JavaRanch » Java Forums » Products » JBoss/WildFly
JBoss and J2EE Security

Viv Singh
Hi,

I have a web application that runs on JBoss.

I need to implement form-based authentication and furthermore I have users with different roles (which are stored in an Oracle database).

Now, according to the user-role, the user will only be allowed to access certain pages/sites. For example user with role "0" is allowed to access page1.jsp, page2.jsp and page3.jsp whereas the user with role "1" is only allowed to access page1.jsp and page2.jsp and the user with role "2" can only access page3.jsp.

I am not sure how I have to implement that in my deployment descriptor (web.xml).

At the moment I have the following:



Thanks for any help.
Peter Johnson
Before we go any further, I noticed this in the url-pattern: /portal/*

Are you working with JBoss Portal (or some other portal)? I ask because portals have their own security mechanism that are different from simple web app security.


JBoss In Action
Viv Singh
No, I don't use any portal. I just called it like that for my own purpose.
Peter Johnson
Look at http://pdf.moreservlets.com/More-Servlets-and-JSP-Chapter-07.pdf, specifically the section titled "Specifying URLs That Should Be Password Protected" on page 362.

There is also source code for that chapter, see http://pdf.moreservlets.com/
Viv Singh
Thanks for the resources.

Now, I have encountered a bug/problem in my configuration.

I have a table in my Oracle database that contains the username, role and role_group.

In my login-config.xml I have the following:



And I tried to test my web app with the following web.xml configuration:



The table in the db contains an entry with a username who has the role "0" assigned.
However, when I try to login through the form I get the following message:

HTTP Status 403 - Access to the requested resource has been denied

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.


What am I doing wrong here?

Thanks in advance.
Jaikiran Pai
Enable the security package TRACE logging to see what's going on. See Q4 here for enabling TRACE level logging.

[My Blog] [JavaRanch Journal]
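As an added example (not from the thread or the linked FAQ), the log4j categories that give the trace output discussed below. They go into server/<config>/conf/jboss-log4j.xml (log4j.xml on JBoss 4). The second category is assumed to be useful because the "No role found" message in the thread is logged at DEBUG by org.apache.catalina.realm.RealmBase.

```xml
<!-- Added example: security-layer trace logging for JBoss 4/5.
     Place inside the <log4j:configuration> element, before <root>. -->

<!-- JAAS login modules (DatabaseServerLoginModule etc.) and the JBoss
     security manager. TRACE is a JBoss extension level, hence the class. -->
<category name="org.jboss.security">
  <priority value="TRACE" class="org.jboss.logging.XLevel"/>
</category>

<!-- Tomcat realm that maps the JAAS subject to web.xml roles; this is where
     "No role found: 0" is emitted. -->
<category name="org.apache.catalina.realm">
  <priority value="DEBUG"/>
</category>
```

If the appender you read (FILE for server.log) carries a `Threshold` param higher than TRACE, raise it too or nothing will appear. Trace output records principal names and the SQL the login module runs, so remove these categories again once the problem is diagnosed.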
Viv Singh
Thanks, I have enabled debug and trace logging and the log file shows me the following:


(just a few snippets from the log file that I think illustrate the problem)


It mentions that username admin does NOT have the role, although it does have that in the database. Could there be a problem with the datatype of the field in the table? I don't see the problem.
Jaikiran Pai
DEBUG [org.apache.catalina.realm.RealmBase] No role found: 0


What does the following query return when you fire it from a SQL client?



Replace the username appropriately. And what's the datatype of the "role" in the DB?
Viv Singh
If I execute the following query:


I get the result:

ROLE 0
ROLE_GROUP 0

The datatype for role and role_group is:

ROLE VARCHAR2(40)
ROLE_GROUP VARCHAR2(40)

thanks
Jaikiran Pai
# 2009-01-19 18:30:08,088 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'admin' authenticated, loginOk=true
# 2009-01-19 18:30:08,088 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
# 2009-01-19 18:30:08,104 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role 0


This shows that the "admin" was assigned the correct roles. However, later on it fails with admin not having roles.

Your web.xml shows that you are including the portal/index.jsp too in the list of resources which are secured. Do you really want to do that?
Viv Singh
Well, at the moment I have the following structure:

If the user enters this:

http://localhost:81/stool

he/she is automatically redirected to http://localhost:81/stool/portal/index.jsp which is secured.

the content of the index.jsp in /stool is:



Basically, I would like the index.jsp in stool/portal/ to be secured. Or is that wrong?
Jaikiran Pai
Can you post the entire web.xml? I am interested in seeing what the login-config element looks like.
Viv Singh
web.xml



And I have the following in my login-config.xml in JBoss:



thanks
Viv Singh
Are there any hints? I do not understand why it authenticates successfully first and fails ultimately.
Javid Jamae
I think the problem is your role query.

Instead of:

select role, role_group from s_users where username=?

Try:

select role, 'Roles' from s_users where username=?


Also, why are you defining the roles in the s_users table? You should have a roles table and a users table. Otherwise you'll end up having a denormalized table with a lot of duplicate data, which will probably cause you trouble in the future.


Author: JBoss in Action, javidjamae.com, @javidjamae on Twitter
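An added example of the application-policy that the fix above implies, written to show why the original rolesQuery failed. It is not the login-config.xml posted in the thread. DatabaseServerLoginModule expects rolesQuery to return two columns, role name and role group; each role is placed in a group named by the second column, and only the group literally named "Roles" is used for web.xml authorization (a group named "CallerPrincipal" has a different, special meaning). The original query returned role_group = '0', so role "0" landed in a group called "0": the login succeeded, but authorization saw no roles and the container returned 403. The policy name stoolRealm, the datasource java:/OracleDS and the normalized table s_user_roles(username, role) suggested by the reply are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for server/<config>/conf/login-config.xml, not the
     thread's own file. Assumed names: policy "stoolRealm", datasource
     java:/OracleDS, tables s_users(username, password) and
     s_user_roles(username, role). -->
<policy>
  <application-policy name="stoolRealm">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag="required">
        <module-option name="dsJndiName">java:/OracleDS</module-option>

        <!-- One row, one column: the stored password for the principal. -->
        <module-option name="principalsQuery">select password from s_users where username = ?</module-option>

        <!-- Two columns: role name, role group. The literal 'Roles' is what
             makes the role count for authorization. Returning role_group
             ('0') here instead created a group named "0", which the security
             manager never consults: authenticated, then 403. -->
        <module-option name="rolesQuery">select r.role, 'Roles' from s_user_roles r where r.username = ?</module-option>

        <!-- Do not keep clear-text passwords in s_users: with these options
             the module hashes the submitted password before comparing it to
             the stored value. Note this is an unsalted digest, which is the
             strongest scheme this module offers on its own. -->
        <module-option name="hashAlgorithm">SHA-256</module-option>
        <module-option name="hashEncoding">base64</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
```

The web application selects this policy through `<security-domain>java:/jaas/stoolRealm</security-domain>` in WEB-INF/jboss-web.xml. Keeping roles in a separate s_user_roles table, as the reply recommends, also means a user with several roles yields several rows from rolesQuery, each ending up in the "Roles" group.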
Viv Singh
Thanks a lot. This solved the problem. Thank you very much.
 