AFAIK the role name and the group name have to be the same. You use r_users
and g_users. This could be the problem. ATM app uses role=users and
group=users.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Humphrey Sheil
Sent: Monday, May 14, 2001 10:20 AM
To: Orion-Interest
Subject: unable to configure form-based authentication correctly


Hi

I am unable to achieve a basic goal with orion:  to force form-based
authentication using the simplest form of authentication (userids and
passwords stored in principals.xml).

I have read all the posts on this subject on the mailing list, but to no
avail.  I also tried the security primer on jollem.com, but the author of
this primer told me that this tutorial is not yet working.  I also saw the
posts by Bill Winspure on Fri, 11 May 2001, but the mail archive hasn't got
the zip file attached to the mail.

My application works fine without authentication, so there are no other
non-security related things affecting this.

My procedure to add form-based auth.
====================================

1.  I add three new attributes to my web.xml:

<!--  attribute 1.  declare the role I want to access my pages -->

<security-role>
   <role-name>r_user</role-name>
</security-role>


<!-- attribute 2.  now tell the container what and how I want protected -->
<!-- note that the role-name attribute matches my security-role attribute above -->

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/*</url-pattern>
         <!-- If you list http methods, only those methods are protected -->
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>r_user</role-name>
      </auth-constraint>
    </security-constraint>



    <!-- attribute 3.  let the container know that I want to use form-based auth., and redirect to login.jsp -->
    <!-- the form in login.jsp conforms to the servlet 2.2 spec. naming conventions -->
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>login.jsp</form-login-page>
        <form-error-page>error.jsp</form-error-page>
      </form-login-config>
    </login-config>


2.  I edited the principals.xml contained in $ORION_HOME/config to contain
my user and group:


<group name="g_user"/>


<user username="testuser" password="xxx">
    <group-membership group="g_user" />
</user>


3.  I built and deployed the application at this point, and started orion
server (with a fresh application-deployment directory).


Next, I went to my application sub-directory under
$ORION_HOME/application-deployments.

Here I edited orion-application.xml and added two security-role-mapping
attributes, one each in the read-access and write-access sections as
follows:


      <namespace-access>
        <read-access>
          <namespace-resource root="">
            <security-role-mapping name="&lt;jndi-user-role&gt;">
              <group name="administrators" />
            </security-role-mapping>
            <security-role-mapping name="&lt;r_user&gt;">
              <group name="g_user" />
            </security-role-mapping>
          </namespace-resource>
        </read-access>
        <write-access>
          <namespace-resource root="">
            <security-role-mapping name="&lt;jndi-user-role&gt;">
              <group name="administrators" />
            </security-role-mapping>
            <security-role-mapping name="&lt;r_user&gt;">
              <group name="g_user" />
            </security-role-mapping>
          </namespace-resource>
        </write-access>
      </namespace-access>


(notes:  I tried this with and without the &lt; &gt;.  I also tried adding
just one security-role-mapping).



The form-based auth. still does not work.  I am presented with the login
form correctly when I try to access a protected resource, but my username
and password are always rejected.

Is this functionality working in orion server 1.4.5?

What have I missed in my steps above?

Has anybody gotten this to work?


Thanks in advance

Humphrey
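
An added example, not part of the original thread or of Orion: a small Python check that the role named in web.xml resolves through a security-role-mapping to a group and a user in principals.xml. It assumes the mapping's name attribute is compared to role-name as an exact string; the function name, the <principals> wrapper element and the reduced fragments are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed fragments, reduced from the configuration quoted in the message.
WEB_XML = """<web-app>
  <security-role><role-name>r_user</role-name></security-role>
  <security-constraint>
    <auth-constraint><role-name>r_user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
# The <principals> wrapper is an assumption; the message shows only its children.
PRINCIPALS_XML = """<principals>
  <group name="g_user"/>
  <user username="testuser" password="xxx"><group-membership group="g_user"/></user>
</principals>"""
MAPPING_XML = """<namespace-access><read-access><namespace-resource root="">
  <security-role-mapping name="&lt;r_user&gt;"><group name="g_user"/></security-role-mapping>
</namespace-resource></read-access></namespace-access>"""


def check_role_chain(web_xml, mapping_xml, principals_xml):
    """Hypothetical helper: list each break in role -> mapping -> group -> user."""
    web = ET.fromstring(web_xml)
    declared = {e.text.strip() for e in web.findall("security-role/role-name")}
    required = {e.text.strip() for e in web.findall("security-constraint/auth-constraint/role-name")}
    # ElementTree unescapes entities, so name="&lt;r_user&gt;" is read as "<r_user>".
    mapping = {m.get("name"): {g.get("name") for g in m.findall("group")}
               for m in ET.fromstring(mapping_xml).iter("security-role-mapping")}
    principals = ET.fromstring(principals_xml)
    groups = {g.get("name") for g in principals.iter("group")}
    populated = {gm.get("group") for gm in principals.iter("group-membership")}
    findings = []
    for role in sorted(required):
        if role not in declared:
            findings.append(f"{role}: in auth-constraint but not declared as a security-role")
        if role not in mapping:
            near = [n for n in mapping if (n or "").strip("<> ") == role]
            hint = f" (found {near[0]!r}, whose angle brackets are part of the name)" if near else ""
            findings.append(f"{role}: no security-role-mapping with this exact name{hint}")
            continue
        for group in sorted(mapping[role]):
            if group not in groups:
                findings.append(f"{role}: mapped group {group!r} is not defined in principals.xml")
            elif group not in populated:
                findings.append(f"{role}: mapped group {group!r} has no users")
    return findings


if __name__ == "__main__":
    for finding in check_role_chain(WEB_XML, MAPPING_XML, PRINCIPALS_XML):
        print(finding)
```

The check covers name consistency across the three files only; it does not model where in orion-application.xml the container expects the mapping to appear.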