1 Reply Latest reply on Jul 21, 2009 1:55 AM by Christian R

    JAAS Form Authentication always failing

    Doozy Dooze Newbie

      I have a small web application (just a tutorial) that I want to secure with JAAS on Jboss, but it seems I have missed something somewhere, so the authentication is always failing, sending me to the login-error.jsp page I have created and mapped. See code below.

      My environment:
      Jboss 5.0.0GA, Eclipse Ganymede, MySql 5.1.30-community, Windows Vista

      A. The Code

      1. database

      Principals table:
      CREATE TABLE Principals (
      PrincipalID VARCHAR (64) PRIMARY KEY,
      Password VARCHAR (64)
      )
      Roles Table:
      CREATE TABLE Roles (
      PrincipalId varchar(255) NOT NULL default '',
      Role varchar(255) NOT NULL default '',
      RoleGroup varchar(255) NOT NULL default '',
      PRIMARY KEY(PrincipalId)
      )



      2. login-config.xml


      <application-policy name="formbasedPolicyDomainDb">

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag="required">
      <module-option name="dsJndiName">java:/mysqlDs</module-option>
      <module-option name="principalsQuery">
      select Password from Principals where PrincipalID=?</module-option>
      <module-option name="rolesQuery">
      select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalId=?</module-option>
      </login-module>

      </application-policy>




      3. jboss-web.xml

      <jboss-web>
      <security-domain>java:/jaas/formbasedPolicyDomainDb</security-domain>

      <resource-ref>
      <res-ref-name>jdbc/mysqlDs</res-ref-name>
      <jndi-name>java:/jdbc/mysqlDs</jndi-name>
      </resource-ref>
      </jboss-web>


      4. web.xml

      <resource-ref>
      <description>Mysql Datasource mapping</description>
      <res-ref-name>jdbc/mysqlDs</res-ref-name>
      <res-type>javax.sql.DataSource</res-type>
      <res-auth>Container</res-auth>
      </resource-ref>

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Restricted to Secure role</web-resource-name>
      <description>Declarative security</description>
      <url-pattern>/admin/*</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Admin</role-name>
      </auth-constraint>
      </security-constraint>


      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Restricted to Secure role</web-resource-name>
      <description>Declarative security</description>
      <url-pattern>/client/*</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Client</role-name>
      </auth-constraint>
      </security-constraint>

      <security-role>
      <role-name>Admin</role-name>
      </security-role>
      <security-role>
      <role-name>User</role-name>
      </security-role>
      <security-role>
      <role-name>Client</role-name>
      </security-role>


      <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
      </form-login-config>
      </login-config>


      Note that I have the data source with JNDI name jdbc/mysqlDs mapped in Mysql-ds.xml, deployed in the Jboss_home/../deploy directory.




      5. Index.jsp

      <a href="<%= request.getContextPath() %>/admin/admin.jsp">Admin Page</a>

      <a href="<%= request.getContextPath() %>/client/client.jsp">Client Page</a>

      <a href="<%= request.getContextPath() %>/logout.jsp">Log out</a>


      When users try to go to either admin.jsp or client.jsp, they are correctly redirected to login.jsp if they are not logged in.





      6. Login.jsp

      <html>
      <head><title>login page</title></head>
      <body>
      <form method="POST" action="j_security_check">
      Username: <input type="text" name="j_username">
      Password: <input type="password" name="j_password">
      <input type="submit" value="Login">
      </form>
      </body>
      </html>



      The issue:

      The authentication does not work; it always sends me to login-error.jsp, mapped in web.xml.

      I don't know what j_security_check is and I can't seem to tie it in with my login module DatabaseServerLoginModule defined in login-config.xml.

      I have seen elsewhere that I may need to write a callback handler, but how do I tie it in with j_security_check and my login module?

      Please help:

      Here is an output from my Jboss log. I have enabled security logging so I can see the username being authenticated. user3 below in the log has the role called Client in the Roles table, and this Client role is mapped correctly in web.xml.
      If you wish to see my war file, please email me at dooze77 at gmail dot com

      2009-07-18 06:57:07,180 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted to Secure role]' against GET /client/client.jsp --> false
      2009-07-18 06:57:07,180 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted to Secure role]' against GET /client/client.jsp --> true
      2009-07-18 06:57:07,180 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted to Secure role]' against GET /client/client.jsp --> false
      2009-07-18 06:57:07,181 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-1) Checking constraint 'SecurityConstraint[Restricted to Secure role]' against GET /client/client.jsp --> true
      2009-07-18 06:57:07,181 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Calling hasUserDataPermission()
      2009-07-18 06:57:07,181 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-1) User data constraint has no restrictions
      2009-07-18 06:57:07,184 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Calling authenticate()
      2009-07-18 06:57:07,184 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-1) Save request in session '1A8034E59C5FF30260B6699B53356B69'
      2009-07-18 06:57:07,205 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/JAASFormAuth].[jsp]] (http-127.0.0.1-8080-1) Disabling the response for futher output
      2009-07-18 06:57:07,205 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Failed authenticate() test
      2009-07-18 06:57:16,864 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-1) Requested cookie session id is 1A8034E59C5FF30260B6699B53356B69
      2009-07-18 06:57:16,865 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Security checking request POST /JAASFormAuth/client/j_security_check
      2009-07-18 06:57:16,866 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-1) Authenticating username 'user3'
      2009-07-18 06:57:16,873 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/JAASFormAuth].[jsp]] (http-127.0.0.1-8080-1) Disabling the response for futher output
      2009-07-18 06:57:16,873 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-1) Failed authenticate() test ??/JAASFormAuth/client/j_security_check

      2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1247925469443 sessioncount 0
      2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
      2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1247925469443 sessioncount 0
      2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
      2009-07-18 06:57:49,443 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1247925469443 sessioncount 0
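The following is an added example, not part of the original thread and not JBoss's own code. It replays, against an in-memory SQLite copy of the schema posted above, the two SQL steps that DatabaseServerLoginModule performs when the form posts to j_security_check: run principalsQuery and compare the returned password with the submitted one, then run rolesQuery and collect roles by group. It uses the poster's queries verbatim, alongside the documented form `select Role, 'Roles' from Roles where PrincipalId=?`, to show one contract worth checking: in both MySQL and SQLite, `Role 'Roles'` is a column alias, so the second column of the posted rolesQuery carries whatever the RoleGroup column holds, and only roles in the group literally named `Roles` are visible to the web container's `<auth-constraint>` checks. The table rows and the password values are constructed for the example.

```python
import hmac
import sqlite3

# Queries copied from the posted login-config.xml. "Role 'Roles'" is a column
# alias, so the second result column is the data stored in RoleGroup, not the
# string 'Roles'.
PRINCIPALS_QUERY = "select Password from Principals where PrincipalID=?"
ROLES_QUERY_POSTED = (
    "select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalId=?"
)
# The form the JBoss documentation uses: the second column is the literal
# group name, regardless of what the table holds.
ROLES_QUERY_LITERAL = "select Role, 'Roles' from Roles where PrincipalId=?"

WEB_ROLE_GROUP = "Roles"  # the only group the web container maps to role names


def build_db():
    """In-memory SQLite database using the schema from the post.
    The rows are constructed sample data, not taken from the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Principals (
            PrincipalID VARCHAR(64) PRIMARY KEY,
            Password VARCHAR(64)
        );
        CREATE TABLE Roles (
            PrincipalId VARCHAR(255) NOT NULL DEFAULT '',
            Role VARCHAR(255) NOT NULL DEFAULT '',
            RoleGroup VARCHAR(255) NOT NULL DEFAULT '',
            PRIMARY KEY (PrincipalId)
        );
        INSERT INTO Principals VALUES ('user3', 'pw-user3');
        INSERT INTO Principals VALUES ('user1', 'pw-user1');
        -- user3's RoleGroup is spelled exactly 'Roles'
        INSERT INTO Roles VALUES ('user3', 'Client', 'Roles');
        -- user1's RoleGroup holds another value, so with the posted query
        -- Admin never lands in the 'Roles' group
        INSERT INTO Roles VALUES ('user1', 'Admin', 'Authorization');
        """
    )
    return conn


def login(conn, username, password, roles_query):
    """Replay what the login module does for one j_security_check POST.
    Returns {group_name: {role, ...}} on success, None on failure."""
    row = conn.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None:
        return None  # no matching principal
    # Without the hashAlgorithm/hashEncoding module options the module compares
    # the stored value with the submitted password as-is; compare_digest just
    # keeps this simulation free of a timing side channel.
    if not hmac.compare_digest(row[0].encode(), password.encode()):
        return None  # password mismatch
    groups = {}
    for role, group in conn.execute(roles_query, (username,)):
        groups.setdefault(group, set()).add(role)
    return groups


def has_web_role(groups, role):
    """What an <auth-constraint><role-name> check sees: the 'Roles' group only."""
    if groups is None:
        return False
    return role in groups.get(WEB_ROLE_GROUP, set())


if __name__ == "__main__":
    db = build_db()
    attempts = (("user3", "pw-user3"), ("user1", "pw-user1"), ("user3", "wrong"))
    for user, pw in attempts:
        for label, query in (("posted", ROLES_QUERY_POSTED), ("literal", ROLES_QUERY_LITERAL)):
            groups = login(db, user, pw, query)
            print(f"{user} ({label} rolesQuery): groups={groups} "
                  f"Client={has_web_role(groups, 'Client')} "
                  f"Admin={has_web_role(groups, 'Admin')}")
```

Two things to take from the run: a wrong password or unknown principal fails at the first query, which is the step the FormAuthenticator reports as "Failed authenticate() test"; a principal whose RoleGroup value is not exactly `Roles` authenticates but holds no web roles, which would surface as a 403 after login rather than a trip to the error page. Separately, because the module compares the Password column as-is unless hashAlgorithm and hashEncoding are configured, this schema stores passwords in the clear.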