WHERE nomusuario=?</module-option>
 <module-option name="rolesQuery">SELECT nomgrupous, 'Roles' FROM usuarios_v WHERE nomusuario=?</module-option>
 </login-module>
 </authentication>
 </application-policy>
- <application-policy name="client-login">
- <authentication>
- <login-module code="org.jboss.security.ClientLoginModule" flag="required">
- <!-- Any existing security context will be restored on logout
 -->
 <module-option name="restore-login-identity">true</module-option>
 </login-module>
 </authentication>
 </application-policy>
- <!-- Security domains for testing new jca framework
 -->
- <application-policy name="HsqlDbRealm">
- <authentication>
- <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
 <module-option name="principal">sa</module-option>
 <module-option name="userName">sa</module-option>
 <module-option name="password" />
 <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
 </login-module>
 </authentication>
 </application-policy>
- <application-policy name="JmsXARealm">
- <authentication>
- <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
 <module-option name="principal">guest</module-option>
 <module-option name="userName">guest</module-option>
 <module-option name="password">guest</module-option>
 <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
 </login-module>
 </authentication>
 </application-policy>
- <!-- A template configuration for the jmx-console web application. This
 defaults to the UsersRolesLoginModule the same as other and should be
 changed to a stronger authentication mechanism as required.

 -->
- <application-policy name="jmx-console">
- <authentication>
- <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
 <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
 <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
 </login-module>
 </authentication>
 </application-policy>
- <!-- A template configuration for the web-console web application. This
 defaults to the UsersRolesLoginModule the same as other and should be
 changed to a stronger authentication mechanism as required.

 -->
- <application-policy name="web-console">
- <authentication>
- <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
 <module-option name="usersProperties">web-console-users.properties</module-option>
 <module-option name="rolesProperties">web-console-roles.properties</module-option>
 </login-module>
 </authentication>
 </application-policy>
- <!-- A template configuration for the JBossWS security domain.
 This defaults to the UsersRolesLoginModule the same as other and should be
 changed to a stronger authentication mechanism as required.

 -->
- <application-policy name="JBossWS">
- <authentication>
- <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
 <module-option name="usersProperties">props/jbossws-users.properties</module-option>
 <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
 <module-option name="unauthenticatedIdentity">anonymous</module-option>
 </login-module>
 </authentication>
 </application-policy>
- <!-- The default login configuration used by any security domain that
 does not have a application-policy entry with a matching name

 -->
- <application-policy name="other">
- <!-- A simple server login module, which can be used when the number
 of users is relatively small. It uses two properties files:
 users.properties, which holds users (key) and their password (value).
 roles.properties, which holds users (key) and a comma-separated list of
 their roles (value).
 The unauthenticatedIdentity property defines the name of the principal
 that will be used when a null username and password are presented as is
 the case for an unuathenticated web client or MDB. If you want to
 allow such users to be authenticated add the property, e.g.,
 unauthenticatedIdentity="nobody"

 -->
- <authentication>
 <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
 </authentication>
 </application-policy>
 </policy>



      3- configuring my web xml with security constraints: 

