  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 649
  • Last Modified:

Secure A Portlet Via Username/Password Authentication

Experts,
  I have a portlet that I successfully deployed and ran in JBoss.  Now I would like to add a simple security measure that requires users to provide a valid username/password before they can use the portlet.  I read and followed the instructions provided here:
http://www.jboss.org/community/docs/DOC-12185 and here
http://www.jboss.org/community/docs/DOC-10760, and yet whenever I deploy and access my portlet it comes right up - no login dialog box appears.

Is  this the best way to handle user authentication?  Do you have another recommendation on how I can achieve this?

Thanks,
jc
johnchan2000
Asked:
johnchan2000
1 Solution
 
ramazanyichCommented:
Could you provide the web.xml and jboss-web.xml from your WAR file, and the $JBOSS_HOME/server/<your-node>/conf/login-config.xml file?

Probably some naming errors inside those files.

 
johnchan2000Author Commented:
Thanks for the response.  Below are the contents for those files

web.xml
---
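<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
   "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
   "http://java.sun.com/dtd/web-app_2_3.dtd">
<!--
  Deployment descriptor for the portlet WAR. Every URL under this web
  application's context path requires an authenticated caller holding the
  WebAppUser role, and the container challenges with HTTP BASIC.

  NOTE(review): these constraints are evaluated only for requests addressed
  to this WAR's own context path. If the portlet is rendered through the
  portal's web application rather than requested from this WAR directly,
  the constraint below may never be triggered, which would match the
  "no login dialog" symptom. Confirm how the portal itself enforces access
  to the portlet before relying on this file alone.
-->
<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All resources</web-resource-name>
            <description>Protects all resources</description>
            <!-- No http-method is listed, so the constraint covers every HTTP method. -->
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>WebAppUser</role-name>
        </auth-constraint>
        <!--
          NOTE(review): no user-data-constraint is declared. BASIC credentials
          are only base64-encoded, so over plain HTTP they are readable on the
          wire. Once the server has an HTTPS connector, add
          <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
          at this position to require an encrypted transport.
        -->
    </security-constraint>
    <!--
      login-config is placed ahead of security-role: the web-app 2.3 DTD
      declared above fixes the child order as security-constraint,
      login-config, security-role, and a validating deployer rejects the
      reverse order.
    -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <!-- Realm text shown in the browser's credential prompt. -->
        <realm-name>Test Realm</realm-name>
    </login-config>
    <!-- Declares the role name used by the auth-constraint above. -->
    <security-role>
        <role-name>WebAppUser</role-name>
    </security-role>
</web-app>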
-------



jboss-web.xml (SEE LAST ENTRY OF THIS FILE)
----
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC
    "-//JBoss//DTD Web Application 2.3V2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
<!--
  Binds this WAR to a JAAS security domain. The segment after java:/jaas/
  (here: my-web) has to equal the name of an application-policy in the
  server's login-config.xml; per that file's own comment, a domain with no
  matching entry is served by the policy named "other" instead.
-->
<jboss-web>
    <security-domain>java:/jaas/my-web</security-domain>
</jboss-web>
------

login-config.xml
---------
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<!--
  Server-wide JAAS login configuration. Each application-policy defines one
  security domain by name together with the login module that authenticates
  callers for it. The last entry, my-web, is the domain the portlet WAR
  refers to as java:/jaas/my-web in its jboss-web.xml.
-->
<policy>
    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <application-policy name = "client-login">
        <authentication>
            <login-module code = "org.jboss.security.ClientLoginModule"
             flag = "required">
             <!-- Any existing security context will be restored on logout -->
                <module-option name="restore-login-identity">true
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ -->
    <application-policy name = "jbossmq">
        <authentication>
            <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
                <module-option name = "unauthenticatedIdentity">guest
                </module-option>
                <module-option name = "dsJndiName">java:/DefaultDS
                </module-option>
                <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?
                </module-option>
                <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- Security domains for testing new jca framework -->
    <!-- NOTE(review): this domain maps to user sa with an empty password
         value; confirm it is not reachable outside a test installation. -->
    <application-policy name = "HsqlDbRealm">
        <authentication>
            <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
                <module-option name = "principal">sa
                </module-option>
                <module-option name = "userName">sa
                </module-option>
                <module-option name = "password">
                </module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS
                </module-option>
            </login-module>
        </authentication>
    </application-policy>
    <!-- NOTE(review): fixed identity guest with password guest, stored in
         this file as cleartext. -->
    <application-policy name = "JmsXARealm">
        <authentication>
            <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
                <module-option name = "principal">guest
                </module-option>
                <module-option name = "userName">guest
                </module-option>
                <module-option name = "password">guest
                </module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "jmx-console">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
                <module-option name="usersProperties">props/jmx-console-users.properties
                </module-option>
                <module-option name="rolesProperties">props/jmx-console-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "web-console">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
                <module-option name="usersProperties">web-console-users.properties
                </module-option>
                <module-option name="rolesProperties">web-console-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!--
      A template configuration for the JBossWS security domain.
      This defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name="JBossWS">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag="required">
                <module-option name="usersProperties">props/jbossws-users.properties
                </module-option>
                <module-option name="rolesProperties">props/jbossws-roles.properties
                </module-option>
                <module-option name="unauthenticatedIdentity">anonymous
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- The default login configuration used by any security domain that
    does not have a application-policy entry with a matching name
    -->
    <application-policy name = "other">
        <authentication>
            <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
        </authentication>
    </application-policy>


    <!--
      Security domain for the portlet WAR; the name my-web is the one used in
      java:/jaas/my-web in jboss-web.xml. Users and passwords are read from
      props/my-web-users.properties and role assignments from
      props/my-web-roles.properties. As the template comments above say of
      the same login module, this is a starting point that should be replaced
      by a stronger mechanism where required.
      NOTE(review): both option values below sit on their own lines and so
      carry leading and trailing whitespace; the stock entries keep the value
      on the opening line. Presumably the server trims the value, but confirm,
      or move each path directly after the opening tag.
    -->
    <application-policy name = "my-web">
        <authentication>
            <login-module
                    code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag = "required">
                <module-option
                         name="usersProperties">
                         props/my-web-users.properties
                </module-option>
                <module-option
                         name="rolesProperties">
                         props/my-web-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>
--------------------

my-web-users.properties
---------
# A sample users.properties file for use with the UsersRolesLoginModule
# Format: username=password, one account per line.
# NOTE(review): both passwords are stored in cleartext and equal the username.
# Treat these as sample credentials only; replace them before any non-test
# use, restrict read access to this file, and consider the login module's
# hashAlgorithm option so that only password hashes are kept here.
admin=admin
tester=tester
--------------

my-web-roles.properties
--------------
# A sample roles.properties file for use with the UsersRolesLoginModule
# Format: username=role1,role2 (comma-separated role names).
# web.xml admits only the WebAppUser role, so of the two accounts only
# tester holds the role the application requires; admin is given JBossAdmin
# and HttpInvoker but not WebAppUser.
admin=JBossAdmin,HttpInvoker
tester=WebAppUser
-------------------