Jaas authorization in JBoss 4.2.3
843811 Jun 22 2009 — edited Jun 25 2009
Hi,
I need to use JAAS for authentication and authorization in JBoss. I've done the following.
conf/login-config.xml ==>
<application-policy name="jaas3">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:jdbc/usm</module-option>
      <module-option name="principalsQuery">SELECT password FROM principals WHERE principalid=?</module-option>
      <module-option name="rolesQuery">SELECT principalid, 'Roles' FROM roles WHERE principalid=?</module-option>
    </login-module>
  </authentication>
</application-policy>
database tables ==>
principals --> principalid, password
roles --> principalid, role, rolegroup
realm in server.xml ==>
<Realm className="org.apache.catalina.realm.JAASRealm" appName="jaas3"
       userClassNames="com.ttt.auth.Jaas3Users" roleClassNames="com.ttt.auth.Jaas3Role"
       useContextClassLoader="true"/>
auth.conf ==>
jaas3 {
  com.ttt.auth.Jaas3LoginModule required;
};
jboss-web.xml ==>
<security-domain flushOnSessionInvalidation="true">java:/jaas/jaas3</security-domain>
web.xml ==>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>jaas3</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failure.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin page</web-resource-name>
    <url-pattern>/admin.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
login.jsp ==>
<form action="j_security_check" method="post">
  <p>Username: <input type="text" name="j_username"/></p>
  <p>Password: <input type="password" name="j_password"/></p>
  <input type="submit" name="btnSubmit" value="LOGIN"/>
</form>
I access admin.jsp, which is protected, and I'm directed to the login page.
The user is successfully authenticated, but authorization always fails. I always get an 'Access denied' page displayed, even for the admin user, who is granted access to the admin page.
There are no logs on the server either.
I've been breaking my head over this issue for a week now. Please help me find what went wrong or what I've missed.
Thanks,
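An added example, not code from the post or from JBoss, that simulates how DatabaseServerLoginModule reads rolesQuery rows (column 1 is the role name, column 2 the role group; its documented default query is "select Role, RoleGroup from Roles where PrincipalID=?") and runs the post's rolesQuery beside a corrected one against constructed sample rows in an in-memory sqlite3 database standing in for the java:jdbc/usm datasource. It shows why the "Roles" group the auth-constraint checks ends up holding the principal id rather than "admin".

```python
import sqlite3

# Constructed sample data mirroring the tables described in the post:
# principals(principalid, password) and roles(principalid, role, rolegroup).
SAMPLE_ROWS = {
    "principals": [("alice", "s3cret"), ("bob", "hunter2")],
    "roles": [("alice", "admin", "Roles"), ("bob", "user", "Roles")],
}

# rolesQuery exactly as posted: column 1 is the principal id, not the role name.
ROLES_QUERY_AS_POSTED = "SELECT principalid, 'Roles' FROM roles WHERE principalid=?"
# Shape DatabaseServerLoginModule expects: role name first, then its group.
ROLES_QUERY_FIXED = "SELECT role, rolegroup FROM roles WHERE principalid=?"


def build_db():
    """Create the two tables from the post and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE principals (principalid TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE roles (principalid TEXT, role TEXT, rolegroup TEXT)")
    conn.executemany("INSERT INTO principals VALUES (?, ?)", SAMPLE_ROWS["principals"])
    conn.executemany("INSERT INTO roles VALUES (?, ?, ?)", SAMPLE_ROWS["roles"])
    return conn


def role_groups(conn, roles_query, principal):
    """Mimic the login module's handling of rolesQuery rows: each row's first
    column becomes a role inside the group named by its second column.
    Returns {group_name: set_of_role_names}."""
    groups = {}
    for role, group in conn.execute(roles_query, (principal,)):
        groups.setdefault(group or "Roles", set()).add(role)
    return groups


def is_authorized(conn, roles_query, principal, required_role):
    """The check web.xml's <auth-constraint> performs: the required role must
    be a member of the principal's "Roles" group."""
    return required_role in role_groups(conn, roles_query, principal).get("Roles", set())


if __name__ == "__main__":
    db = build_db()
    for label, query in (("as posted", ROLES_QUERY_AS_POSTED), ("fixed", ROLES_QUERY_FIXED)):
        print(label, role_groups(db, query, "alice"),
              "admin allowed:", is_authorized(db, query, "alice", "admin"))
```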