FORM based security
streagan2 May 9, 2005 11:29 AM

I am using jboss-4.0.0RC2. I am trying to use form-based declarative security. My web.xml is:

    <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
             version="2.4">
      <display-name>Certification</display-name>
      <description>no description</description>
      <servlet>
        <servlet-name>showlogs</servlet-name>
        <display-name>Show Logs</display-name>
        <description>no description</description>
        <servlet-class>com.onestraw.servlets.ShowLogs</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>showlogs</servlet-name>
        <url-pattern>/sec/showlogs</url-pattern>
      </servlet-mapping>
      <security-role>
        <role-name>admin</role-name>
      </security-role>
      <security-role>
        <role-name>users</role-name>
      </security-role>
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>certification</realm-name>
        <form-login-config>
          <form-login-page>/login.html</form-login-page>
          <form-error-page>/loginError.html</form-error-page>
        </form-login-config>
      </login-config>
      <security-constraint>
        <web-resources-collection>
          <web-resource-name>Show Log Records</web-resource-name>
          <url-pattern>/sec/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resources-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
      </security-constraint>
    </web-app>
My jboss-web.xml is:
    <jboss-web>
      <!-- Uncomment the security-domain to enable security. You will need to
           edit the htmladaptor login configuration to set up the login modules
           used to authenticate users. -->
      <security-domain>java:/jaas/certification</security-domain>
    </jboss-web>
I have added this to my login-config:
    <application-policy name="certification">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required" />
      </authentication>
    </application-policy>
My user.properties has:
    matthew=frodo
    kaylene=bilbo
and my roles.properties has:
    matthew=admin,users
    kaylene=users
Both files are in the classes dir in my war.

I am expecting the server to present me with my login form page when I try to access /sec/showlogs, but instead it lets me access that servlet without any authentication. Does anyone know what I am doing wrong?
Thx,
Matthew
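An added audit script, not part of the original post: it parses a web.xml and reports which url-patterns are actually covered by a security-constraint, flagging any child element of security-constraint that the Servlet 2.4 schema does not define (the schema name is web-resource-collection; a lenient container can silently ignore a misspelt element, leaving the path unprotected). The embedded web.xml is a trimmed copy of the one posted above; the corrected variant is constructed in the usage shown.

```python
"""Audit the security-constraint section of a Servlet 2.4 web.xml.

Added example. WEB_XML is a trimmed copy of the posted deployment descriptor;
SC_CHILDREN lists the element names the Servlet 2.4 schema allows directly
under <security-constraint>.
"""
import xml.etree.ElementTree as ET

J2EE = "http://java.sun.com/xml/ns/j2ee"
SC_CHILDREN = {"display-name", "web-resource-collection",
               "auth-constraint", "user-data-constraint"}

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resources-collection>
      <web-resource-name>Show Log Records</web-resource-name>
      <url-pattern>/sec/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resources-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def tag(elem):
    """Return the element's local name without the namespace prefix."""
    return elem.tag.split("}", 1)[1] if "}" in elem.tag else elem.tag


def audit_constraints(xml_text):
    """Return (protected, unknown).

    protected maps each url-pattern inside a correctly named
    web-resource-collection to the roles allowed by auth-constraint;
    unknown lists children of security-constraint not in the schema."""
    root = ET.fromstring(xml_text)
    protected, unknown = {}, []
    for sc in root.iter(f"{{{J2EE}}}security-constraint"):
        unknown.extend(tag(c) for c in sc if tag(c) not in SC_CHILDREN)
        roles = [r.text.strip() for ac in sc if tag(ac) == "auth-constraint"
                 for r in ac if tag(r) == "role-name"]
        for wrc in sc:
            if tag(wrc) == "web-resource-collection":
                for up in wrc:
                    if tag(up) == "url-pattern":
                        protected[up.text.strip()] = roles
    return protected, unknown


if __name__ == "__main__":
    print(audit_constraints(WEB_XML))  # ({}, ['web-resources-collection'])
    fixed = WEB_XML.replace("web-resources-collection", "web-resource-collection")
    print(audit_constraints(fixed))    # ({'/sec/*': ['admin']}, [])
```

Running it against the posted descriptor shows no pattern is protected, which matches the behaviour described; the renamed element is the only change needed for /sec/* to require the admin role.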