3 Replies Latest reply on Feb 13, 2003 1:53 PM by Steve Lewis

    Simple security question

    Steve Lewis Expert

      I have a little web app that tests roles/users logging in. It works on Tomcat4, but when I bring it over to JBoss/Jetty or JBoss/Tomcat, it accepts any user!

      One thing I did change was the URL pattern. It was the standard Tomcat URL pattern, but JBoss wasn't mapping that correctly.

      <url-pattern>/*</url-pattern>

      Is there some trick I don't know about? I have users.properties and roles.properties but it just seems to ignore my security setup.

      Steve

        • 1. Re: Simple security question
          Steve Lewis Expert

          Okay, I've uncommented the security for jmx-console, but j_security_check will accept any user and password and let me right into the jmx-console as well.

          I have users.properties and roles.properties in conf, but it doesn't seem to be picking it up. There's something wrong with my security setup. Below is the XML for the "other" realm.

          <application-policy name = "other">
            <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
              <module-option name="usersProperties">users.properties</module-option>
              <module-option name="rolesProperties">roles.properties</module-option>
            </login-module>
          </application-policy>

          • 2. Re: Simple security question
            Juha Lindfors Master

            Try dropping users.properties & roles.properties into server/deploy/jmx-console.war/WEB-INF/classes and see if that makes a difference.

            • 3. Re: Simple security question
              Steve Lewis Expert

              I figured it out. I didn't have my jboss-web.xml in there. I had the security settings in jmx-console commented out. Once I did that, it worked! I must remember that containers need to know things. They can't just read my mind.

              Steve
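
An added example, not code from any poster in this thread: a small Python check for the condition the thread ends on, a web app that declares security constraints in web.xml but has no active binding in WEB-INF/jboss-web.xml. It assumes the setting in question is the `<security-domain>` element; the sample descriptors, the role name `admin` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample descriptors (role name and layout are illustrative).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
JBOSS_WEB_COMMENTED = """<jboss-web>
  <!-- <security-domain>java:/jaas/other</security-domain> -->
</jboss-web>"""
JBOSS_WEB_BOUND = """<jboss-web>
  <security-domain>java:/jaas/other</security-domain>
</jboss-web>"""


def _elements(xml_text: str, name: str) -> list:
    """Elements with this local name; namespaces ignored, comments never parsed."""
    root = ET.fromstring(xml_text)
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]


def audit_war(web_xml: str, jboss_web_xml: Optional[str]) -> List[str]:
    """Findings for the text of WEB-INF/web.xml and WEB-INF/jboss-web.xml (None if absent)."""
    if not _elements(web_xml, "security-constraint"):
        return ["web.xml declares no <security-constraint>"]
    if jboss_web_xml is None:
        return ["constraints declared but WEB-INF/jboss-web.xml is missing"]
    domains = [(el.text or "").strip() for el in _elements(jboss_web_xml, "security-domain")]
    if not any(domains):
        return ["jboss-web.xml has no active <security-domain> (commented out or empty)"]
    return []


if __name__ == "__main__":
    for label, jw in [("missing", None), ("commented", JBOSS_WEB_COMMENTED), ("bound", JBOSS_WEB_BOUND)]:
        print(label, audit_war(WEB_XML, jw) or "ok")
```

Because the XML parser discards comments, a commented-out `<security-domain>` is reported the same way as an absent one.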