Problems with FORM Authentication

Don Griffing
Ranch Hand

Joined: Nov 21, 2003
Posts: 33
I am using JBoss 3.2.3 and having problems with FORM authentication. I am using a custom login module that extends UsernamePasswordLoginModule. When I use BASIC authentication, everything behaves as expected. When I change to FORM authentication, none of the methods in my custom module are invoked so the user does not get authenticated. Below are snippets of the configuration files. What do I need to do to get FORM authentication working?
login-config.xml

jboss-web.xml

web.xml
Don Griffing
Ranch Hand

Joined: Nov 21, 2003
Posts: 33
I am still fighting this issue. Any ideas?
Gregor Slokan
Greenhorn

Joined: May 31, 2002
Posts: 5
Hi!
I'm using this configuration (and it works for me):
*jboss-web.xml code:
<jboss-web>
  <security-domain>java:/jaas/mySecurityDomain</security-domain>
</jboss-web>
*web.xml code:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>authenticated-user-pages</web-resource-name>
    <url-pattern>/auth/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>b2bCustomer</role-name>
    <role-name>b2cCustomer</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>login</web-resource-name>
    <url-pattern>/guest/login.do</url-pattern>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>j_security_ceck</web-resource-name>
    <url-pattern>/j_security_check</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>eShop kupci</realm-name>
  <form-login-config>
    <form-login-page>/guest/login.do</form-login-page>
    <form-error-page>/guest/loginError.do</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>b2bCustomer</role-name>
</security-role>
<security-role>
  <role-name>b2cCustomer</role-name>
</security-role>
Hope this will help you!
Don Griffing
Ranch Hand

Joined: Nov 21, 2003
Posts: 33
Thanks for sharing your working configuration. I noticed three differences, which are:
  • Your authenticated pages are in a separate directory.
  • You have a second <security-constraint> for /j_security_check.
  • You use <transport-guarantee>CONFIDENTIAL</transport-guarantee>.

Since it works correctly with BASIC authentication, I do not think that the separate directory is a factor in the problem.
I tried adding the second <security-constraint> with no success.
Since my application will be deployed behind the firewall, with Apache in the DMZ handling the SSL connection to the client, I did not change <transport-guarantee> from NONE to CONFIDENTIAL. Additionally, I am trying to keep the number of "moving parts" in the development environment to a minimum.
Thanks again for your reply. Still looking for a solution.
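
Added example, not part of the original posts and not JBoss code: a small Python check of which FORM-login paths a web.xml leaves without a TLS requirement, the difference between the CONFIDENTIAL and NONE settings discussed above. The function names are hypothetical, the sample descriptor is constructed, and http-method elements are ignored for brevity.

```python
import xml.etree.ElementTree as ET

def _rank(pattern, path):
    """Servlet url-pattern match strength; None when the pattern does not match."""
    if pattern == path:
        return (3, 0)                                   # exact match
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))                        # longest path prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)                                   # extension match
    return (0, 0) if pattern == "/" else None           # default mapping

def parse(web_xml):
    """Return (root, [(url_pattern, transport_guarantee), ...])."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                              # strip Servlet 2.4+ namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    rules = []
    for sc in root.iter("security-constraint"):
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        rules += [(p.text.strip(), tg) for p in sc.iter("url-pattern")]
    return root, rules

def requires_tls(rules, path):
    """True only if every constraint on the best-matching pattern demands TLS."""
    hits = [(_rank(p, path), tg) for p, tg in rules if _rank(p, path) is not None]
    best = max((r for r, _ in hits), default=None)      # no hit: path is unconstrained
    return bool(hits) and all(tg in ("CONFIDENTIAL", "INTEGRAL")
                              for r, tg in hits if r == best)

def audit_form_login(web_xml):
    """Paths of the FORM login flow that the container will serve without TLS."""
    root, rules = parse(web_xml)
    if (root.findtext("login-config/auth-method") or "").strip() != "FORM":
        return []
    page = root.findtext("login-config/form-login-config/form-login-page") or ""
    flow = [p for p in (page.strip(), "/j_security_check") if p]
    return [p for p in flow if not requires_tls(rules, p)]

# Constructed sample: a FORM login whose constraint leaves transport-guarantee at NONE.
SAMPLE = """<web-app><security-constraint><web-resource-collection>
  <url-pattern>/guest/login.do</url-pattern><url-pattern>/j_security_check</url-pattern>
 </web-resource-collection><user-data-constraint>
  <transport-guarantee>NONE</transport-guarantee></user-data-constraint></security-constraint>
 <login-config><auth-method>FORM</auth-method><form-login-config>
  <form-login-page>/guest/login.do</form-login-page></form-login-config></login-config>
</web-app>"""

if __name__ == "__main__":
    print(audit_form_login(SAMPLE))
```

An empty result means the container itself enforces TLS on the login page and on /j_security_check. When TLS is terminated at a front-end proxy and web.xml stays at NONE, the listed paths are the ones the proxy must never serve over plain HTTP.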
Don Griffing
Ranch Hand

Joined: Nov 21, 2003
Posts: 33
Great news, I've finally got this solved, but I do not understand why. I had posted this same issue on JBoss' Forum. After much persistence, I received the recommendation to add to my log4j.xml. After I made the addition, the FORM authentication began working as expected. Below are snippets from the configuration file and login.jsp from the working FORM authentication.
login-config.xml
jboss-web.xml
web.xml
login.jsp
John Smith
Greenhorn

Joined: Dec 12, 2005
Posts: 11
Thanks for that topic. The magic incantation seemed to be



in jboss-web.xml which actually made it use



in login-config.xml. This is not explained anywhere. Did this technique evolve? Did someone randomly hit on this?

Anyway. OK so far, but my login module needs more information from the login form than just the j_username and j_password which are available from JBoss's CallbackHandler.

I need JBoss to use my custom CallbackHandler to get info out of the HTTP request. This accepts another Callback subclass, a CompanyNameCallback. This is needed to perform our login method.

Anyone know how I can obtain more information from the login form?

[ December 12, 2005: Message edited by: John Smith ]