      <?xml version="1.0" encoding="UTF-8" ?>
- <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
- <!-- Nombre de la unidad de persistencia para JToolkitFW
 -->
- <context-param>
 <param-name>com.sun.faces.verifyObjects</param-name>
 <param-value>false</param-value>
 </context-param>
- <context-param>
 <param-name>com.sun.faces.validateXml</param-name>
 <param-value>true</param-value>
 </context-param>
- <context-param>
 <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
 <param-value>client</param-value>
 </context-param>
- <context-param>
 <param-name>com.sun.faces.verifyObjects</param-name>
 <param-value>false</param-value>
 </context-param>
- <context-param>
 <param-name>com.sun.faces.validateXml</param-name>
 <param-value>true</param-value>
 </context-param>
- <context-param>
 <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
 <param-value>client</param-value>
 </context-param>
- <env-entry>
 <env-entry-name>jndi_pool</env-entry-name>
 <env-entry-type>java.lang.String</env-entry-type>
 <env-entry-value>jndi/smsact</env-entry-value>
 </env-entry>
- <servlet>
 <servlet-name>Faces Servlet</servlet-name>
 <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
 <load-on-startup>1</load-on-startup>
- <security-role-ref>
 <description />
 <role-name>suscriptores</role-name>
 <role-link>suscriptores</role-link>
 </security-role-ref>
- <security-role-ref>
 <description />
 <role-name>promotores</role-name>
 <role-link>promotores</role-link>
 </security-role-ref>
- <security-role-ref>
 <description />
 <role-name>mensajes</role-name>
 <role-link>mensajes</role-link>
 </security-role-ref>
- <security-role-ref>
 <description />
 <role-name>categorias</role-name>
 <role-link>categorias</role-link>
 </security-role-ref>
- <security-role-ref>
 <description />
 <role-name>envio_directo</role-name>
 <role-link>envio_directo</role-link>
 </security-role-ref>
- <security-role-ref>
 <description />
 <role-name>perfiles</role-name>
 <role-link>perfiles</role-link>
 </security-role-ref>
- <security-role-ref>
 <description>adming</description>
 <role-name>adming</role-name>
 <role-link>adming</role-link>
 </security-role-ref>
 </servlet>
- <!-- #Security constraints
 -->
- <error-page>
 <error-code>403</error-code>
 <location>/error/acceso_denegado.jsp</location>
 </error-page>
- <security-constraint>
 <display-name>principal</display-name>
- <web-resource-collection>
 <web-resource-name>principal</web-resource-name>
 <description />
 <url-pattern>/faces/principal.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 <http-method>HEAD</http-method>
 <http-method>PUT</http-method>
 <http-method>OPTIONS</http-method>
 <http-method>TRACE</http-method>
 <http-method>DELETE</http-method>
 </web-resource-collection>
- <auth-constraint>
 <role-name>mensajes</role-name>
 <role-name>suscriptores</role-name>
 <role-name>promotores</role-name>
 <role-name>categorias</role-name>
 <role-name>envio_directo</role-name>
 <role-name>perfiles</role-name>
 <role-name>adming</role-name>
 </auth-constraint>
 </security-constraint>
- <!-- #Roles
 -->
- <security-constraint>
 <display-name>grabador de suscriptores</display-name>
- <web-resource-collection>
 <web-resource-name>categ_susc</web-resource-name>
 <description />
 <url-pattern>/faces/categ_susc.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 <http-method>HEAD</http-method>
 <http-method>PUT</http-method>
 <http-method>OPTIONS</http-method>
 <http-method>TRACE</http-method>
 <http-method>DELETE</http-method>
 </web-resource-collection>
- <web-resource-collection>
 <web-resource-name>suscriptores</web-resource-name>
 <description />
 <url-pattern>/faces/suscriptores.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 <http-method>HEAD</http-method>
 <http-method>PUT</http-method>
 <http-method>OPTIONS</http-method>
 <http-method>TRACE</http-method>
 <http-method>DELETE</http-method>
 </web-resource-collection>
- <auth-constraint>
 <description />
 <role-name>suscriptores</role-name>
 </auth-constraint>
 </security-constraint>
- <security-constraint>
 <display-name>grabador de mensajes</display-name>
- <web-resource-collection>
 <web-resource-name>mensajes</web-resource-name>
 <description />
 <url-pattern>/faces/mensajes.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 <http-method>HEAD</http-method>
 <http-method>PUT</http-method>
 <http-method>OPTIONS</http-method>
 <http-method>TRACE</http-method>
 <http-method>DELETE</http-method>
 </web-resource-collection>
- <auth-constraint>
 <description />
 <role-name>mensajes</role-name>
 </auth-constraint>
 </security-constraint>
- <security-constraint>
 <display-name>envio directo</display-name>
- <web-resource-collection>
 <web-resource-name>envio_directo</web-resource-name>
