Issue matching web app with desired security domain (JBoss 4.2.2)

We have an existing project with security domains for our EJB3s. We are trying to use a similar (or the same) security domain/policy for some of our web applications. I have it working, but it's sort of ugly and I'm trying to figure out what I'm missing.

The main issue is that the security domain will only match the 'other' domain that comes with the JBoss install. For whatever reason, after I decided to use a custom authenticator, the security domain I created will not 'match'.

The goal is to use the SSL_CLIENT_CERT that we receive via HTTP Header and to authenticate/authorize that with our existing policy. This works for EJBs, but not the web app I have tried.

Backstory:

I originally set up the web application (i.e. http://jboss/secure/index.jsp) to have a simple FORM-based policy. This worked: when I would attempt to hit that URL I would get prompted for a username/password. Assuming I entered the username/password in my users.properties file, I was able to get to that URL.

I then created my own authenticator, based on instructions I found on creating a GenericHeaderBasedAuthenticator.

This also seemed to work okay, provided my authenticator passed in the username/properties from the user.properties file.

I then created my own login module based on instructions I found here. My CustomWebAppLoginModule extends AbstractServerLoginModule.

When I tried to change the login-module.xml to use this login module instead of the generic one, I couldn't seem to 'match' the security domain I created. I toyed around with it and eventually realized it would match 'other', but not the one I created.

Any ideas on why this is so?

login-module.xml:

Note that I had to change the "other" application-policy to use my CustomWebAppLoginModule to get it to work... otherwise it would just skip this policy and never call CustomWebAppLoginModule.

jboss-service.xml in jboss-web.deploy/META-INF:

In my GenericWebAppHeaderAuthenticator.java, this call is made:

Pertinent parts of my web.xml:
Any thoughts?

andrew ennamorato
The easiest solution is often the most overlooked, at least with most of my mistakes. <sigh>

The problem was my jboss-web.xml. While I forgot to include it in the original post, it did have my desired security domain. However, it was not getting deployed in my .war file, which is why it would only hit the 'other' security domain.

The next problem I ran across was caching of the authentication credentials/roles. I found this page on credential caching which seems to have helped.
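The thread boils down to one packaging check: the `<security-domain>` in the WAR's `WEB-INF/jboss-web.xml` must both be present in the archive and name an `<application-policy>` that exists in the server's policy file (the poster calls it login-module.xml; JBoss 4.x ships it as `conf/login-config.xml`, which is the name used below). When either condition fails, JAAS falls back to the `other` entry, which is exactly what the first post observed. The following script is an added example, not code from the thread or the poster's project; it builds a throwaway WAR in memory, parses both files, and reports which policy will actually authenticate the web app. The policy name `cert-web-domain`, the class `com.example.CustomWebAppLoginModule`, and the sample login-config.xml are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample of a JBoss 4.x conf/login-config.xml. The policy name
# "cert-web-domain" and com.example.CustomWebAppLoginModule are hypothetical;
# "other" is the fallback policy that ships with JBoss.
SAMPLE_LOGIN_CONFIG = """<?xml version="1.0"?>
<policy>
  <application-policy name="other">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required"/>
    </authentication>
  </application-policy>
  <application-policy name="cert-web-domain">
    <authentication>
      <login-module code="com.example.CustomWebAppLoginModule"
                    flag="required"/>
    </authentication>
  </application-policy>
</policy>
"""

JAAS_PREFIX = "java:/jaas/"  # conventional JBoss 4.x JNDI prefix for a security domain


def build_war(jboss_web_xml=None):
    """Build a minimal WAR in memory (constructed test fixture).

    Passing None omits WEB-INF/jboss-web.xml, reproducing the packaging
    mistake from the thread: the container then has no domain to look up.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        if jboss_web_xml is not None:
            war.writestr("WEB-INF/jboss-web.xml", jboss_web_xml)
    return buf.getvalue()


def configured_policies(login_config_xml):
    """Names of every <application-policy> declared in login-config.xml."""
    root = ET.fromstring(login_config_xml)
    return {p.get("name") for p in root.iter("application-policy")}


def war_security_domain(war_bytes):
    """Policy name requested by WEB-INF/jboss-web.xml, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        if "WEB-INF/jboss-web.xml" not in war.namelist():
            return None
        root = ET.fromstring(war.read("WEB-INF/jboss-web.xml"))
    node = root.find("security-domain")
    if node is None or not node.text or not node.text.strip():
        return None
    domain = node.text.strip()
    # Accept both "java:/jaas/<name>" and a bare "<name>".
    return domain[len(JAAS_PREFIX):] if domain.startswith(JAAS_PREFIX) else domain


def effective_policy(war_bytes, login_config_xml):
    """Return (policy_name, reason): which application-policy will actually
    authenticate requests for this WAR, and why. JAAS uses "other" whenever
    the requested entry does not exist."""
    policies = configured_policies(login_config_xml)
    domain = war_security_domain(war_bytes)
    if domain is None:
        return "other", "WEB-INF/jboss-web.xml missing or has no <security-domain>"
    if domain not in policies:
        return "other", "no application-policy named '%s' in login-config.xml" % domain
    return domain, "matched application-policy '%s'" % domain


if __name__ == "__main__":
    good = ("<jboss-web><security-domain>java:/jaas/cert-web-domain"
            "</security-domain></jboss-web>")
    for label, war in (("jboss-web.xml omitted", build_war()),
                       ("jboss-web.xml present", build_war(good))):
        print(label, "->", effective_policy(war, SAMPLE_LOGIN_CONFIG))
```

To run it against a real deployment, replace `build_war(...)` with the bytes of the WAR that was actually copied into `server/<config>/deploy` and `SAMPLE_LOGIN_CONFIG` with the contents of `server/<config>/conf/login-config.xml`; a result of `other` with a reason string is the symptom described in the first post, and the reason tells you which of the two mismatches you have.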