
Java Security


Jaas authorization in JBoss 4.2.3

843811 Jun 22 2009 — edited Jun 25 2009
Hi,
I need to use JAAS for authentication and authorization in JBoss. I've done the following.

conf/login-config.xml ==>
<application-policy name = "jaas3">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
      <module-option name="dsJndiName">java:jdbc/usm</module-option>
      <module-option name="principalsQuery">SELECT password FROM principals WHERE principalid=?</module-option>
      <module-option name="rolesQuery">SELECT principalid, 'Roles' FROM roles WHERE principalid=?</module-option>
    </login-module>
  </authentication>
</application-policy>

database tables ==>
principals --> principalid, password
roles --> principalid, role, rolegroup


realm in server.xml ==>
<Realm className="org.apache.catalina.realm.JAASRealm" appName="jaas3"
       userClassNames="com.ttt.auth.Jaas3Users" roleClassNames="com.ttt.auth.Jaas3Role" useContextClassLoader="true"/>


auth.conf ==>
jaas3 {
    com.ttt.auth.Jaas3LoginModule required;
};

jboss-web.xml ==>
<security-domain flushOnSessionInvalidation="true">java:/jaas/jaas3</security-domain>

web.xml ==>
<login-config>
  <auth-method>FORM</auth-method>
  <realm>jaas3</realm>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failure.jsp</form-error-page>
  </form-login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin page</web-resource-name>
      <url-pattern>/admin.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</login-config>



login.jsp ==>
<form action="j_security_check" method="post">
  <p>Username:<input type="text" name="j_username"/></p>
  <p>password:<input type="text" name="j_password"/></p>
  <input type="submit" name="btnSubmit" value="LOGIN"/>
</form>

I access the admin.jsp which is protected. I'm directed to the login page.
The user is successfully authenticated, but authorization always fails. I always get an 'Access denied' page displayed, even for the admin user, who is granted access to the admin page.
There are no logs on the server either.

It's been a week that I've been breaking my head over this issue. Please help me find what went wrong or what I've missed.

Thanks,
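
An added example, not part of the original post: a small Python lint that checks the posted web.xml fragment and rolesQuery for two things role-based authorization depends on. It relies on the servlet deployment descriptor placing `<security-constraint>` and `<security-role>` directly under `<web-app>` (with `<realm-name>` inside `<login-config>`), and on `DatabaseServerLoginModule` reading the role name from the first `rolesQuery` column and the role group from the second. Assumptions: the function names are hypothetical, the descriptor has no XML namespace, and the sample is a constructed, abridged copy of the post's fragment.

```python
import re
import xml.etree.ElementTree as ET

# Elements the servlet deployment descriptor allows inside <login-config>.
LOGIN_CONFIG_CHILDREN = {"auth-method", "realm-name", "form-login-config"}

# Constructed sample: the web.xml fragment as posted (abridged), wrapped in <web-app>.
POSTED_WEB_XML = """<web-app><login-config>
  <auth-method>FORM</auth-method>
  <realm>jaas3</realm>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failure.jsp</form-error-page>
  </form-login-config>
  <security-role><role-name>admin</role-name></security-role>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</login-config></web-app>"""
POSTED_ROLES_QUERY = "SELECT principalid, 'Roles' FROM roles WHERE principalid=?"

def lint_web_xml(text):
    """Flag security elements that are misplaced and roles that are undeclared."""
    root = ET.fromstring(text)
    findings = [f"<{c.tag}> is not a valid child of <login-config>"
                for lc in root.iter("login-config") for c in lc
                if c.tag not in LOGIN_CONFIG_CHILDREN]
    if not root.findall("security-constraint"):
        findings.append("no <security-constraint> directly under <web-app>")
    # Roles only count as declared when <security-role> is a top-level element.
    declared = {r.findtext("role-name") for r in root.findall("security-role")}
    used = {r.text for ac in root.iter("auth-constraint") for r in ac.findall("role-name")}
    findings += [f"role '{r}' is used but not declared in a top-level <security-role>"
                 for r in sorted(used - declared)]
    return findings

def lint_roles_query(sql):
    """Flag a rolesQuery whose first column is the lookup key instead of the role."""
    m = re.match(r"\s*select\s+(\w+)\s*,.*\swhere\s+(\w+)\s*=\s*\?", sql, re.I | re.S)
    if m and m.group(1).lower() == m.group(2).lower():
        return [f"first column '{m.group(1)}' is the principal id, not a role name"]
    return []

if __name__ == "__main__":
    for finding in lint_web_xml(POSTED_WEB_XML) + lint_roles_query(POSTED_ROLES_QUERY):
        print("FINDING:", finding)
```
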
Post Details
Locked on Jul 23 2009
Added on Jun 22 2009