You need to use the Servlet/JSP Spec for your login screen using BASIC, FORM, DIGEST, or CERT.
In JBoss you need to create a Security Domain in the login-config.xml. Then, in a jboss-web.xml file, you add a <security-domain> tag with the name you gave your security domain. Now create security refs in your web.xml to use the roles.
For a security domain to a database, you use the DatabaseServerLoginModule class and provide how to connect to the database, a query to get the password based on username, and then another query to get the roles that the user is assigned to.
Read the parameters submitted from the user in a servlet and fetch the password value from the database. Match the password sent by the user and database.
Apart from this, you can use the container's authentication facility, or in case you think that the authentication mechanism will change frequently, then you can go for JAAS. Look for JBoss's documentation to use JAAS. An article on JAAS.
[ January 22, 2007: Message edited by: Rahul Bhattacharjee ]
You are still not following the JavaRanch Naming Policy.
The policy requires using your real first and real last names. Not just a single, first name.
Show us the login-config.xml security domain that you are using. Also post your jboss-web.xml, the portion of your web.xml that creates the security roles and constraint mappings, and the web.xml that shows the login form mapping. Thanks.
Joined: Nov 29, 2005
Originally posted by saeedeh: but I want to use JBoss XML files to authenticate and do all the settings, but it can't look up my ds!!
I do not know what the JBoss authentication files are. Check the documentation. It might be like the tomcat-user.xml file, which is used when the authentication realm is set to memory.
Joined: Jan 16, 2007
This is my policy in login-config.xml:

    <application-policy name="test-policy">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <module-option name="dsJndiName">java:/testDS</module-option>
          <module-option name="principalsQuery">select pass from Users where userName=?</module-option>
          <module-option name="rolesQuery">select roleId from Users where user_id=?</module-option>
        </login-module>
      </authentication>
    </application-policy>
And this is my jboss-web.xml:

    <jboss-web>
      <!-- Uncomment the security-domain to enable security. You will
           need to edit the htmladaptor login configuration to setup
           the login modules used to authentication users.
      <security-domain>java:/jaas/test-policy</security-domain>
      -->
    </jboss-web>

And my web.xml is:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd">
    <!-- ===================================================================== -->
    <!--                                                                       -->
    <!-- JBoss Server Configuration                                            -->
    <!-- This file is generated by Streamlet.                                  -->
    <!-- Don't change it. It will be overwritten                               -->
    <!-- ===================================================================== -->
Here is a brief explanation of authentication in JBoss.
1. Create a Security Domain in login-config.xml. If it points to a database, it must be able to connect to the database and have those two queries: one to get back the password from the user table to compare with the password entered, and one to get the user's roles. If there is no data in the database, you get no results and no one can log in.
2. Use jboss-web.xml and point to the security domain name.
3. Use the roles in your web.xml.
If you use wrong role names or the user doesn't have that role, you get the error page.
Your error could be that you don't get the database, or something else.
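The three steps above, put together as one consistent set of files. This is an added example, not configuration posted by anyone in the thread; the UserRoles table, the role name user, the /secure/* pattern and the JSP page names are assumptions, while the policy name, datasource and principalsQuery are the ones quoted earlier.

```xml
<!-- 1. login-config.xml: the security domain -->
<application-policy name="test-policy">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/testDS</module-option>
      <!-- One column: the stored password for the submitted login name.
           The module's hashAlgorithm / hashEncoding options let this column
           hold a hash instead of the plaintext password. -->
      <module-option name="principalsQuery">select pass from Users where userName=?</module-option>
      <!-- Two columns: role name, then role group. The group must be 'Roles'.
           The ? is bound to the same login name used in principalsQuery.
           UserRoles(userName, roleName) is an assumed table. -->
      <module-option name="rolesQuery">select roleName, 'Roles' from UserRoles where userName=?</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- 2. WEB-INF/jboss-web.xml: the element must be active, not inside a comment -->
<jboss-web>
  <security-domain>java:/jaas/test-policy</security-domain>
</jboss-web>

<!-- 3. WEB-INF/web.xml (2.3 DTD order: security-constraint, login-config, security-role) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Must match a role name returned by rolesQuery exactly -->
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>
```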
Joined: Jan 16, 2007
Thank you very much. I did that and I think that is OK, but now when I run my program I get this error:
HTTP Status 403 - Access to the requested resource has been denied
Which explains securing a web application. At this point, because we will not be able to see exactly what you have set up in everything, and what the data in your database looks like, that is the best I can do from this point forward.