Problem with jboss login

 
Tejas Gokhale
Greenhorn
Posts: 24
Hi,
I have two roles, for which I have two different security constraints configured. I am using the JBoss DatabaseServerLoginModule with form-based authentication.
If I give completely wrong credentials, the error page is shown properly.
But if I request a page which role1 is authorised to see and I give the login credentials of role2, then instead of showing the error page it shows me an HTTP 403 Forbidden error, though I have configured error.jsp in login-config.
Please help me understand why this is happening.
 
Wiley Snyder
Greenhorn
Posts: 23
You need a welcome page in your descriptor that the user has access to on authentication ...

<welcome-file-list>
<welcome-file>members.jsp</welcome-file>
</welcome-file-list>
 
Tejas Gokhale
Greenhorn
Posts: 24
I have actually added the welcome page, but even then the error is coming. Please help.
Following is the descriptor.

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
<!-- It's required that display name be as specified -->

<display-name>PartnerPortal</display-name>

<!-- Action Servlet Configuration -->
<servlet>
<servlet-name>action</servlet-name>
<servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
<init-param>
<param-name>config</param-name>
<param-value>/WEB-INF/struts-config.xml</param-value>
</init-param>

<load-on-startup>1</load-on-startup>
</servlet>


<!-- Action Servlet Mapping -->
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>

<!-- Session time out set to 30 min. -->
<session-config>
<session-timeout>30</session-timeout>
</session-config>

<!-- Welcome file list -->
<welcome-file-list>
<welcome-file>/web/jsp/login/login.jsp</welcome-file>
</welcome-file-list>

<!-- ******************************************************************* -->
<!-- ***** taglibs ***************************************************** -->
<!-- ******************************************************************* -->
<taglib>
<taglib-uri>/WEB-INF/lib/struts-html.tld</taglib-uri>
<taglib-location>/WEB-INF/lib/struts-html.tld</taglib-location>
</taglib>

<taglib>
<taglib-uri>/WEB-INF/lib/struts-bean.tld</taglib-uri>
<taglib-location>/WEB-INF/lib/struts-bean.tld</taglib-location>
</taglib>

<taglib>
<taglib-uri>/WEB-INF/lib/struts-logic.tld</taglib-uri>
<taglib-location>/WEB-INF/lib/struts-logic.tld</taglib-location>
</taglib>



<!-- #################################################### -->
<!-- Added by sunil for jboss login module implementation -->
<security-constraint>
<web-resource-collection>
<web-resource-name>adminresource</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/adminmenu.do</url-pattern>
<url-pattern>/web/jsp/change_password.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>

<security-constraint>
<web-resource-collection>
<web-resource-name>reselleruserresource</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/resellerSetup.do</url-pattern>
<url-pattern>/resellerProduct.do</url-pattern>
<url-pattern>/adsl.do</url-pattern>
<url-pattern>/pstn.do</url-pattern>
<url-pattern>/isdn.do</url-pattern>
<url-pattern>/llvpn.do</url-pattern>
<url-pattern>/llvpnpp.do</url-pattern>
<url-pattern>/lesvpn.do</url-pattern>
<url-pattern>/lespp.do</url-pattern>
<url-pattern>/sdsl.do</url-pattern>

<url-pattern>/web/jsp/reseller_user/JBossStartGuide.pdf</url-pattern>
<url-pattern>/web/jsp/change_password.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>reselleruser</role-name>
</auth-constraint>

</security-constraint>

<security-constraint>
<web-resource-collection>
<web-resource-name>login</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/forgotpassword.*</url-pattern>
<url-pattern>/home.do</url-pattern>
<url-pattern>/disclaimer.do</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>

</security-constraint>


<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/web/jsp/login/login.jsp</form-login-page>
<form-error-page>/web/jsp/login/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>

<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>reselleruser</role-name>
</security-role>

<!-- End of addition by sunil for jboss login module implementation -->
<!-- $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ -->


</web-app>
 
Heonkoo Lee
Ranch Hand
Posts: 85
The welcome file list configuration has nothing to do with getting the status code 403 Forbidden. Both users in role1 and role2 are authenticated to the web app if they log in with the correct username and password. The login error page is only displayed when a login fails.

The reason the user in role2 is getting a 403 error (different from a login error) is that only users in role1 are authorized to access that resource.

Hope this helps.

Regards,
 
Tejas Gokhale
Greenhorn
Posts: 24
All that is absolutely correct. But my problem is why is it showing that ugly error on screen when I have configured loginerror.jsp in login-config tags.
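
Added example, not part of any post above and not the poster's own configuration: the `form-error-page` in `login-config` is used only when authentication fails, so a 403 returned to an authenticated user in the wrong role is rendered by the container unless the descriptor maps that status code with an `error-page` element. The location `/web/jsp/login/accessdenied.jsp` is a hypothetical page. In a descriptor validated against the Servlet 2.3 DTD, `error-page` has to sit between `welcome-file-list` and the first `taglib`.

```xml
<!-- Welcome file list (unchanged, as in the descriptor posted above) -->
<welcome-file-list>
<welcome-file>/web/jsp/login/login.jsp</welcome-file>
</welcome-file-list>

<!-- Added: page shown when an authenticated user lacks the role required
     by the matching auth-constraint (authorization failure, HTTP 403).
     The location is a hypothetical JSP, not a file from the thread. -->
<error-page>
<error-code>403</error-code>
<location>/web/jsp/login/accessdenied.jsp</location>
</error-page>

<!-- taglib and security-constraint entries follow here, unchanged -->

<!-- Unchanged: form-error-page covers failed logins only
     (wrong username or password), never a role mismatch -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/web/jsp/login/login.jsp</form-login-page>
<form-error-page>/web/jsp/login/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
```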
 