JBoss and J2EE Security

Ranch Hand

Hi,

I have a web application that runs on JBoss.

I need to implement form-based authentication and furthermore I have users with different roles (which are stored in an Oracle database).

Now, according to the user-role, the user will only be allowed to access certain pages/sites. For example user with role "0" is allowed to access page1.jsp, page2.jsp and page3.jsp whereas the user with role "1" is only allowed to access page1.jsp and page2.jsp and the user with role "2" can only access page3.jsp.

I am not sure how I have to implement that in my deployment descriptor (web.xml).

At the moment I have the following:



Thanks for any help.
author

Before we go any further, I noticed this in the url-pattern: /portal/*

Are you working with JBoss Portal (or some other portal)? I ask because portals have their own security mechanisms that are different from simple web app security.
Viv Singh
Ranch Hand

No, I don't use any portal. I just called it like that for my own purpose.
Peter Johnson
author

Look at http://pdf.moreservlets.com/More-Servlets-and-JSP-Chapter-07.pdf, specifically the section titled "Specifying URLs That Should Be Password Protected" on page 362.

There is also source code for that chapter, see http://pdf.moreservlets.com/
Viv Singh
Ranch Hand

Thanks for the resources.

Now, I have encountered a bug/problem in my configuration.

I have a table in my oracle database that contains the username, role and role_group.

In my login-config.xml I have the following:



And I tried to test my web app with the following web.xml configuration:



The table in the db contains an entry with a username who has the role "0" assigned.
However, when I try to login through the form I get the following message:

HTTP Status 403 - Access to the requested resource has been denied

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.


What am I doing wrong here?

Thanks in advance.
Sheriff

Enable the security package TRACE logging to see what's going on. See Q4 here for enabling TRACE level logging.
Viv Singh
Ranch Hand

Thanks, I have enabled the debug and trace and the log file shows me the following:


(just a few snippets from the log file that I think illustrate the problem)


It mentions that username admin does NOT have role, although it does have that in the database. Could there be a problem with the datatype of the field in the table? I don't see the problem.
Jaikiran Pai
Sheriff

DEBUG [org.apache.catalina.realm.RealmBase] No role found: 0

What does the following query return when you fire it from a SQL client?



Replace the username appropriately. And what's the datatype of the "role" in the DB?
Viv Singh
Ranch Hand

If I execute the following query:


I get the result:

ROLE 0
ROLE_GROUP 0

The datatype for role and role_group is:

ROLE VARCHAR2(40)
ROLE_GROUP VARCHAR2(40)

thanks
Jaikiran Pai
Sheriff

2009-01-19 18:30:08,088 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'admin' authenticated, loginOk=true
2009-01-19 18:30:08,088 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
2009-01-19 18:30:08,104 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role 0

This shows that the "admin" was assigned the correct roles. However, later on it fails with admin not having roles.

Your web.xml shows that you are including the portal/index.jsp too in the list of resources which are secured. Do you really want to do that?
Viv Singh
Ranch Hand

Well, at the moment I have the following structure:

If the user enters this:

http://localhost:81/stool

he/she is automatically redirected to http://localhost:81/stool/portal/index.jsp which is secured.

The content of the index.jsp in /stool is:



Basically, I would like the index.jsp in stool/portal/ to be secured. Or is that wrong?
Jaikiran Pai
Sheriff

Can you post the entire web.xml? I am interested in seeing what the login-config element looks like.
Viv Singh
Ranch Hand

web.xml



And I have the following in my login-config.xml in JBoss:



thanks
Viv Singh
Ranch Hand

Are there any hints? I do not understand why it authenticates successfully first and fails ultimately.
Author

I think the problem is your role query.

Instead of:

select role, role_group from s_users where username=?

Try:

select role, 'Roles' from s_users where username=?


Also, why are you defining the roles in the s_users table? You should have a roles table and a users table. Otherwise you'll end up having a denormalized table with a lot of duplicate data, which will probably cause you trouble in the future.
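The corrected rolesQuery in context. This is an added example login-config.xml entry for JBoss's DatabaseServerLoginModule, not the poster's file: the s_users table, the username, role and role_group columns and the two role queries are from the thread; the policy name stool, the datasource JNDI name java:/OracleDS, the password column and the hashing options are assumptions. It also explains the symptom in the log: the login module's second column is the role group, and only rows in the group 'Roles' become the J2EE roles the container checks against web.xml, so the original query put role "0" into a group named "0" that the container never consults.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example login-config.xml entry (JBoss 4.x/5.x format), not the poster's.
     Assumed: policy name "stool", datasource "java:/OracleDS", column "password". -->
<policy>
  <application-policy name="stool">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag="required">
        <module-option name="dsJndiName">java:/OracleDS</module-option>

        <!-- One column: the stored password (or its digest) for the bound username. -->
        <module-option name="principalsQuery">select password from s_users where username=?</module-option>

        <!-- Two columns: role name, then role GROUP. Only rows whose group is
             literally 'Roles' are turned into the roles web.xml can match.
             The thread's original query returned role_group ('0' here), which
             produced a group named '0' and the "No role found: 0" in the log. -->
        <module-option name="rolesQuery">select role, 'Roles' from s_users where username=?</module-option>

        <!-- Hypothetical normalized layout (separate roles table, as the reply
             suggests); the table and column names are assumptions:
             select r.role, 'Roles' from s_user_roles r where r.username=? -->

        <!-- Optional: compare against hex SHA-256 digests instead of plaintext.
             Only enable this once the password column actually holds digests. -->
        <module-option name="hashAlgorithm">SHA-256</module-option>
        <module-option name="hashEncoding">hex</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
```

The web application is tied to this policy through jboss-web.xml with `<security-domain>java:/jaas/stool</security-domain>` (same policy name as above). The username bound into both queries is the one submitted on the login form, so the queries stay parameterized with `?` rather than concatenated. An unsalted digest is still a weak way to store passwords, but it is what this login module offers out of the box and is better than the plaintext column the default configuration implies.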
Viv Singh
Ranch Hand

Thanks a lot. This solved the problem. Thank you very much.