0 Replies Latest reply on May 9, 2005 11:29 AM by Matthew Shalorne

    FORM based security

    Matthew Shalorne Newbie

      I am using jboss-4.0.0RC2. I am trying to use form-based declarative security. My web.xml is:

      <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
       version="2.4">
      
       <display-name>Certification</display-name>
       <description>no description</description>
      
       <servlet>
       <servlet-name>showlogs</servlet-name>
       <display-name>Show Logs</display-name>
       <description>no description</description>
       <servlet-class>com.onestraw.servlets.ShowLogs</servlet-class>
       </servlet>
       <servlet-mapping>
       <servlet-name>showlogs</servlet-name>
       <url-pattern>/sec/showlogs</url-pattern>
       </servlet-mapping>
      
       <security-role>
       <role-name>admin</role-name>
       </security-role>
       <security-role>
       <role-name>users</role-name>
       </security-role>
       <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>certification</realm-name>
       <form-login-config>
       <form-login-page>/login.html</form-login-page>
       <form-error-page>/loginError.html</form-error-page>
       </form-login-config>
       </login-config>
       <security-constraint>
       <web-resources-collection>
       <web-resource-name>Show Log Records</web-resource-name>
       <url-pattern>/sec/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       </web-resources-collection>
       <auth-constraint>
       <role-name>admin</role-name>
       </auth-constraint>
       </security-constraint>
      </web-app>

      My jboss-web.xml is:
      <jboss-web>
       <!-- Uncomment the security-domain to enable security. You will
       need to edit the htmladaptor login configuration to setup the
       login modules used to authentication users.-->
       <security-domain>java:/jaas/certification</security-domain>
      
      </jboss-web>
      

      I have added this to my login-config:
      <application-policy name = "certification">
       <authentication>
       <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required" />
       </authentication>
       </application-policy>

      My user.properties has:
      matthew=frodo
      kaylene=bilbo

      and my roles.properties has:
      matthew=admin,users
      kaylene=users

      both files being in my classes dir in my war.
      I am expecting the server to present me with my login form page when I try to access /sec/showlogs but instead it lets me access that servlet without any authentication. Does anyone know what I am doing wrong?

      Thx,

      Matthew