0 Replies Latest reply on May 9, 2005 11:29 AM by streagan2

    FORM based security

    streagan2

      I am using jboss-4.0.0RC2. I am trying to use form-based declarative security. My web.xml is:

      <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
               version="2.4">

        <display-name>Certification</display-name>
        <description>no description</description>

        <servlet>
          <servlet-name>showlogs</servlet-name>
          <display-name>Show Logs</display-name>
          <description>no description</description>
          <servlet-class>com.onestraw.servlets.ShowLogs</servlet-class>
        </servlet>
        <servlet-mapping>
          <servlet-name>showlogs</servlet-name>
          <url-pattern>/sec/showlogs</url-pattern>
        </servlet-mapping>

        <security-role>
          <role-name>admin</role-name>
        </security-role>
        <security-role>
          <role-name>users</role-name>
        </security-role>
        <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>certification</realm-name>
          <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/loginError.html</form-error-page>
          </form-login-config>
        </login-config>
        <security-constraint>
          <web-resources-collection>
            <web-resource-name>Show Log Records</web-resource-name>
            <url-pattern>/sec/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
          </web-resources-collection>
          <auth-constraint>
            <role-name>admin</role-name>
          </auth-constraint>
        </security-constraint>
      </web-app>

      My jboss-web.xml is:
      <jboss-web>
        <!-- Uncomment the security-domain to enable security. You will
             need to edit the htmladaptor login configuration to set up the
             login modules used to authenticate users. -->
        <security-domain>java:/jaas/certification</security-domain>
      </jboss-web>
      

      I have added this to my login-config:
      <application-policy name="certification">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                        flag="required" />
        </authentication>
      </application-policy>

      My user.properties has:
      matthew=frodo
      kaylene=bilbo

      and my roles.properties has:
      matthew=admin,users
      kaylene=users

      Both files are in the classes dir of my war.
      I am expecting the server to present me with my login form page when I try to access /sec/showlogs, but instead it lets me access that servlet without any authentication. Does anyone know what I am doing wrong?

      Thanks,

      Matthew
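An added example, not part of the original post: the web.xml from the post with its descriptor problems fixed. In the Servlet 2.4 schema the element nested in <security-constraint> is <web-resource-collection> (singular). An element with a different name is not recognised as a resource collection, so the constraint carries no URL patterns and protects nothing, and /sec/showlogs is served without a login, which matches the symptom described above. The xsi:schemaLocation attribute is also corrected to the namespace/location pair the schema expects. Two hardening changes go beyond the original and are additions here: the <http-method> list is dropped, because a constraint that names methods leaves every unlisted method (HEAD, PUT, OPTIONS and so on) unprotected, and a CONFIDENTIAL transport guarantee is added, because FORM authentication otherwise posts the password in cleartext. Servlet class, role names and paths are the ones from the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>Certification</display-name>

  <servlet>
    <servlet-name>showlogs</servlet-name>
    <servlet-class>com.onestraw.servlets.ShowLogs</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>showlogs</servlet-name>
    <url-pattern>/sec/showlogs</url-pattern>
  </servlet-mapping>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>users</role-name>
  </security-role>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>certification</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <!-- Spec element name is web-resource-collection (singular).
         The misspelt variant in the post contributes no URL patterns. -->
    <web-resource-collection>
      <web-resource-name>Show Log Records</web-resource-name>
      <url-pattern>/sec/*</url-pattern>
      <!-- No http-method elements: the constraint then covers every
           method. Listing GET and POST would leave HEAD, PUT, DELETE,
           OPTIONS and TRACE unconstrained. (Addition, not in the post.) -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- Force HTTPS so the FORM login POST does not carry the
         password in cleartext. (Addition, not in the post.) -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

To check the fix, redeploy the war, open a fresh browser session (so no existing session cookie is sent) and request /sec/showlogs: a correctly applied constraint returns /login.html instead of the servlet output, and a user with only the users role should land on /loginError.html or get a 403 after logging in. Two further points to verify that only show up once the login page appears: UsersRolesLoginModule reads users.properties and roles.properties from the classpath by default (WEB-INF/classes is fine), so the file called user.properties in the post would not be found under that name, and the login form itself must POST to j_security_check with fields j_username and j_password or the container will not process it.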