I am trying to set up authentication using a database. Here is what I have done so far:
1) I have two tables in my database, one for the user_name and password, and another for roles. The database tables look like this:
table name: principals
column: principal_id VARCHAR(64) primary key
column: password VARCHAR(64)
table name: roles
column: principal_id VARCHAR(64)
column: user_role VARCHAR(64)
column: role_group VARCHAR(64)
2) I have added an entry in $JBOSS/server/default/conf/login-config.xml to declare an application policy which uses a DatabaseServerLoginModule. In this entry I have specified the SQl to be used by the module for selecting the password and role, following the example in the JBoss Getting Started Guide (p. 57):
<!-- added for HIM Server security --> <application-policy name="HIM-client-login"> <authentication> <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required"> <module-option name="dsJndiName">java:/OracleDS</module-option> <module-option name="principalsQuery">select password from principals where principal_id=?</module-option> <module-option name="principalsQuery">select user_role,'Roles' from roles where principal_id=?</module-option> </login-module> </authentication> </application-policy>
3) I have added a security domain entry in the jboss-web.xml file:
<!-- All secure web resources will use this security domain --> <security-domain>java:/jaas/HIM-client-login</security-domain>
4) I have declared a security constraint in the web.xml file:
<!-- security configuration --> <security-constraint> <display-name>Server Configuration Security Constraint</display-name> <!-- the collection of resources to which the sucurity constraint applies --> <web-resource-collection> <web-resource-name>Secure Resources</web-resource-name> <description>Security constraint for all resources</description> <!-- the pattern that this constraint applies to --> <url-pattern>/*</url-pattern> <!-- the HTTP methods that this constraint applies to --> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> <!-- the user roles that should be permitted access to this resource collection --> <auth-constraint> <description>Only allow those users that are in the following role</description> <role-name>user</role-name> </auth-constraint> <!-- declare a transport guarantee, if any --> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint>
5) I have a simple login form (LoginForm.jsp) which encodes j_security_check:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>HIM Client Login</title> </head> <body> <form method="POST" action='<%= response.encodeURL( "j_security_check" ) %>'> Username: <input type="text" name="j_username"><br/> Password: <input type="password" name="j_password"><br/> <br/> <input type="submit" value="Login"> <input type="reset" value="Reset"> </form> </body> </html>
The trouble is when I enter a valid username and password in the login form I get redirected to the error page with no indication on the JBoss console as to what the problem is (such as SQLExceptions indicating a database problem such as failure connecting or invalid table name).
Can anyone see from the above that I have missed something, or that I have done something wrong ?
Can anyone recommend a way to get more information ? All I see in the log file are logs of the requests for the servlet, j_security_check, and the login and error pages, and it might be helpful to have a little more information as to what is going on.
Thanks in advance for any insight.