Secure A Portlet Via Username/Password Authentication

Experts,
  I have a portlet that I successfully got to deploy and run in JBOSS.  Now I would like to add a simple security measure to require the users to provide a valid username/password before they can use the portlet.  I read and followed the instructions provided here:
http://www.jboss.org/community/docs/DOC-12185 and here
http://www.jboss.org/community/docs/DOC-10760 and yet whenever I deploy and access my portlet it came right up - there was no login dialog box that came up.

Is this the best way to handle user authentication?  Do you have another recommendation on how I can achieve this?

Thanks,
jc
johnchan2000 Asked:
ramazanyich Commented:
Could you provide your web.xml and jboss-web.xml from your WAR file and $JBOSS_HOME/server/<your-node>/conf/login-config.xml files?

Probably some naming errors inside those files.

johnchan2000 Author Commented:
Thanks for the response.  Below are the contents for those files.

web.xml
---
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
   "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
   "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All resources</web-resource-name>
            <description>Protects all resources</description>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>WebAppUser</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>WebAppUser</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Test Realm</realm-name>
    </login-config>
</web-app>
-------



jboss-web.xml (SEE LAST ENTRY OF THIS FILE)
----
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE jboss-web
    PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
<jboss-web>
<security-domain>java:/jaas/my-web</security-domain>
</jboss-web>
------

login-config.xml
---------
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<policy>
    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <application-policy name = "client-login">
        <authentication>
            <login-module code = "org.jboss.security.ClientLoginModule"
             flag = "required">
             <!-- Any existing security context will be restored on logout -->
                <module-option name="restore-login-identity">true
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ -->
    <application-policy name = "jbossmq">
        <authentication>
            <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
                <module-option name = "unauthenticatedIdentity">guest
                </module-option>
                <module-option name = "dsJndiName">java:/DefaultDS
                </module-option>
                <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?
                </module-option>
                <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- Security domains for testing new jca framework -->
    <application-policy name = "HsqlDbRealm">
        <authentication>
            <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
                <module-option name = "principal">sa
                </module-option>
                <module-option name = "userName">sa
                </module-option>
                <module-option name = "password">
                </module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS
                </module-option>
            </login-module>
        </authentication>
    </application-policy>
    <application-policy name = "JmsXARealm">
        <authentication>
            <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
                <module-option name = "principal">guest
                </module-option>
                <module-option name = "userName">guest
                </module-option>
                <module-option name = "password">guest
                </module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "jmx-console">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
                <module-option name="usersProperties">props/jmx-console-users.properties
                </module-option>
                <module-option name="rolesProperties">props/jmx-console-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "web-console">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
                <module-option name="usersProperties">web-console-users.properties
                </module-option>
                <module-option name="rolesProperties">web-console-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!--
      A template configuration for the JBossWS security domain.
      This defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name="JBossWS">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag="required">
                <module-option name="usersProperties">props/jbossws-users.properties
                </module-option>
                <module-option name="rolesProperties">props/jbossws-roles.properties
                </module-option>
                <module-option name="unauthenticatedIdentity">anonymous
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- The default login configuration used by any security domain that
    does not have a application-policy entry with a matching name
    -->
    <application-policy name = "other">
        <authentication>
            <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
        </authentication>
    </application-policy>


    <application-policy name = "my-web">
        <authentication>
            <login-module
                    code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag = "required">
                <module-option
                         name="usersProperties">
                         props/my-web-users.properties
                </module-option>
                <module-option
                         name="rolesProperties">
                         props/my-web-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>
--------------------

my-web-users.properties
---------
# A sample users.properties file for use with the UsersRolesLoginModule
admin=admin
tester=tester
--------------

my-web-roles.properties
--------------
# A sample roles.properties file for use with the UsersRolesLoginModule
admin=JBossAdmin,HttpInvoker
tester=WebAppUser
-------------------
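
The naming check ramazanyich suggests can be done mechanically across the five files. The script below is an added example, not part of the original posts: the function names are hypothetical, and the embedded samples are constructed, trimmed copies of the posted files with the DOCTYPE declarations omitted.

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the files posted above (DOCTYPEs omitted).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>WebAppUser</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>WebAppUser</role-name></security-role>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/my-web</security-domain></jboss-web>"
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="other"><authentication/></application-policy>
  <application-policy name="my-web"><authentication/></application-policy>
</policy>"""
USERS = "# users\nadmin=admin\ntester=tester\n"
ROLES = "# roles\nadmin=JBossAdmin,HttpInvoker\ntester=WebAppUser\n"

def parse_props(text):
    """Parse key=value lines of a .properties file, skipping comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check(web, jboss_web, login_cfg, users_txt, roles_txt):
    """Return a list of findings; an empty list means the names line up."""
    findings = []
    web_root = ET.fromstring(web)
    domain = ET.fromstring(jboss_web).findtext("security-domain", "").strip()
    policy = domain.rsplit("/", 1)[-1]  # java:/jaas/my-web -> my-web
    policies = {p.get("name") for p in ET.fromstring(login_cfg).iter("application-policy")}
    if policy not in policies:
        findings.append(f"domain '{policy}' has no application-policy; 'other' is used")
    users, roles = parse_props(users_txt), parse_props(roles_txt)
    granted = {r.strip() for v in roles.values() for r in v.split(",")}
    declared = {e.text.strip() for e in web_root.findall("security-role/role-name")}
    for e in web_root.findall("security-constraint/auth-constraint/role-name"):
        role = e.text.strip()
        if role not in declared:
            findings.append(f"role '{role}' missing <security-role> declaration")
        if role not in granted:
            findings.append(f"role '{role}' is granted to no user")
    findings += [f"user '{u}' has roles but no password entry" for u in roles if u not in users]
    findings += [f"user '{u}' uses the username as password" for u, p in users.items() if u == p]
    return findings

if __name__ == "__main__":
    print(check(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML, USERS, ROLES))
```

On the posted files the security domain, policy name and role names are consistent; the only findings are the two sample accounts whose password equals the username.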