6 Replies Latest reply on Feb 13, 2004 1:04 PM by Luke Taylor

    Security information - totally confusing

    neptune5 Newbie

      Hi

Tried to do some of the security to tighten up my app. Tried the login-config.xml file from the examples in the book - totally confused. There is no explanation as to the link between this file and the security stuff needed in the ejb-jar files and the web.xml files. Are there any worked-through examples around?

      Adrian

        • 1. Re: Security information - totally confusing
          Jeff Furgal Newbie

          This is probably not exceptionally helpful, but I skipped the additions to the login-config.xml file (as they were listed as optional), and just made the suggested changes to the various ejb-jboss.xml files. This did tighten up the app so that it no longer threw an exception when you tried to login with an unknown ID.

          The login-config.xml is better explained in following sections of the guide.

          • 2. Re: Security information - totally confusing
            Luke Taylor Novice


            "neptune5" wrote:
            Hi

            Tried to do some of the security to tighten up my app. Tried the login-config.xml file from the examples in the book - totally confused. There is no explanation as to the link between this file and the security stuff needed in the ejb-jar files and the web.xml files. Are there any worked-through examples around?

            Adrian


            I guess that's because there isn't really a direct connection between them, other than that the login configuration defines how a user is authenticated and which roles they are assigned by the server. The web.xml and ejb-jar.xml files are standard J2EE configuration files so we're not aiming to describe in detail how they are used.

            As it says in the guide:

            "You should keep in mind that the authentication logic which decides whether a login succeeds or fails is outside the scope of the spec. The actual authentication mechanism is contained in the login modules that a security domain uses. So by adding the security-domain tag to your application, and thus linking it to an entry in login-config.xml, you are effectively specifying what authentication logic will be used, be it a database, LDAP or whatever."

            As lokki says, adding an entry to login-config.xml is optional in the example as the configuration named "other" will be used by default.

            Luke.
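            A worked example of how the pieces described above hang together, added here as an illustration; it is not taken from the book, from this thread or from the JBoss distribution. The security-domain name bank-example, the property file names, the /bank/* URL pattern, the login page names and the ejb-name Bank are assumptions chosen for the example; BankCustomer is the role name used elsewhere in this thread. The fragments belong in separate files, as the comments indicate.

```xml
<!-- WEB-INF/jboss-web.xml: binds the web app to a JBoss security domain.
     The name after java:/jaas/ must match an application-policy name in
     conf/login-config.xml. If it matches nothing, JBoss falls back to
     the policy named "other". (bank-example is an assumed name.) -->
<jboss-web>
  <security-domain>java:/jaas/bank-example</security-domain>
</jboss-web>

<!-- META-INF/jboss.xml: the same binding for the EJB jar, so that the
     roles assigned at web login are the ones the EJB tier checks. -->
<jboss>
  <security-domain>java:/jaas/bank-example</security-domain>
</jboss>

<!-- conf/login-config.xml (fragment): the authentication logic itself.
     UsersRolesLoginModule reads two properties files from the
     deployment classpath: user=password and user=role1,role2.
     The option names below are the module's real ones; the file names
     are assumed for this example (the defaults are users.properties
     and roles.properties). -->
<policy>
  <application-policy name="bank-example">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <module-option name="usersProperties">bank-users.properties</module-option>
        <module-option name="rolesProperties">bank-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>

<!-- WEB-INF/web.xml (fragment): standard J2EE declarations. These say
     WHAT is protected and WHICH role it needs; they say nothing about
     HOW a user is authenticated, which is why there is no reference to
     login-config.xml here. The role name must match the one the login
     module assigns, character for character. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Bank pages</web-resource-name>
    <url-pattern>/bank/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>BankCustomer</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>BankCustomer</role-name>
</security-role>

<!-- META-INF/ejb-jar.xml (fragment): the same idea for the EJB tier.
     The ejb-name Bank is assumed for this example. -->
<assembly-descriptor>
  <security-role>
    <role-name>BankCustomer</role-name>
  </security-role>
  <method-permission>
    <role-name>BankCustomer</role-name>
    <method>
      <ejb-name>Bank</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
```

            With this in place, a line such as adam=secret in bank-users.properties and adam=BankCustomer in bank-roles.properties lets adam through the /bank/* constraint and through the Bank EJB's method permissions. Two checks worth making when it "does nothing": that the string after java:/jaas/ really matches an application-policy name (a typo silently drops you into "other"), and that the role name in roles.properties is spelled exactly as in the auth-constraint and method-permission. Plain-text property files are fine for the tutorial but are not something to ship; the security-domain indirection is precisely what lets you swap in a database or LDAP login module later without touching web.xml or ejb-jar.xml.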

            • 3. Re: Security information - totally confusing
              neptune5 Newbie

              hi Thanks for the replies

              I tried to follow the examples of doing it in the login.config file but then nothing worked at all! So obviously I'm doing something wrong. I think what would be helpful is some worked-through examples. Somebody somewhere must understand this stuff!

              • 4. Re: Security information - totally confusing
                ahardy66 Novice

                Hi all, just working my way thro' the getting started, and I'm trying to configure the Bank app to take my user name and password. I added them as a key=value pair into users.properties and adam=BankCustomer into roles.properties, but it's not playing along.

                JBoss recognises 200=j2ee, and I get through to the Bank menu page. But with my own user/pw, I get an NPE on the browser page and what looks like a JSP taglib exception stack trace in the console.

                Although it seems my username & password were accepted, and the app also rejects unknown users back to the login page, something causes problems. Any help please!!

                • 5. Re: Security information - totally confusing
                  ahardy66 Novice

                  Shame I can't edit the message - what I also meant to ask is whether this security domain config in JBoss sets or overrides the container-managed security in Tomcat.

                  • 6. Re: Security information - totally confusing
                    Luke Taylor Novice

                    On the NPE bit:

                    I'd imagine the application will expect all valid users to also have an account, so it's unlikely to work unless you also set up the appropriate data. Check the stack trace and look at the tutorial code.

                    On the Tomcat/JBoss security:

                    All security handling is controlled by JBoss in the integrated container, so the login, roles etc. will be determined by the security domain information.

                    Luke.