
Problems with FORM Authentication

 
Don Griffing
Ranch Hand
Posts: 33
I am using JBoss 3.2.3 and having problems with FORM authentication. I am using a custom login module that extends UsernamePasswordLoginModule. When I use BASIC authentication, everything behaves as expected. When I change to FORM authentication, none of the methods in my custom module are invoked so the user does not get authenticated. Below are snippets of the configuration files. What do I need to do to get FORM authentication working?
login-config.xml

jboss-web.xml

web.xml
 
Don Griffing
Ranch Hand
Posts: 33
I am still fighting this issue. Any ideas?
 
Gregor Slokan
Greenhorn
Posts: 5
Hi!
I'm using this configuration (and it works for me):
*jboss-web.xml code:
<jboss-web>
    <security-domain>java:/jaas/mySecurityDomain</security-domain>
</jboss-web>
*web.xml code:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>authenticated-user-pages</web-resource-name>
        <url-pattern>/auth/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>b2bCustomer</role-name>
        <role-name>b2cCustomer</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>login</web-resource-name>
        <url-pattern>/guest/login.do</url-pattern>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>j_security_ceck</web-resource-name>
        <url-pattern>/j_security_check</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>eShop kupci</realm-name>
    <form-login-config>
        <form-login-page>/guest/login.do</form-login-page>
        <form-error-page>/guest/loginError.do</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>b2bCustomer</role-name>
</security-role>
<security-role>
    <role-name>b2cCustomer</role-name>
</security-role>
Hope this will help you!
 
Don Griffing
Ranch Hand
Posts: 33
Thanks for sharing your working configuration. I noticed three differences, which are:
  • Your authenticated pages are in a separate directory.
  • You have a second <security-constraint> for /j_security_check.
  • You use <transport-guarantee>CONFIDENTIAL</transport-guarantee>

Since it works correctly with BASIC authentication, I do not think that the separate directory is a factor in the problem.
I tried adding the second <security-constraint> with no success.
Since my application will be deployed behind the firewall, with Apache in the DMZ handling the SSL connection to the client, I did not change <transport-guarantee> from NONE to CONFIDENTIAL. Additionally, I am trying to keep the number of "moving parts" in the development environment to a minimum.
Thanks again for your reply. Still looking for a solution.
     
Don Griffing
Ranch Hand
Posts: 33
Great news, I've finally got this solved, but I do not understand why. I had posted this same issue on JBoss' Forum. After much persistence, I received the recommendation to add to my log4j.xml. After I made the addition, the FORM authentication began working as expected. Below are snippets from the configuration file and login.jsp from the working FORM authentication.
login-config.xml
jboss-web.xml
web.xml
login.jsp
     
John Smith
Greenhorn
Posts: 11
Thanks for that topic. The magic incantation seemed to be



in jboss-web.xml which actually made it use



in login-config.xml. This is not explained anywhere. Did this technique evolve? Did someone randomly hit on this?

Anyway. OK so far, but my login module needs more information from the login form than just the j_username and j_password which are available from JBoss's CallbackHandler.

I need JBoss to use my custom CallbackHandler to get info out of the HTTP request. This accepts another Callback subclass, a CompanyNameCallback. This is needed to perform our login method.

Anyone know how I can obtain more information from the login form?

    [ December 12, 2005: Message edited by: John Smith ]
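
Added example, not part of the thread and not JBoss code: a small Python lint for the two relationships this thread turns on. It checks that the java:/jaas/ name in jboss-web.xml matches an application-policy name in login-config.xml, and that when protected pages require CONFIDENTIAL the login page and /j_security_check are covered as well. The XML inputs are constructed (a deliberately broken variant of the configuration posted above); `otherDomain` and `com.example.CustomLoginModule` are placeholders, and the descriptors are assumed to be DTD-style without XML namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: a deliberately broken variant of the files posted above.
WEB_XML = """<web-app><security-constraint>
 <web-resource-collection><url-pattern>/auth/*</url-pattern></web-resource-collection>
 <auth-constraint><role-name>b2bCustomer</role-name></auth-constraint>
 <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
<login-config><auth-method>FORM</auth-method><form-login-config>
 <form-login-page>/guest/login.do</form-login-page>
 <form-error-page>/guest/loginError.do</form-error-page>
</form-login-config></login-config></web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/mySecurityDomain</security-domain></jboss-web>"
# Hypothetical login-config.xml; the policy name and module class are placeholders.
LOGIN_CONFIG_XML = """<policy><application-policy name="otherDomain"><authentication>
 <login-module code="com.example.CustomLoginModule" flag="required"/>
</authentication></application-policy></policy>"""

def covers(pattern, path):
    # Servlet url-pattern matching: '/prefix/*', '*.ext', otherwise exact.
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def lint(web_xml, jboss_web_xml, login_config_xml):
    web, findings = ET.fromstring(web_xml), []
    # 1. java:/jaas/<name> in jboss-web.xml must name an application-policy.
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain", "")
    name = domain.strip().rsplit("/", 1)[-1]
    policies = ET.fromstring(login_config_xml).iter("application-policy")
    if name not in [p.get("name") for p in policies]:
        findings.append(f"no application-policy named {name}")
    # 2. If protected pages are CONFIDENTIAL, the login path must be too.
    secure, guarded = [], False
    for sc in web.iter("security-constraint"):
        if sc.findtext("user-data-constraint/transport-guarantee") == "CONFIDENTIAL":
            secure += [u.text for u in sc.iter("url-pattern")]
            guarded |= sc.find("auth-constraint") is not None
    login = web.findtext("login-config/form-login-config/form-login-page")
    if guarded and web.findtext("login-config/auth-method") == "FORM":
        for path in filter(None, (login, "/j_security_check")):
            if not any(covers(p, path) for p in secure):
                findings.append(f"{path} not under CONFIDENTIAL")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML)))
```

When every transport-guarantee is NONE, as in the setup where a front-end Apache terminates SSL, the second check reports nothing and only the security-domain linkage is verified.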
     