Any ideas?  I've looked at other posts regarding this same issue and have not been 
able to solve the problem that the subject and principals are not retained between 
HTTP requests.  In JSPs (or other code - Struts application), a call to 
request.getUserPrincipal() returns null after a successful login and subsequent 
requests using the DatabaseServerLoginModule configuration.  The login.jsp page is 
always presented if a restricted page is accessed - even after authentication is 
passed.  If I change web.xml to use BASIC instead of FORM-based authentication, 
the problem goes away - principals are retained between requests and the login.jsp 
page is only presented once.  In trying to narrow down the problem, it seems that when 
using DatabaseServerLoginModule for authentication, the credentials are not 
automatically propagated.  I have set up my JBoss 3.2.6 environment like the post:
http://www.javaworld.com/javaforums/showflat.php?Cat=2&Board=JavaSecurity&Number=2500&page=0&view=collapsed&sb=5&o=&fpart=1
 
The environment consists of WinXP and MySQL:

login-config.xml:
...
    <application-policy name="mcApp">
        <authentication>
            <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="dsJndiName">java:/MySqlDS</module-option>
                <module-option name="principalsQuery">select password from n_user where user_id=?</module-option>
                <module-option name="rolesQuery">select role 'Roles', RoleGroup 'RoleGroup' from user_roles where user_id=?</module-option>
            </login-module>
        </authentication>
    </application-policy>
...

jboss-web.xml:
<jboss-web>
    <security-domain>java:/jaas/mcApp</security-domain>
</jboss-web>

web.xml:
...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>admin</web-resource-name>
            <description>Administration Profile</description>
            <url-pattern>/restricted/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Administration</description>
            <role-name>AdminRole</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>mcApp</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/badlogin.jsp</form-error-page>
        </form-login-config>
    </login-config>
<!--
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>mcApp</realm-name>
    </login-config>
-->
    <security-role>
        <description>Administration</description>
        <role-name>AdminRole</role-name>
    </security-role>
...

LoginAction.java:
...
    try {
        SecurityAssociationHandler handler = new SecurityAssociationHandler();
        SimplePrincipal user = new SimplePrincipal(j_username);
        handler.setSecurityInfo(user, new String(j_password));
        LoginContext loginContext = new LoginContext("mcApp", (CallbackHandler)handler);
        loginContext.login();
        Subject subject = loginContext.getSubject();
        Set principals = subject.getPrincipals();
        System.out.println("-> LoginAction: Principals:" + principals.toString());
    }
    catch(LoginException e) {
        e.printStackTrace();
        errors.add(ActionErrors.GLOBAL_ERROR, new ActionError("Wrong Username or Password"));
        saveErrors(request, errors);
        return (mapping.getInputForward());
    }
...

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3853402#3853402
