I am trying to restrict web access on certain web pages.  I checked the FAQ, 
but I couldn't find any clue. I am hoping you can point me in the right 
direction.

I am having difficulty configuring secured web pages which require users to 
log in before they can view the content.

I am using the jbossweb-tomcat55.sar/ROOT.war of version JBoss-4.0.3SP1 to host 
a forum and some static web pages. Without the requirement of secured access, the 
website runs fine. I was then asked to add a login prompt the first time 
any user wants to access anything on the application. The login prompt should 
include user name and password. 

I thought that requirement was a piece of cake. So I performed the following 
steps:

A.  I created a security domain, transportation-security, in login-config.xml as 
follows:

    <application-policy name = "transportation-security">

          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
             <module-option name="usersProperties">props/transportation-security-users.properties</module-option>
             <module-option name="rolesProperties">props/transportation-security-roles.properties</module-option>
          </login-module>

    </application-policy>


B.  I then created a testing file, transportation-security-users.properties, in 
conf/props as follows:

joe1=pass1

and a testing file transportation-security-roles.properties in the conf/props 
as follows:
joe1=administrator

C. For the web.xml in ROOT.war/WEB-INF, I added the following security-related 
page to web.xml:

  <security-role>
    <role-name>administrator</role-name>
  </security-role>
  <security-role>
    <role-name>moderator</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted Area</web-resource-name>
      <url-pattern>/About_us/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
      <role-name>administrator</role-name>
      <role-name>moderator</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>transportation-security</realm-name>
  </login-config>


D. I also created jboss-web.xml in the jbossweb-tomcat55.sar/ROOT.war/WEB-INF 
as follows:

<jboss-web>
   <security-domain>java:/jaas/transportation-security</security-domain>
</jboss-web>

I then restarted JBoss and used a web browser to test the URL /ABout_us. 
A pop-up window appeared with the title "transportation-security" and two entry 
fields: user name and password.  I entered joe1 and pass1 respectively.  But the 
same window was re-displayed with empty entry fields.

I shut down the JBoss, set the log4j to DEBUG level and re-tested. I noticed 
that the error message in the log indicated that the authenticate() failed.

Does anyone know what went wrong? Why weren't the files in props used?

By the way, do you know how to customize the login prompt and error page if 
login fails?

Thanks,

Bensen





View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3983065#3983065
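
An added example, not part of the original post: a small Python audit of the web.xml security elements and roles file quoted above, reporting which HTTP methods the constraint covers, whether BASIC is paired with a CONFIDENTIAL transport guarantee, and whether the roles line up. The names `audit` and `parse_props` are hypothetical, and the embedded XML is the post's fragment wrapped in a `<web-app>` root so that it parses.

```python
import xml.etree.ElementTree as ET
# Security elements from the post, wrapped in a root element (constructed wrapper).
WEB_XML = """<web-app>
  <security-role><role-name>administrator</role-name></security-role>
  <security-role><role-name>moderator</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted Area</web-resource-name>
      <url-pattern>/About_us/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
      <role-name>moderator</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
ROLES_PROPS = "joe1=administrator\n"  # roles file content from the post

def parse_props(text):
    """Parse user=role1,role2 lines into {user: {roles}}."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {u.strip(): {r.strip() for r in v.split(",")} for u, v in pairs}

def audit(web_xml, roles_props):
    root = ET.fromstring(web_xml)
    declared = {e.text.strip() for e in root.findall("security-role/role-name")}
    auth = root.findtext("login-config/auth-method", "").strip()
    granted = parse_props(roles_props)
    findings = []
    for sc in root.findall("security-constraint"):
        pattern = sc.findtext("web-resource-collection/url-pattern")
        methods = [m.text.strip() for m in sc.iter("http-method")]
        allowed = {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
        if methods:  # a constraint that lists methods applies only to those methods
            findings.append(f"{pattern}: only {','.join(methods)} constrained")
        if auth == "BASIC" and sc.findtext("user-data-constraint/transport-guarantee") != "CONFIDENTIAL":
            findings.append(f"{pattern}: BASIC credentials not forced over TLS")
        for role in sorted(allowed - declared):  # role used but never declared
            findings.append(f"{pattern}: role {role} lacks a <security-role>")
        if not any(roles & allowed for roles in granted.values()):
            findings.append(f"{pattern}: no user in the roles file can pass")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEB_XML, ROLES_PROPS)))
```

Omitting the `<http-method>` elements makes a constraint apply to every method, and a `<user-data-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` makes the container require a secure connection for the protected URLs.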
