I had login.html with






and my application deployed.

However, if I try to log in, it shows
http://localhost:8080/projectname/j_security_check in the URL and
doesn't do anything.

What am I missing here?

Also, I thought I configured JAAS using the JBoss documentation, but I'm not sure
if I did it correctly. What do I have to do besides modifying web.xml,
ejb-jar.xml, jboss.xml, jboss-web.xml and login-config.xml?

Another question: does role-name have to be exactly the same as the result from
rolesQuery in login-config.xml?

I really appreciate the help.
Thank you 



My login-config.xml under jboss/server/default/conf looks like the following.

<application-policy name="projectname">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                      flag="required">
            <module-option name="dsJndiName">java:/MySqlDS</module-option>
            <module-option name="principalsQuery">
                select password from employees where username=?
            </module-option>
            <!-- second column of the following query has to be 'Roles' -->
            <module-option name="rolesQuery">
                select management, 'Roles' from employees where username=?
            </module-option>

            <module-option name="hashAlgorithm">MD5</module-option>
            <module-option name="hashEncoding">base64</module-option>
        </login-module>
    </authentication>
</application-policy>

And I have only one line

 <security-domain>java:/jaas/project</security-domain>  

in jboss.xml and jboss-web.xml.

Also, in my web.xml I have the following.

<security-constraint>
        <web-resource-collection>
                <web-resource-name>secure content</web-resource-name>
                <description>Declarative security test</description>
                        <url-pattern>/*</url-pattern> 
                        <http-method>POST</http-method>
        </web-resource-collection>

        <auth-constraint>
                <role-name>supervisor</role-name>
        </auth-constraint>
        
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
</security-constraint>
 
<security-role>
        <description>The role required to access restricted content</description>
        <role-name>supervisor</role-name>
</security-role>
    
        <!-- ... -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>The Restricted Zone</realm-name>
        <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>


Do I have to put <ejb-ref> here ? I didn't think so.

Also in my ejb-jar.xml, I have the following.


<session>
   <ejb-name>Supervisor</ejb-name>
   <local-home>ejb.session.SupervisorLocalHome</local-home>
   <local>ejb.session.SupervisorLocal</local>
   <home>ejb.session.SupervisorRemoteHome</home>
   <remote>ejb.session.SupervisorRemote</remote>
   <ejb-class>ejb.session.Supervisor</ejb-class>
   <session-type>Stateless</session-type>
   <transaction-type>Container</transaction-type>

   <ejb-local-ref>
        <ejb-ref-name>Employees</ejb-ref-name>
        <ejb-ref-type>Entity</ejb-ref-type>
        <local-home>ejb.employee.EmployeeLocalHome</local-home>
        <local>ejb.employee.EmployeeLocal</local>
        <ejb-link>Employees</ejb-link>
   </ejb-local-ref>

   <security-identity>
        <run-as>
           <role-name>supervisor</role-name>
        </run-as>
   </security-identity>

   <security-role-ref>
        <role-name>SupervisorRole</role-name>
        <role-link>supervisor</role-link>
   </security-role-ref>
</session>


<assembly-descriptor>

        <!-- declare logical roles -->
        <security-role>
                <description>
                        This role represents everyone who is allowed access
                        to the Employee EJB.
                </description>
                <role-name>employee</role-name>
        </security-role>

        <security-role>
                <description>
                        This role represents supervisor who is allowed
                        full access to all the EJBs.
                </description>
                <role-name>supervisor</role-name>
        </security-role>

        <method-permission>
                <role-name>supervisor</role-name>
                <method>
                        <ejb-name>Employees</ejb-name>
                        <method-name>*</method-name>
                </method>
        </method-permission>

        <method-permission>
                <role-name>supervisor</role-name>
                <method>
                        <ejb-name>Supervisor</ejb-name>
                        <method-name>*</method-name>
                </method>
        </method-permission>

        <container-transaction>
                <method>
                        <ejb-name>Employees</ejb-name>
                        <method-name>*</method-name>
                </method>
                <trans-attribute>Required</trans-attribute>
        </container-transaction>

</assembly-descriptor>
        

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3868010#3868010
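
Added example (not part of the original post): a small Python check that cross-references the descriptors quoted above and reports when the java:/jaas/<name> security-domain has no application-policy of that name in login-config.xml, when a security-constraint lists http-method elements (so only those methods are constrained), and when an auth-constraint role has no security-role declaration. The inline XML is a constructed, trimmed copy of the post's files without XML namespaces; check_descriptors and the finding codes are names made up for this example.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copies of the descriptors quoted in the post (assumed: no XML namespaces).
LOGIN_CONFIG = """<policy>
  <application-policy name="projectname">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/MySqlDS</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""
JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/project</security-domain></jboss-web>"
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure content</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>supervisor</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>supervisor</role-name></security-role>
</web-app>"""

def check_descriptors(login_config, jboss_web, web_xml):
    """Cross-check the three descriptors; return (code, detail) findings."""
    findings = []
    policies = {p.get("name") for p in ET.fromstring(login_config).iter("application-policy")}
    domain = ET.fromstring(jboss_web).findtext("security-domain", "").strip()
    # JBoss binds security domains under java:/jaas/<application-policy name>
    name = domain[len("java:/jaas/"):] if domain.startswith("java:/jaas/") else domain
    if name not in policies:
        findings.append(("DOMAIN_MISMATCH", f"{domain} vs policies {sorted(policies)}"))
    web = ET.fromstring(web_xml)
    declared = {r.findtext("role-name", "").strip() for r in web.findall("security-role")}
    for sc in web.findall("security-constraint"):
        for coll in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in coll.findall("http-method")]
            if methods:  # listing methods leaves every other method unconstrained
                findings.append(("METHODS_UNCOVERED", f"only {methods} constrained"))
        for role in sc.findall("auth-constraint/role-name"):
            if role.text.strip() not in declared | {"*"}:
                findings.append(("ROLE_UNDECLARED", role.text.strip()))
    return findings

for code, detail in check_descriptors(LOGIN_CONFIG, JBOSS_WEB, WEB_XML):
    print(code, "-", detail)
```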

JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user