wood burning stoves 2.0*
The moose likes JBoss/WildFly and the fly likes JBoss Security Roles Problem.... everyone is admin! Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Products » JBoss/WildFly
Bookmark "JBoss Security Roles Problem.... everyone is admin!" Watch "JBoss Security Roles Problem.... everyone is admin!" New topic
Author

JBoss Security Roles Problem.... everyone is admin!

Rick Hightower
Author
Ranch Hand

Joined: Feb 20, 2002
Posts: 350
I am having a problem with roles. A user called tomcat is in a role called admin, but should not be. I can login okay with the tomcat user but, the tomcat user can do everything an admin can do, which is not what I want. I then tried to programmatically see if tomcat user is an admin and he was.
JBoss security is setup as follows:
<application-policy name = "express">
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "dsJndiName">jdbc/mysql</module-option>
<module-option name = "principalsQuery">
select passwrd from app_user where username=?
</module-option>
<module-option name = "rolesQuery">
select role_name, 'Roles' from user_role where username=?
</module-option>
<module-option name="hashAlgorithm">SHA</module-option>
<module-option name="hashEncoding">base64</module-option>
</login-module>
</application-policy>
When I run the querries in the database workbench they seem to work as they should.
(I tried several combinations of encoding and hash to no avail).
It should be like this:
user tomcat is in the role "user"
user mraible is in the role "admin"
Here is the role table:
CREATE TABLE USER_ROLE
(
ID NUMERIC( 18, 0) NOT NULL,
USER_ID NUMERIC( 18, 0) NOT NULL,
USERNAME VARCHAR( 255) NOT NULL COLLATE NONE,
ROLE_NAME VARCHAR( 255) NOT NULL COLLATE NONE,
PRIMARY KEY (ID)
);
This query
select USER_NAME ROLENAME from USER_ROLE;
outputs this:
USER_NAME ROLENAME
tomcat user
mraible admin
Here is the DDL for the user table:
RECREATE TABLE APP_USER
(
ID NUMERIC( 18, 0) NOT NULL,
USERNAME VARCHAR( 40) NOT NULL COLLATE NONE,
PASSWRD VARCHAR( 150) NOT NULL COLLATE NONE,
FIRSTNAME VARCHAR( 40) NOT NULL COLLATE NONE,
LASTNAME VARCHAR( 40) NOT NULL COLLATE NONE,
EMAIL VARCHAR( 100) COLLATE NONE,
PHONENUMBER VARCHAR( 15) COLLATE NONE,
PASSWORDHINT VARCHAR( 40) COLLATE NONE,
INCREMENTBY FLOAT,
VER INTEGER,
PRIMARY KEY (ID)
);
The above has the following data:
ID,USERNAME,FIRSTNAME,EMAIL
1,"tomcat","Tomcat","matt_raible@yah.com"
2,"mraible","Matt","matt@raible.com"
3,"rick","Rick","rick@arc-mind.com"


Rick Hightower is CTO of Mammatus which focuses on Cloud Computing, EC2, etc. Rick is invovled in Java CDI and Java EE as well. linkedin,twitter,blog
Rick Hightower
Author
Ranch Hand

Joined: Feb 20, 2002
Posts: 350
Let me answer my own question (with Adrian's help of course)
Thanks Adrian!
(I am starting to become a JBoss fan! Don't tell anyone.)
[ February 24, 2004: Message edited by: Rick Hightower ]
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: JBoss Security Roles Problem.... everyone is admin!
 
Similar Threads
forget the tomcat credentials
HTTP Status 403
how to add username , role , password to jboss the way we do in tomcat
Is it Tomcat's Bug or My Mistake
Need help for Many to Many association