3 Replies Latest reply on Sep 12, 2002 8:59 AM by Juha Lindfors

    Jboss-Tomcat Form Based Authentication

    Efrain Rocha Newbie

      I am new to Jboss and been trying to setup security Realms for Tomcat (Catalina) and Jboss. I have follow some of the howto's on line. It seems to work in the sense that it will display the login page. Once the login page is displayed and data entered it takes me straight to the requested page without validating the username and password.

      Here is what I've done so far:

      1. added to $JBOSS_HOME/catalina/config/server.xml
      to defined a Realm that uses a postgress Database. The driver is in $JBOSS_HOME/lib
      -------------

      --------------

      2. I have the following war file (name=auth.war) and I deploy it by copying it to $JBOSS_HOME/server/default/deploy directory:
      2.1 Login.html
      --------------
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


      Tryplec


      <h1>Welcome to tryplec ! </h1>


      User Name:


      Password:


      <input type=submit value="Login">




      ---------------

      2.2 failedLogin.html
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


      Tryplec


      <h1>Welcome to tryplec ! </h1>
      FAILED


      User Name:


      Password:


      <input type=submit value="Login">




      --------------
      2.3 foo.html just a test file to test access
      ---------------
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


      YEY!


      <h1>Welcome to tryplec ! </h1>
      GOT IN


      ------------------------

      2.4 WEB-INF/web.xml
      -------------
      ?xml version="1.0" encoding="ISO-8859-1"?>

      <!DOCTYPE web-app
      PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
      "http://java.sun.com/dtd/web-app_2_3.dtd">

      <web-app>
      <!-- Default login configuration uses form-based authentication -->
      <!--
      <session-config>
      <session-timeout>720</session-timeout>
      </session-config>
      -->

      <security-constraint>
      <display-name>Secured Tryplec</display-name>
      <web-resource-collection>
      <web-resource-name>TryplecResource</web-resource-name>
      Accessible by authorized users
      <url-pattern>/*</url-pattern>
      <url-pattern>/auth/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
      These are the roles who have access
      <role-name>MA</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Authorized Tryplec</realm-name>
      <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/failedLogin.html</form-error-page>
      </form-login-config>
      </login-config>
      </web-app>
      ----------------------------



      1. I am missing any other config files?
      2. Why does it allowed me to access any secured files without validating?
      3. I don't seem to find any logs to figure out when it even tries to access database


      Any help will be much appreciated

      Thanks

      Efrain
      Just a noob developer


        • 1. Re: Jboss-Tomcat Form Based Authentication
          Juha Lindfors Master

          See jboss-web.xml, there you can set up the security domain that is used by the JBoss JAAS security manager. So for instance set up:

          <security-domain>java:/jaas/mywebsec</security-domain>

          Then you need to config the domain you define in jboss-web.xml to use DatabaseLoginModule (JAAS login module that comes with JBoss) in login-config.xml in the servers conf/ directory:

          <application-policy name="mywebsec">

          <login-module code="org.jboss.security.auth.spi.DatabaseLoginModule" flag =" required" />
          <module-option name="dsJndiName">java:/MyDatabaseDS</module-option>
          <module-option name="principalsQuery">select passwd from Users username where username=?</module-option>
          <module-option name="rolesQuery">select userRoles, 'Roles' from UserRoles where username=?</module-option>
          </login-module>

          </application-policy>

          And config that to use your database to do the authentication. DB login module assumes a certain table structure by default, you can set your own queries by setting properties for the login module.

          See the 'Getting Started' guide for more details.

          • 2. Re: Jboss-Tomcat Form Based Authentication
            Efrain Rocha Newbie

            Juha,

            Thank you for your response. This helped a lot. I have more stupid questions if you don't mind. I wanted tomcat to do authentication on the jsp's and html (front end) only. I believe the back end is somewhat secured right now and I wanted to concentrate on building a prototype without having to get into JAAS. I setup up a Realm for tomcat but I have no clue how to specify in the security-domain clause. If I leave it empty it somewhat works. Do I really need to go and look into the JAAS configuration or can I just specify somehow the Tomcat Realm into the security-domain clause?

            Thanks

            Efrain

            • 3. Re: Jboss-Tomcat Form Based Authentication
              Juha Lindfors Master

              I only know how to secure web tier using the JBoss security manager (which is JAAS based) as explained in the 'Getting Started' guide and on all of JBoss documentation. I have no idea how Tomcat or its security works, or even if our web integration supports Tomcat's own security setup. You'll have to ask on the security forums to find out.

              -- Juha