Hi,

I'm developing an application with the following requirement:

All users have database accounts, and the application-level authorization 
should also be used with the database. So I need to pass the current 
user identity through to the back-end database. 

I'm using JBoss AS 4.0.5 and JBoss Seam 1.2.1. The project I started with was 
generated with the seam-gen utility. I got some directions on the Seam forum that 
this should be possible with proper configuration of the JCA datasource.

According to the information I found on the wiki and in the docs, I am trying to use 
CallerIdentityLoginModule in the following way:

I added a policy to the login-config.xml file:

  | <application-policy name = "testdbRealm">
  |     <authentication>
  |       <login-module code = "org.jboss.resource.security.CallerIdentityLoginModule" flag = "required">
  |           <module-option name = "userName">dumy</module-option>
  |           <module-option name = "password">dumy_pwd</module-option>
  |           <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=dbtestDatasource</module-option>
  |       </login-module>
  |    </authentication>
  | </application-policy>
  | 

datasource config file dbtest-ds.xml:

  | <datasources>
  |    <local-tx-datasource>
  |       <jndi-name>dbtestDatasource</jndi-name>
  |       <connection-url>jdbc:postgresql:dbtest</connection-url>
  |       <driver-class>org.postgresql.Driver</driver-class>
  |       <security-domain>testdbRealm</security-domain>
  |    </local-tx-datasource>
  | </datasources>
  | 

web.xml file:

  | <security-constraint>
  |   <display-name>Restrict raw XHTML Documents</display-name>
  |   <web-resource-collection>
  |    <web-resource-name>XHTML</web-resource-name>
  |    <url-pattern>*.xhtml</url-pattern>
  |    <http-method>GET</http-method>
  |    <http-method>POST</http-method>
  |   </web-resource-collection>
  |   <auth-constraint>
  |    <role-name>admin</role-name>
  |   </auth-constraint>
  |  </security-constraint>
  |  <login-config>
  |   <auth-method>BASIC</auth-method>
  |   <realm-name>testdbRealm</realm-name>
  |  </login-config>
  |  <security-role>
  |   <role-name>admin</role-name>
  |  </security-role>
  | 

And according to the Seam docs, I set the jaas-config-name property in the 
components.xml file:

  | <security:identity authenticate-method="#{authenticator.authenticate}"
  |                                       jaas-config-name="testdbRealm"/>
  | 


Now I have the following behavior:
The application deploys and works, and the *.xhtml pages are displayed, but the 
application is not asking for authorization. The database connection is set 
with the default user and pwd provided in the login-config.xml file (dumy, 
dumy_pwd). 

When I try to remove the default user and pwd from the login-config.xml file:

  | <application-policy name = "testdbRealm">
  |     <authentication>
  |       <login-module code = "org.jboss.resource.security.CallerIdentityLoginModule" flag = "required">
  |          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=dbtestDatasource</module-option>
  |       </login-module>
  |    </authentication>
  | </application-policy>
  | 

then I have errors during deployment because the database connection can't be 
created (I'm not sure why; I think that Hibernate tries to open the database 
during deployment to do its mapping job). I see in the server logs that 
CallerIdentityLoginModule is used. 

I am stuck on this problem and don't know how to finish setting things up to enforce 
the behavior I wrote about at the beginning. Do I have to call 
CallerIdentityLoginModule directly from my application? 

I've been trying to resolve this issue for quite a long time. I'm not a JBoss and 
J2EE specialist (yet) (I'm the one who believed that building applications 
with the JBoss + Seam combo is simple and am trying to follow), so I would appreciate 
any help and explanations of how this mechanism works very much.

Best Regards


View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4063654#4063654