 <description />
 <url-pattern>/faces/envio_directo.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 <http-method>HEAD</http-method>
 <http-method>PUT</http-method>
 <http-method>OPTIONS</http-method>
 <http-method>TRACE</http-method>
 <http-method>DELETE</http-method>
 </web-resource-collection>
- <auth-constraint>
 <description />
 <role-name>envio_directo</role-name>
 </auth-constraint>
 </security-constraint>
- <security-constraint>
 <display-name>promotores</display-name>
- <web-resource-collection>
 <web-resource-name>promotores</web-resource-name>
 <description />
 <url-pattern>/faces/promotores.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 <http-method>HEAD</http-method>
 <http-method>PUT</http-method>
 <http-method>OPTIONS</http-method>
 <http-method>TRACE</http-method>
 <http-method>DELETE</http-method>
 </web-resource-collection>
- <auth-constraint>
 <description />
 <role-name>promotores</role-name>
 </auth-constraint>
 </security-constraint>
- <security-constraint>
 <display-name>categorias</display-name>
- <web-resource-collection>
 <web-resource-name>categorias</web-resource-name>
 <description />
 <url-pattern>/faces/categorias.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 <http-method>HEAD</http-method>
 <http-method>PUT</http-method>
 <http-method>OPTIONS</http-method>
 <http-method>TRACE</http-method>
 <http-method>DELETE</http-method>
 </web-resource-collection>
- <auth-constraint>
 <description />
 <role-name>categorias</role-name>
 </auth-constraint>
 </security-constraint>
- <security-constraint>
 <display-name>perfiles</display-name>
- <web-resource-collection>
 <web-resource-name>perfiles</web-resource-name>
 <description />
 <url-pattern>/faces/grupos.jsp</url-pattern>
 <url-pattern>/faces/idiomas.jsp</url-pattern>
 <url-pattern>/faces/entidades.jsp</url-pattern>
 <url-pattern>/faces/sol_informacion.jsp</url-pattern>
 <url-pattern>/faces/usuarios.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 <http-method>HEAD</http-method>
 <http-method>PUT</http-method>
 <http-method>OPTIONS</http-method>
 <http-method>TRACE</http-method>
 <http-method>DELETE</http-method>
 </web-resource-collection>
- <auth-constraint>
 <description />
 <role-name>perfiles</role-name>
 </auth-constraint>
 </security-constraint>
- <security-constraint>
 <display-name>adming</display-name>
- <web-resource-collection>
 <web-resource-name>entidades</web-resource-name>
 <description />
 <url-pattern>/faces/entidadest.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 <http-method>HEAD</http-method>
 <http-method>PUT</http-method>
 <http-method>OPTIONS</http-method>
 <http-method>TRACE</http-method>
 <http-method>DELETE</http-method>
 </web-resource-collection>
- <web-resource-collection>
 <web-resource-name>usuariost</web-resource-name>
 <description />
 <url-pattern>/faces/usuariost.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 <http-method>HEAD</http-method>
 <http-method>PUT</http-method>
 <http-method>OPTIONS</http-method>
 <http-method>TRACE</http-method>
 <http-method>DELETE</http-method>
 </web-resource-collection>
- <auth-constraint>
 <description />
 <role-name>adming</role-name>
 </auth-constraint>
 </security-constraint>
- <login-config>
 <auth-method>FORM</auth-method>
 <realm-name>smsJAAS</realm-name>
- <form-login-config>
 <form-login-page>/login/login.jsp</form-login-page>
 <form-error-page>/login/login.jsp?error=true</form-error-page>
 </form-login-config>
 </login-config>
- <servlet-mapping>
 <servlet-name>Faces Servlet</servlet-name>
 <url-pattern>/faces/*</url-pattern>
 </servlet-mapping>
- <session-config>
 <session-timeout>30</session-timeout>
 </session-config>
- <welcome-file-list>
 <welcome-file>faces/principal.jsp</welcome-file>
 </welcome-file-list>
- <security-role>
 <description>Administracion de mensajes</description>
 <role-name>mensajes</role-name>
 </security-role>
- <security-role>
 <description>Administracion de suscriptores</description>
 <role-name>suscriptores</role-name>
 </security-role>
- <security-role>
 <description>Administracion de los promotores</description>
 <role-name>promotores</role-name>
 </security-role>
- <security-role>
 <description>Administracion de las categorias</description>
 <role-name>categorias</role-name>
 </security-role>
- <security-role>
 <description>Acceso al envio directo</description>
 <role-name>envio_directo</role-name>
 </security-role>
- <security-role>
 <description>Acceso a la administracion de perfiles</description>
 <role-name>perfiles</role-name>
 </security-role>
- <security-role>
 <description>Opciones de administrador general</description>
 <role-name>adming</role-name>
 </security-role>
 </web-app>


      • 1396 Views
      • Tags: