Single Sign-on across web-apps

Hello everyone,

I am using JBoss 4.0.2 w/Tomcat 5.5.9 (integrated) along with jTDS and SQLServer for a project.

I would like to use DatabaseServerLoginModule and single sign-on. I've created the approprite tables in my database for users and roles. I've created simple jsp pages for login and login error. I've also modified my login-config.xml, jboss-web.xml and web.xml to handle the security. I am using the Tomcat valve for singlesignon.

However, when I test the protected resource with a valid userid and password, I get a 403 error message. If I try to login with an invalid userid and password, I get the error jsp that I created.

This tells me that I am authenticating the user, but I am probably screwing something up with the roles as I cannot get access to the restricted resource even with the correct userid and password.

What I am trying to accomplish is

1. Authenticate a user against the database tables for userid and appropriate roles.

2. Use a custom error page when the user does not have access to the resource. Uid/pw combo AND role

3. Use SSO across the various web-apps that will comprise this project. Is it possible or correct for one web-app to handle all of the login/logout processing? If a user tries to access a web-app can that web-app redirect the user to a login page in another web-app? All of these web-apps will be in the same container.

Any help that could be provided, would be most appreciated.

Thanks,
Howler

Here is my stuff

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" 
xmlns="http://java.sun.com/xml/ns/j2ee" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
<a href="http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">" target="_blank" rel="nofollow">http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"></a>

<resource-ref>
<res-ref-name>jdbc/DefaultDS</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
 </resource-ref>  
 
<security-constraint>
<web-resource-collection>
<web-resource-name>A Protected Page</web-resource-name>
<url-pattern>/greeting.jsp</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>    
</web-resource-collection>
 
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>

</security-constraint>
 
<security-role>
<role-name>admin</role-name>
</security-role> 
 
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>

login-config.xml

<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">
 

 
<policy>
    
    <application-policy name = "client-login">
       <authentication>
          <login-module code = "org.jboss.security.ClientLoginModule"
             flag = "required">
          </login-module>
       </authentication>
    </application-policy>
 
    
    <application-policy name = "jbossmq">
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
             <module-option name = "unauthenticatedIdentity">guest</module-option>
             <module-option name = "dsJndiName">java:/DefaultDS</module-option>
             <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
             <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
          </login-module>
       </authentication>
    </application-policy>
 
    
 
    
    <application-policy name = "HsqlDbRealm">
       <authentication>
          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">sa</module-option>
             <module-option name = "userName">sa</module-option>
             <module-option name = "password"></module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
          </login-module>
       </authentication>
    </application-policy>
 
    <application-policy name = "JmsXARealm">
       <authentication>
          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">guest</module-option>
             <module-option name = "userName">guest</module-option>
             <module-option name = "password">guest</module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
          </login-module>
       </authentication>
    </application-policy>
 
    
    <application-policy name = "jmx-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
           <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
           <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>
 
    
    <application-policy name = "web-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
             <module-option name="usersProperties">web-console-users.properties</module-option>
             <module-option name="rolesProperties">web-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>
 
    
    <application-policy name="JBossWS">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag="required">
          <module-option name="unauthenticatedIdentity">anonymous</module-option>
        </login-module>
      </authentication>
    </application-policy>
 
    
    <application-policy name = "other">
       
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
       </authentication>
    </application-policy>
    
<application-policy name = "mysecurity">
  <authentication>
    <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       <module-option name = "dsJndiName">java:/DefaultDS</module-option>
       <module-option name = "principalsQuery">SELECT sec_user_password FROM SEC_USERS WHERE sec_user_id=?</module-option>
       <module-option name = "rolesQuery">SELECT Role 'Roles', RoleGroup 'RoleGroups' FROM SEC_USER_ROLES WHERE sec_user_id=?</module-option>
    </login-module>
  </authentication>
</application-policy>    
 
</policy>

jboss-web.xml

[ July 07, 2005: Message edited by: Howler ]

"Howler"-
Welcome to the JavaRanch! Please adjust your displayed name to meet the

JavaRanch Naming Policy.

You can change it

here.

Thanks! and welcome to the JavaRanch!

Mark

Sorry about that Mark.

All set now. :-)

Well,

I added the following to my log4j.xml file to get logging information.

After checking server.log I see that it looks like I'm getting authenticated and the correct role is being picked up. I'm still not sure why I am getting 403'd on my resource if I've got all of the information and assigned the correct role to the resource.

...
 
2005-07-07 12:59:10,421 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'jbrosan' authenticated, loginOk=true
2005-07-07 12:59:10,421 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
2005-07-07 12:59:10,499 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role admin
2005-07-07 12:59:10,499 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] updateCache, subject=Subject:
Principal: jbrosan
Principal: admin(members:admin)
 
2005-07-07 12:59:10,499 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@1f23ca4[Subject(7037214).principals=[jbrosan, admin(members:admin)],credential.class=java.lang.String@18019860,expirationTime=1120760944684]
2005-07-07 12:59:10,499 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] End isValid, true
2005-07-07 12:59:10,514 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: jbrosan
Principal: admin(members:admin)
, principal=jbrosan
2005-07-07 12:59:10,514 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@1f23ca4[Subject(7037214).principals=[jbrosan, admin(members:admin)],credential.class=java.lang.String@18019860,expirationTime=1120760944684]
2005-07-07 12:59:10,514 TRACE [org.jboss.security.plugins.JaasSecurityManager.myportal] getUserRoles, subject: Subject:
Principal: jbrosan
Principal: admin(members:admin)
 
2005-07-07 12:59:10,624 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2005-07-07 12:59:10,624 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: jbrosan
Principal: admin(members:admin)
, principal=jbrosan
2005-07-07 12:59:10,639 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2005-07-07 12:59:10,639 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2005-07-07 12:59:10,655 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2005-07-07 12:59:10,655 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: jbrosan
Principal: admin(members:admin)
, principal=jbrosan
2005-07-07 12:59:10,655 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2005-07-07 12:59:10,655 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
...

[ July 07, 2005: Message edited by: John Brosan ]

[ July 07, 2005: Message edited by: John Brosan ]

[ July 07, 2005: Message edited by: John Brosan ]
[ July 07, 2005: Message edited by: John Brosan ]

Well, after much pounding of my head during the last few days, I actually found a solution.

As it turns out, I needed to remove the security role tag from the web.xml file and place an '*' into the role-name tag.

It's currently my assumption, that once the user is authenticated, the code would check the user's roles to make sure they could have access to the application.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" 
xmlns="http://java.sun.com/xml/ns/j2ee" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
<a href="http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">" target="_blank" rel="nofollow">http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"></a>

<resource-ref>
<description>MyApp Datasource</description>
<res-ref-name>jdbc/DefaultDS</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
<res-sharing-scope>Shareable</res-sharing-scope>
 </resource-ref>  
<security-constraint>
<web-resource-collection>
<web-resource-name>MyApplication</web-resource-name>
<url-pattern>/greeting.jsp</url-pattern>
<http-method>HEAD</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
 <auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
 
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyRealm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>