Solved

Secure A Portlet Via Username/Password Authentication

Posted on 2008-10-28
Last Modified: 2013-12-02
Experts,
  I have a portlet that I successfully got to deploy and run in JBOSS.  Now I would like to add a simple security measure to require the users to provide a valid username/password before they can use the portlet.  I read and followed the instructions provided here:
http://www.jboss.org/community/docs/DOC-12185 and here
http://www.jboss.org/community/docs/DOC-10760 and yet whenever I deploy and access my portlet it came right up - there was no login dialog box that came up.

Is this the best way to handle user authentication?  Do you have another recommendation on how I can achieve this?

Thanks,
jc
Question by:johnchan2000
Accepted Solution

by:
ramazanyich earned 125 total points
ID: 22829250
Could you provide your web.xml and jboss-web.xml from your WAR file and the $JBOSS_HOME/server/<your-node>/conf/login-config.xml file?

Probably some naming errors inside those files.

Author Comment

by:johnchan2000
ID: 22831374
Thanks for the response.  Below are the contents of those files.

web.xml
---
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
   "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
   "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All resources</web-resource-name>
            <description>Protects all resources</description>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>WebAppUser</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>WebAppUser</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Test Realm</realm-name>
    </login-config>
</web-app>
-------



jboss-web.xml (SEE LAST ENTRY OF THIS FILE)
----
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE jboss-web
    PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
<jboss-web>
<security-domain>java:/jaas/my-web</security-domain>
</jboss-web>
------

login-config.xml
---------
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<policy>
    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <application-policy name = "client-login">
        <authentication>
            <login-module code = "org.jboss.security.ClientLoginModule"
             flag = "required">
             <!-- Any existing security context will be restored on logout -->
                <module-option name="restore-login-identity">true
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ -->
    <application-policy name = "jbossmq">
        <authentication>
            <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
                <module-option name = "unauthenticatedIdentity">guest
                </module-option>
                <module-option name = "dsJndiName">java:/DefaultDS
                </module-option>
                <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?
                </module-option>
                <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- Security domains for testing new jca framework -->
    <application-policy name = "HsqlDbRealm">
        <authentication>
            <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
                <module-option name = "principal">sa
                </module-option>
                <module-option name = "userName">sa
                </module-option>
                <module-option name = "password">
                </module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS
                </module-option>
            </login-module>
        </authentication>
    </application-policy>
    <application-policy name = "JmsXARealm">
        <authentication>
            <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
                <module-option name = "principal">guest
                </module-option>
                <module-option name = "userName">guest
                </module-option>
                <module-option name = "password">guest
                </module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "jmx-console">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
                <module-option name="usersProperties">props/jmx-console-users.properties
                </module-option>
                <module-option name="rolesProperties">props/jmx-console-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "web-console">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
                <module-option name="usersProperties">web-console-users.properties
                </module-option>
                <module-option name="rolesProperties">web-console-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!--
      A template configuration for the JBossWS security domain.
      This defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name="JBossWS">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag="required">
                <module-option name="usersProperties">props/jbossws-users.properties
                </module-option>
                <module-option name="rolesProperties">props/jbossws-roles.properties
                </module-option>
                <module-option name="unauthenticatedIdentity">anonymous
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- The default login configuration used by any security domain that
    does not have a application-policy entry with a matching name
    -->
    <application-policy name = "other">
        <authentication>
            <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
        </authentication>
    </application-policy>


    <application-policy name = "my-web">
        <authentication>
            <login-module
                    code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag = "required">
                <module-option
                         name="usersProperties">
                         props/my-web-users.properties
                </module-option>
                <module-option
                         name="rolesProperties">
                         props/my-web-roles.properties
                </module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>
--------------------

my-web-users.properties
---------
# A sample users.properties file for use with the UsersRolesLoginModule
admin=admin
tester=tester
--------------

my-web-roles.properties
--------------
# A sample roles.properties file for use with the UsersRolesLoginModule
admin=JBossAdmin,HttpInvoker
tester=WebAppUser
-------------------
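
Added example, not part of the original thread and not JBoss code: a small cross-file check for the kind of naming mismatch the accepted answer suspects, run on condensed copies of the posted files. The function names and the constructed `myweb` typo are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"

def parse_properties(text):
    """Parse users/roles .properties text into a dict, skipping comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_wiring(web_xml, jboss_web_xml, login_config_xml, users_txt, roles_txt):
    """Return naming mismatches across the five files (empty list = consistent).
    Assumes DTD-style descriptors without XML namespaces, as posted in the thread."""
    problems, web = [], ET.fromstring(web_xml)
    required = {(e.text or "").strip() for e in
                web.findall("security-constraint/auth-constraint/role-name")}
    declared = {(e.text or "").strip() for e in web.findall("security-role/role-name")}
    for role in sorted(required - declared):
        problems.append(f"role {role!r} is constrained but has no security-role entry")
    domain = (ET.fromstring(jboss_web_xml).findtext("security-domain") or "").strip()
    name = domain[len(JAAS_PREFIX):] if domain.startswith(JAAS_PREFIX) else domain
    policies = {p.get("name") for p in
                ET.fromstring(login_config_xml).findall("application-policy")}
    if name not in policies:  # per the posted login-config.xml comment, 'other' is then used
        problems.append(f"no application-policy named {name!r}; 'other' would apply")
    users, roles = parse_properties(users_txt), parse_properties(roles_txt)
    granted = {r.strip() for u, v in roles.items() if u in users for r in v.split(",")}
    for user in sorted(set(roles) - set(users)):
        problems.append(f"roles file maps unknown user {user!r}")
    for role in sorted(required - granted):
        problems.append(f"no user is granted required role {role!r}")
    return problems

# Condensed copies of the posted files (DOCTYPEs and unrelated policies dropped).
WEB_XML = """<web-app>
  <security-constraint>
    <auth-constraint><role-name>WebAppUser</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>WebAppUser</role-name></security-role>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/my-web</security-domain></jboss-web>"
LOGIN_CONFIG_XML = ('<policy><application-policy name="other"/>'
                    '<application-policy name="my-web"/></policy>')
USERS = "# sample users\nadmin=admin\ntester=tester"
ROLES = "admin=JBossAdmin,HttpInvoker\ntester=WebAppUser"

if __name__ == "__main__":
    print(check_wiring(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML, USERS, ROLES))
    # Constructed mismatch: a domain name that no application-policy carries.
    typo = JBOSS_WEB_XML.replace("my-web", "myweb")
    print(check_wiring(WEB_XML, typo, LOGIN_CONFIG_XML, USERS, ROLES))
```

An empty list only means the names line up across the files; it does not show that the container actually enforces the constraint for the portlet.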