2 Replies Latest reply on Aug 4, 2005 4:11 AM by Debopam Poddar

    Problem with jboss-web.xml : role mapping doesn't work for m

    Dominique Jean-Prost Newbie

      I already posted the same message on the servlet newsgroup. I'm trying this one too, just in case.
      ***************
      I'm currently trying to migrate a webapp from weblogic8.1 to JBoss, and I'm running into a problem I didn't have with WLS.

      My webapp has a <security-constraint> section with <auth-constraint>. I'm using Form authentication with DB Realm. My problem is that I can log in to my webapp, but I get a 403 saying I'm not allowed to access resources.

      I checked several things:
      - I can log in, i.e. login/password are checked against the DB, so this part works. If I give a wrong password, I get the <form-error-page> page.
      - I added a piece of code in my 403.jsp. I added 3 lines:
      0. System.out.println(request.getRemoteUser()); --> returns djeanprost
      1. System.out.println(request.isUserInRole("collaborateur")); where collaborateur is a group of my group table. --> returns true, which is normal to me.
      2. System.out.println(request.isUserInRole("utilisateurCollaborateur")); --> false
      utilisateurCollaborateur is a role I specified in the <auth-constraint> section in the web.xml. I also have a <security-role> section where I declare the utilisateurCollaborateur role name. In my jboss-web.xml, I have:
      <security-role>
      <role-name>utilisateurCollaborateur</role-name>
      <principal-name>collaborateur</principal-name>
      <principal-name>djeanprost</principal-name>
      </security-role>

      where I map utilisateurCollaborateur to collaborateur and djeanprost. I added the principal name djeanprost as a test: it does not work either.

      I conclude the mapping from utilisateurCollaborateur to collaborateur is not done.

      Where am I wrong?

      Regards,

        • 2. Re: Problem with jboss-web.xml : role mapping doesn't work f
          Debopam Poddar Newbie

          - Add the following to the application's web.xml file:
          <security-constraint>
          <web-resource-collection>
          <web-resource-name>Admin Console</web-resource-name>
          <url-pattern>/admin/abc.jsp</url-pattern>

          <http-method>POST</http-method>
          <http-method>GET</http-method>
          </web-resource-collection>
          <auth-constraint>
          <role-name>administrators</role-name>
          </auth-constraint>
          </security-constraint>

          Similarly, other groups/roles and URL patterns are added in web.xml.

          - Change login-config.xml in the %JBOSS_HOME%/server/default/conf directory:
          <application-policy name = "TEST_SECURITY_DOMAIN">
          <!-- login modules must be nested inside <authentication> -->
          <authentication>
          <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag = "required">
          <module-option name="usersProperties">users.properties</module-option>
          <module-option name="rolesProperties">roles.properties</module-option>
          </login-module>
          </authentication>
          </application-policy>
          (You can put any name in place of "TEST_SECURITY_DOMAIN")
          - Change jboss-web.xml in the %JBOSS_HOME%/server\default\deploy\<your application>\WEB-INF directory:
          <jboss-web>
          <security-domain>java:/jaas/TEST_SECURITY_DOMAIN</security-domain>
          </jboss-web>
          - Add users.properties in the %JBOSS_HOME%/server/default/conf directory
          Add the user name and password in the following format:
          Username = password
          (If the username is abc and the password is pqr, add abc = pqr to users.properties)
          - Add roles.properties in the %JBOSS_HOME%/server/default/conf directory
          Add the user name and role in the following format:
          Username = role (take it from web.xml)
          (If the username is abc and the role is admin, add abc = admin to roles.properties)
          - Add this to web.xml:
          <login-config>
          <!--<auth-method>BASIC</auth-method> -->
          <auth-method>FORM</auth-method>
          <form-login-config>
          <form-login-page>/admin/adminlogin.html</form-login-page>
          <form-error-page>/admin/adminlogin.html</form-error-page>
          </form-login-config>
          </login-config>

          (This tells the server which page is your admin login page.)
          - Add this to your admin login page
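
Added example, not part of either post above: a Python check that cross-references the role names in web.xml's <auth-constraint> with the users.properties and roles.properties files from the reply, because a required role that no user holds produces the "login works, then 403" symptom described in the question. The file contents are constructed samples, and the sketch assumes a DTD-style web.xml without XML namespaces and plain `user = role[,role]` lines.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the thread): web.xml requires
# "administrators", but roles.properties grants "admin" to the only real user.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/abc.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>administrators</role-name></security-role>
</web-app>"""
USERS_PROPERTIES = "abc = pqr\nxyz = secret\n"
ROLES_PROPERTIES = "abc = admin\nghost = administrators\n"

def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and # / ! comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries

def audit(web_xml, users_text, roles_text):
    """Return a list of mismatches between web.xml and the two properties files."""
    root = ET.fromstring(web_xml)
    required = {e.text.strip() for e in root.findall(".//auth-constraint/role-name")}
    declared = {e.text.strip() for e in root.findall("./security-role/role-name")}
    users = parse_properties(users_text)
    granted = {u: {r.strip() for r in v.split(",")}  # user -> set of role names
               for u, v in parse_properties(roles_text).items()}
    findings = []
    for role in sorted(required - declared):
        findings.append(f"role '{role}' is used in <auth-constraint> but not declared in <security-role>")
    for role in sorted(required):
        if not any(role in roles for u, roles in granted.items() if u in users):
            findings.append(f"no user in users.properties holds role '{role}'")
    for user in sorted(set(granted) - set(users)):
        findings.append(f"roles.properties names unknown user '{user}'")
    for user in sorted(set(users) - set(granted)):
        findings.append(f"user '{user}' can log in but has no roles")
    return findings

if __name__ == "__main__":
    for finding in audit(WEB_XML, USERS_PROPERTIES, ROLES_PROPERTIES):
        print(finding)
```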