Solved

Secure A Portlet Via Username/Password Authentication

Posted on 2008-10-28
2
625 Views
Last Modified: 2013-12-02
Experts,
  I have a portlet that I successfully got it to deploy and run in JBOSS.  Now I would like to add a simple security measure to require the users to provide a valid username/password before they can use the portlet.  I read and followed the instructions provided at here:
http://www.jboss.org/community/docs/DOC-12185 and here
http://www.jboss.org/community/docs/DOC-10760 and yet whenever I deploy and access my portlet it came right up - there were no login dialog box that came up.

Is  this the best way to handle user authentication?  Do you have another recommendation on how I can achieve this?

Thanks,
jc
0
Comment
Question by:johnchan2000
2 Comments
 
LVL 19

Accepted Solution

by:
ramazanyich earned 125 total points
ID: 22829250
could you provide your web.xml and jboss-web.xml  from you WAR file and $JBOSS_HOME/server/<your-node>/conf/login-config.xml files ?

Probably some naming errors inside those files.

0
 
LVL 1

Author Comment

by:johnchan2000
ID: 22831374
Thanks for the response.  Below are the contents for those files

web.xml
---
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
   "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
   "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All resources</web-resource-name>
            <description>Protects all resources</description>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>WebAppUser</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>WebAppUser</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Test Realm</realm-name>
    </login-config>
</web-app>
-------



jboss-web.xml (SEE LAST ENTRY OF THIS FILE)
----
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE jboss-web
    PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
<jboss-web>
<security-domain>java:/jaas/my-web</security-domain>
</jboss-web>
------

login-config.xml
---------
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<policy>
    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <application-policy name = "client-login">
        <authentication>
            <login-module code = "org.jboss.security.ClientLoginModule"
             flag = "required">
             <!-- Any existing security context will be restored on logout -->
                <module-option name="restore-login-identity">true
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ -->
    <application-policy name = "jbossmq">
        <authentication>
            <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
                <module-option name = "unauthenticatedIdentity">guest
                </module-option>
                <module-option name = "dsJndiName">java:/DefaultDS
                </module-option>
                <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?
                </module-option>
                <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- Security domains for testing new jca framework -->
    <application-policy name = "HsqlDbRealm">
        <authentication>
            <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
                <module-option name = "principal">sa
                </module-option>
                <module-option name = "userName">sa
                </module-option>
                <module-option name = "password">
                </module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS
                </module-option>
            </login-module>
        </authentication>
    </application-policy>
    <application-policy name = "JmsXARealm">
        <authentication>
            <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
                <module-option name = "principal">guest
                </module-option>
                <module-option name = "userName">guest
                </module-option>
                <module-option name = "password">guest
                </module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "jmx-console">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
                <module-option name="usersProperties">props/jmx-console-users.properties
                </module-option>
                <module-option name="rolesProperties">props/jmx-console-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "web-console">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
                <module-option name="usersProperties">web-console-users.properties
                </module-option>
                <module-option name="rolesProperties">web-console-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!--
      A template configuration for the JBossWS security domain.
      This defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name="JBossWS">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag="required">
                <module-option name="usersProperties">props/jbossws-users.properties
                </module-option>
                <module-option name="rolesProperties">props/jbossws-roles.properties
                </module-option>
                <module-option name="unauthenticatedIdentity">anonymous
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- The default login configuration used by any security domain that
    does not have a application-policy entry with a matching name
    -->
    <application-policy name = "other">
        <authentication>
            <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
        </authentication>
    </application-policy>


    <application-policy name = "my-web">
        <authentication>
            <login-module
                    code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag = "required">
                <module-option
                         name="usersProperties">
                         props/my-web-users.properties
                </module-option>
                <module-option
                         name="rolesProperties">
                         props/my-web-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>
--------------------

my-web-users.properties
---------
# A sample users.properties file for use with the UsersRolesLoginModule
admin=admin
tester=tester
--------------

my-web-roles.properties
--------------
# A sample roles.properties file for use with the UsersRolesLoginModule
admin=JBossAdmin,HttpInvoker
tester=WebAppUser
-------------------
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Foreword (May 2015) This web page has appeared at Google.  It's definitely worth considering! https://www.google.com/about/careers/students/guide-to-technical-development.html How to Know You are Making a Difference at EE In August, 2013, one …
Using Quotation Marks in PHP This question (http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28217211.html) seems to come up a lot for developers who are new to PHP.  And it got me thinking, "How can we explain the rule…
This video teaches users how to migrate an existing Wordpress website to a new domain.
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to selectively show certain fields based on user input using rules to gather relevant information and data from your forms. The rules feature provides you with an opportunity…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now