
Form-based Security

 
Matthew Shalorne
Greenhorn
Posts: 12
Hi,

I am using jboss-4.0.0RC2. I am trying to use form-based declarative security as described in Head First. My web.xml is:


My jboss-web.xml is:



I have added this to my login-config:


My user.properties has:


and my roles.properties has:


both files being in my classes dir in my war.
I am expecting the server to present me with my login form page when I try to access /sec/showlogs but instead it lets me access that servlet without any authentication. Does anyone know what I am doing wrong?

Thx,
 
Serghei Jelauc
Ranch Hand
Posts: 128
I am not sure - never worked with JBoss, but try to check your HTML form tag.
It must be like this:

The action attribute and the two name attributes MUST be "j_security_check", "j_username", "j_password" respectively.

Regards.
 
Matthew Shalorne
Greenhorn
Posts: 12
Thx Serghei - My form tags are right but it never gets to the form page - it doesn't try to. It just lets you go straight to the restricted servlet.
 
Matthew Shalorne
Greenhorn
Posts: 12
Found a tag that I mis-spelt but I still have no joy because jboss doesn't seem to pick up my password file. The symptoms are that it now takes me to the login page (or login dialog when I use BASIC) but, although I have set up my users.properties etc as per the guide it always thinks my password is wrong! Two and a half days of zero productivity - grrrrr!
 
Matthew Shalorne
Greenhorn
Posts: 12
Scott Stark, the Chief Technology Officer for JBoss, gave me a solution. If you use the default properties file names as demonstrated in the howto, then you run the risk that someone else used the same names in their module to specify their users, and they may be earlier in the path, in which case the app will find that file and never read yours.
JBoss lets you specify and use different users.properties file names in the login-config file. If you use unique names and put your properties files in the classes dir of your war, it works fine.
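
The fix described in the last post, as an added configuration example that is not part of the original thread or of JBoss's own documentation. The security domain `myapp-domain`, the `myapp-*.properties` file names, the `logviewer` role and the login page paths are hypothetical; `/sec/showlogs` is the URL from the question.

```xml
<!-- Added example; "myapp-*" names, role and page paths are hypothetical. -->

<!-- WEB-INF/web.xml: protect /sec/showlogs with FORM login -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Log viewer</web-resource-name>
    <url-pattern>/sec/showlogs</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>logviewer</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>logviewer</role-name>
</security-role>

<!-- WEB-INF/jboss-web.xml: bind the war to the policy below -->
<jboss-web>
  <security-domain>java:/jaas/myapp-domain</security-domain>
</jboss-web>

<!-- server conf/login-config.xml: policy with uniquely named files -->
<application-policy name="myapp-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="usersProperties">myapp-users.properties</module-option>
      <module-option name="rolesProperties">myapp-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- WEB-INF/classes/myapp-users.properties  (user=password), constructed:
       alice=CHANGE_ME
     WEB-INF/classes/myapp-roles.properties  (user=role[,role]), constructed:
       alice=logviewer -->
```

The users file holds passwords in clear text, so limit who can read the war and the deployed classes directory.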
 