3 Replies Latest reply on Sep 12, 2002 8:59 AM by juha

    Jboss-Tomcat Form Based Authentication

    erocha

      I am new to JBoss and have been trying to set up security Realms for Tomcat (Catalina) and JBoss. I have followed some of the how-tos online. It seems to work in the sense that it displays the login page. Once the login page is displayed and data is entered, it takes me straight to the requested page without validating the username and password.

      Here is what I've done so far:

      1. Added to $JBOSS_HOME/catalina/config/server.xml
      to define a Realm that uses a PostgreSQL database. The driver is in $JBOSS_HOME/lib
      -------------

      --------------

      2. I have the following war file (name=auth.war) and I deploy it by copying it to the $JBOSS_HOME/server/default/deploy directory:
      2.1 Login.html
      --------------
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
      <html>
      <head><title>Tryplec</title></head>
      <body>
      <h1>Welcome to tryplec ! </h1>
      <!-- The container intercepts the POST to j_security_check itself and reads the
           j_username / j_password fields; these three names are fixed by the servlet spec. -->
      <form method="POST" action="j_security_check">
      User Name: <input type="text" name="j_username"><br>
      Password: <input type="password" name="j_password"><br>
      <input type="submit" value="Login">
      </form>
      </body>
      </html>
      ---------------

      2.2 failedLogin.html
      --------------
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
      <html>
      <head><title>Tryplec</title></head>
      <body>
      <h1>Welcome to tryplec ! </h1>
      FAILED
      <!-- Same form as login.html so the user can retry after a failed attempt. -->
      <form method="POST" action="j_security_check">
      User Name: <input type="text" name="j_username"><br>
      Password: <input type="password" name="j_password"><br>
      <input type="submit" value="Login">
      </form>
      </body>
      </html>
      --------------
      2.3 foo.html, just a test file to test access
      ---------------
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
      <html>
      <head><title>YEY!</title></head>
      <body>
      <h1>Welcome to tryplec ! </h1>
      GOT IN
      </body>
      </html>
      ------------------------

      2.4 WEB-INF/web.xml
      -------------
      <?xml version="1.0" encoding="ISO-8859-1"?>

      <!DOCTYPE web-app
      PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
      "http://java.sun.com/dtd/web-app_2_3.dtd">

      <web-app>
      <!-- Default login configuration uses form-based authentication -->
      <!--
      <session-config>
      <session-timeout>720</session-timeout>
      </session-config>
      -->

      <security-constraint>
      <display-name>Secured Tryplec</display-name>
      <web-resource-collection>
      <web-resource-name>TryplecResource</web-resource-name>
      <description>Accessible by authorized users</description>
      <!-- /* already covers /auth/*. Listing http-methods constrains only those
           methods; any method not listed (HEAD, OPTIONS, TRACE, ...) stays unprotected. -->
      <url-pattern>/*</url-pattern>
      <url-pattern>/auth/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
      <description>These are the roles who have access</description>
      <role-name>MA</role-name>
      </auth-constraint>
      <user-data-constraint>
      <!-- NONE sends the form credentials over plain HTTP; CONFIDENTIAL forces SSL -->
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Authorized Tryplec</realm-name>
      <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/failedLogin.html</form-error-page>
      </form-login-config>
      </login-config>

      <!-- every role referenced in an auth-constraint should be declared here -->
      <security-role>
      <role-name>MA</role-name>
      </security-role>
      </web-app>
      ----------------------------



      1. Am I missing any other config files?
      2. Why does it allow me to access any secured files without validating?
      3. I can't seem to find any logs to figure out whether it even tries to access the database


      Any help will be much appreciated

      Thanks

      Efrain
      Just a noob developer


        • 1. Re: Jboss-Tomcat Form Based Authentication

          See jboss-web.xml; there you can set up the security domain that is used by the JBoss JAAS security manager. So, for instance, set up:

          <security-domain>java:/jaas/mywebsec</security-domain>

          Then you need to configure the domain you defined in jboss-web.xml to use DatabaseLoginModule (a JAAS login module that comes with JBoss) in login-config.xml in the server's conf/ directory:

          <application-policy name="mywebsec">
          <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseLoginModule" flag="required">
          <module-option name="dsJndiName">java:/MyDatabaseDS</module-option>
          <module-option name="principalsQuery">select passwd from Users where username=?</module-option>
          <module-option name="rolesQuery">select userRoles, 'Roles' from UserRoles where username=?</module-option>
          </login-module>
          </authentication>
          </application-policy>

          And configure that to use your database to do the authentication. The DB login module assumes a certain table structure by default; you can set your own queries by setting properties for the login module.

          See the 'Getting Started' guide for more details.
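The complete wiring that the original post's steps 1 and 2 lack and that this reply sketches, written out as an added example (not code from the thread or from JBoss itself). Everything named here is an assumption chosen for illustration: the security domain "tryplec", the datasource JNDI name java:/TryplecDS, the table and column names in the queries, and the JBoss 3.x layout of login-config.xml and log4j.xml.

```xml
<!-- 1. auth.war/WEB-INF/jboss-web.xml : binds the war to a JAAS security domain.
     Without this file the security-constraint in web.xml has no realm behind it. -->
<jboss-web>
  <security-domain>java:/jaas/tryplec</security-domain>
</jboss-web>

<!-- 2. $JBOSS_HOME/server/default/conf/login-config.xml : the policy whose name is the
     last element of the JNDI name above. The datasource must already be deployed under
     the JNDI name given in dsJndiName (assumed: java:/TryplecDS, pointing at PostgreSQL). -->
<application-policy name="tryplec">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseLoginModule" flag="required">
      <module-option name="dsJndiName">java:/TryplecDS</module-option>
      <!-- one column: the stored password of the user bound to the '?' placeholder -->
      <module-option name="principalsQuery">select passwd from users where username = ?</module-option>
      <!-- two columns: role name and role group. Only rows whose group is 'Roles'
           are used for the web tier's isUserInRole / auth-constraint checks. -->
      <module-option name="rolesQuery">select role, 'Roles' from user_roles where username = ?</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- Assumed PostgreSQL schema matching the two queries (illustrative data):
       create table users      (username varchar(64) primary key, passwd varchar(64) not null);
       create table user_roles (username varchar(64) references users, role varchar(32) not null);
       insert into users      values ('efrain', 'secret');
       insert into user_roles values ('efrain', 'MA');
     'MA' must be the role named in the web.xml auth-constraint. -->

<!-- 3. $JBOSS_HOME/server/default/conf/log4j.xml : answers "where are the logs?".
     With this category the login module's JNDI lookup and query execution show up
     in server.log, including why a login was rejected. -->
<category name="org.jboss.security">
  <priority value="TRACE" class="org.jboss.logging.XLevel"/>
</category>
```

Two checks worth making before blaming the realm: the policy name in login-config.xml must match the last path element of the security-domain exactly, and the form-login-page path in web.xml (/login.html) must match the file actually in the war (the post lists it as Login.html) on a case-sensitive filesystem. Also note that DatabaseLoginModule as shown compares the value returned by principalsQuery directly with what the user typed, so the passwd column holds plaintext; if the JBoss version in use supports the hashAlgorithm/hashEncoding module options, store a hash instead, and use transport-guarantee CONFIDENTIAL so the form POST is not sent in the clear.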

          • 2. Re: Jboss-Tomcat Form Based Authentication
            erocha

            Juha,

            Thank you for your response. This helped a lot. I have more stupid questions if you don't mind. I wanted Tomcat to do authentication on the JSPs and HTML (front end) only. I believe the back end is somewhat secured right now, and I wanted to concentrate on building a prototype without having to get into JAAS. I set up a Realm for Tomcat but I have no clue how to specify it in the security-domain clause. If I leave it empty it somewhat works. Do I really need to go and look into the JAAS configuration, or can I just specify the Tomcat Realm somehow in the security-domain clause?

            Thanks

            Efrain

            • 3. Re: Jboss-Tomcat Form Based Authentication

              I only know how to secure the web tier using the JBoss security manager (which is JAAS based), as explained in the 'Getting Started' guide and in all of the JBoss documentation. I have no idea how Tomcat or its security works, or even whether our web integration supports Tomcat's own security setup. You'll have to ask on the security forums to find out.

              -- Juha