Solved

Secure A Portlet Via Username/Password Authentication

Posted on 2008-10-28
Last Modified: 2013-12-02
Experts,
  I have a portlet that I successfully got to deploy and run in JBoss.  Now I would like to add a simple security measure to require the users to provide a valid username/password before they can use the portlet.  I read and followed the instructions provided here:
http://www.jboss.org/community/docs/DOC-12185 and here
http://www.jboss.org/community/docs/DOC-10760 and yet whenever I deploy and access my portlet it came right up - there was no login dialog box that came up.

Is this the best way to handle user authentication?  Do you have another recommendation on how I can achieve this?

Thanks,
jc
Question by:johnchan2000
2 Comments

Accepted Solution

by:
ramazanyich earned 125 total points
ID: 22829250
Could you provide your web.xml and jboss-web.xml from your WAR file and $JBOSS_HOME/server/<your-node>/conf/login-config.xml files?

Probably some naming errors inside those files.

0

Author Comment

by:johnchan2000
ID: 22831374
Thanks for the response.  Below are the contents for those files

web.xml
---
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
   "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
   "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All resources</web-resource-name>
            <description>Protects all resources</description>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>WebAppUser</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>WebAppUser</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Test Realm</realm-name>
    </login-config>
</web-app>
-------



jboss-web.xml (SEE LAST ENTRY OF THIS FILE)
----
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE jboss-web
    PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
<jboss-web>
<security-domain>java:/jaas/my-web</security-domain>
</jboss-web>
------

login-config.xml
---------
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<policy>
    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <application-policy name = "client-login">
        <authentication>
            <login-module code = "org.jboss.security.ClientLoginModule"
             flag = "required">
             <!-- Any existing security context will be restored on logout -->
                <module-option name="restore-login-identity">true
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ -->
    <application-policy name = "jbossmq">
        <authentication>
            <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
                <module-option name = "unauthenticatedIdentity">guest
                </module-option>
                <module-option name = "dsJndiName">java:/DefaultDS
                </module-option>
                <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?
                </module-option>
                <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- Security domains for testing new jca framework -->
    <application-policy name = "HsqlDbRealm">
        <authentication>
            <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
                <module-option name = "principal">sa
                </module-option>
                <module-option name = "userName">sa
                </module-option>
                <module-option name = "password">
                </module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS
                </module-option>
            </login-module>
        </authentication>
    </application-policy>
    <application-policy name = "JmsXARealm">
        <authentication>
            <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
                <module-option name = "principal">guest
                </module-option>
                <module-option name = "userName">guest
                </module-option>
                <module-option name = "password">guest
                </module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "jmx-console">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
                <module-option name="usersProperties">props/jmx-console-users.properties
                </module-option>
                <module-option name="rolesProperties">props/jmx-console-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "web-console">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
                <module-option name="usersProperties">web-console-users.properties
                </module-option>
                <module-option name="rolesProperties">web-console-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!--
      A template configuration for the JBossWS security domain.
      This defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name="JBossWS">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag="required">
                <module-option name="usersProperties">props/jbossws-users.properties
                </module-option>
                <module-option name="rolesProperties">props/jbossws-roles.properties
                </module-option>
                <module-option name="unauthenticatedIdentity">anonymous
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- The default login configuration used by any security domain that
    does not have a application-policy entry with a matching name
    -->
    <application-policy name = "other">
        <authentication>
            <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
        </authentication>
    </application-policy>


    <application-policy name = "my-web">
        <authentication>
            <login-module
                    code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag = "required">
                <module-option
                         name="usersProperties">
                         props/my-web-users.properties
                </module-option>
                <module-option
                         name="rolesProperties">
                         props/my-web-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>
--------------------

my-web-users.properties
---------
# A sample users.properties file for use with the UsersRolesLoginModule
admin=admin
tester=tester
--------------

my-web-roles.properties
--------------
# A sample roles.properties file for use with the UsersRolesLoginModule
admin=JBossAdmin,HttpInvoker
tester=WebAppUser
-------------------
0
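
The accepted answer suspects naming errors across the posted files. As an added example (not code from the thread or from JBoss), this Python sketch cross-checks the names that have to agree: the role in web.xml, the security domain in jboss-web.xml, the application-policy in login-config.xml, and the roles granted in the roles properties file. The function name `check_wiring` is hypothetical and the embedded file contents are abridged, constructed copies of the ones above; it assumes DTD-style descriptors without XML namespaces.

```python
import xml.etree.ElementTree as ET

# Abridged, constructed copies of the files posted in the thread (DOCTYPEs and other policies dropped).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>WebAppUser</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>WebAppUser</role-name></security-role>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/my-web</security-domain></jboss-web>"
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="other"><authentication/></application-policy>
  <application-policy name="my-web"><authentication/></application-policy>
</policy>"""
ROLES_PROPS = "admin=JBossAdmin,HttpInvoker\ntester=WebAppUser\n"

def check_wiring(web_xml, jboss_web_xml, login_config_xml, roles_props):
    """Return a list of naming mismatches between the four files (empty if none)."""
    findings = []
    web = ET.fromstring(web_xml)
    required = {r.text.strip() for r in web.findall("./security-constraint/auth-constraint/role-name")}
    declared = {r.text.strip() for r in web.findall("./security-role/role-name")}
    if not required:
        findings.append("web.xml: no auth-constraint role, nothing is protected")
    for role in sorted(required - declared):
        findings.append(f"web.xml: role '{role}' has no <security-role> entry")

    domain = (ET.fromstring(jboss_web_xml).findtext("security-domain") or "").strip()
    name = domain.rsplit("/", 1)[-1]  # policy name is the last path segment
    policies = {p.get("name") for p in ET.fromstring(login_config_xml).iter("application-policy")}
    if not domain.startswith("java:/jaas/"):
        findings.append(f"jboss-web.xml: security-domain '{domain}' lacks the java:/jaas/ prefix")
    elif name not in policies:
        findings.append(f"login-config.xml: no application-policy '{name}', falls back to 'other'")

    granted = set()
    for line in roles_props.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            granted.update(r.strip() for r in line.split("=", 1)[1].split(","))
    for role in sorted(required - granted):
        findings.append(f"roles properties: no user is granted '{role}'")
    return findings

if __name__ == "__main__":
    print(check_wiring(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML, ROLES_PROPS) or "names line up")
```

An empty result means the names in the four files agree with each other, so the cause has to be looked for elsewhere, for example in how the portlet is deployed and accessed.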
Question has a verified solution.