users@glassfish.java.net

Re: JdbcAuthModule

From: Edson Carlos Ericksson Richter <edson.richter_at_mgrinformatica.com.br>
Date: Wed, 07 Jun 2006 16:02:02 -0300

I think you are on the way. As said in the article, you must:

1) Configure the server - you have done it, as your log messages say.
2) Configure your web.xml - I think it is right to put /protected/*
3) Still in web.xml you must put <realm-name>jdbcRealmAddOn</realm-name>
(the name of the realm you created on the server)
4) In sun-web.xml, you must map every realm in web.xml to groups.

Here are some pieces from the xml of one of the projects I'm working on:

web.xml:

<security-constraint>
  <display-name>Admin constraints</display-name>
  <web-resource-collection>
    <web-resource-name>AdminSecurity</web-resource-name>
    <description/>
    <url-pattern>/secure/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>HEAD</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description/>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method> <!-- you can use BASIC here -->
  <realm-name>CombineITRealm</realm-name>
  <form-login-config> <!-- if you use the BASIC auth method, there is no need for form-login-config -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description/>
  <role-name>admin</role-name>
</security-role>


And sun-web.xml:

 <security-role-mapping>
   <role-name>admin</role-name>
   <group-name>admin</group-name>
 </security-role-mapping>


That's all. Everything should run fine, then.


Best regards,

Richter


PS: when sending mails, send to the list; no need to add me in CC,
because I receive 2 mails every time...
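As an added check (example code written for this page, not from the original thread or from the GlassFish project), the script below parses a web.xml / sun-web.xml pair and reports the misconfigurations this thread turns on: an exact-match url-pattern such as "/secure/" instead of "/secure/*", a role used in an auth-constraint that has no security-role-mapping in sun-web.xml (the 403-after-successful-login Dennis describes), a web-resource-collection that enumerates http-methods (per the Servlet spec, a verb not listed is left unconstrained), and FORM or BASIC login over transport-guarantee NONE. The sample descriptors are constructed from the fragments posted above with those mistakes re-introduced; the finding codes, the function names and the namespace-stripping helper are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the posted web.xml fragment with the exact-match
# url-pattern and the http-method list left in, and NONE as the transport
# guarantee.  Not a file from the original posts.
WEB_XML_BROKEN = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <display-name>Admin constraints</display-name>
    <web-resource-collection>
      <web-resource-name>AdminSecurity</web-resource-name>
      <url-pattern>/secure/</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>CombineITRealm</realm-name>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

# Constructed: the same descriptor with each finding corrected.
WEB_XML_FIXED = """<web-app>
  <security-constraint>
    <display-name>Admin constraints</display-name>
    <web-resource-collection>
      <web-resource-name>AdminSecurity</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method><realm-name>CombineITRealm</realm-name></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

SUN_WEB_XML_EMPTY = "<sun-web-app/>"          # no mapping at all, as in Dennis's first test
SUN_WEB_XML_MAPPED = """<sun-web-app>
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>admin</group-name>
  </security-role-mapping>
</sun-web-app>"""


def _parse(xml_text):
    """Parse and strip XML namespaces so tag lookups also work on real descriptors."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def audit(web_xml, sun_web_xml):
    """Return a list of (code, message) findings for a web.xml / sun-web.xml pair."""
    web, sun = _parse(web_xml), _parse(sun_web_xml)
    findings = []
    declared = {(r.findtext("role-name") or "").strip() for r in web.findall("security-role")}
    mapped = {(m.findtext("role-name") or "").strip() for m in sun.findall("security-role-mapping")}
    auth_method = (web.findtext("login-config/auth-method") or "").strip().upper()

    for sc in web.findall("security-constraint"):
        name = (sc.findtext("display-name") or "unnamed constraint").strip()
        for wrc in sc.findall("web-resource-collection"):
            for pat in wrc.findall("url-pattern"):
                p = (pat.text or "").strip()
                # "/dir/" is an exact match for that one path; "/dir/*" covers the directory
                if p.endswith("/") and p != "/":
                    findings.append(("EXACT_PATTERN", f"{name}: '{p}' is an exact match; use '{p}*'"))
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            if methods:  # listing verbs constrains only those verbs
                findings.append(("METHOD_LIST", f"{name}: only {','.join(methods)} are constrained; omit <http-method> to cover every verb"))
        for rn in sc.findall("auth-constraint/role-name"):
            role = (rn.text or "").strip()
            if role == "*":
                continue
            if role not in declared:
                findings.append(("UNDECLARED_ROLE", f"{name}: role '{role}' has no <security-role>"))
            if role not in mapped:
                findings.append(("UNMAPPED_ROLE", f"{name}: role '{role}' has no <security-role-mapping> in sun-web.xml (403 after a successful login)"))
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip().upper()
        if guarantee == "NONE" and auth_method in ("FORM", "BASIC"):
            findings.append(("CLEARTEXT_LOGIN", f"{name}: {auth_method} credentials over transport-guarantee NONE; use CONFIDENTIAL"))
    return findings


def codes(web_xml, sun_web_xml):
    """Sorted set of finding codes, convenient for scripting and tests."""
    return sorted({code for code, _ in audit(web_xml, sun_web_xml)})


if __name__ == "__main__":
    for code, msg in audit(WEB_XML_BROKEN, SUN_WEB_XML_EMPTY):
        print(f"{code:16} {msg}")
    print("fixed pair:", audit(WEB_XML_FIXED, SUN_WEB_XML_MAPPED) or "no findings")
```

The UNMAPPED_ROLE finding is the one that explains Dennis's symptom: the realm's roles query can return "admin" for the user, but the container grants access on the application's role, and without a mapping from that role to the realm group nobody holds it. GlassFish can also be told to treat every role as mapped to a same-named group (the security-service option activate-default-principal-to-role-mapping in domain.xml), so the same deployment descriptors can pass on one server and 403 on another.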


Dennis Gesker wrote:
> Richter:
>
> I think I'm getting close. I thought that the jdbcRealm was going to map
> the security-roles for me but this doesn't seem to be happening.
>
> To check I tried the following as a test.
>
> realm in sun-application.xml to 'jdbcRealmAddOn' <-authentication seems
> to be working
> Changed my url to /index.jsp
> Got a 403
>
> Created 'protected' directory and put a new index.jsp in protected
> directory.
> Changed my url to /protected/*
> Still got a 403
>
> Changed url back to /index.jsp
> changed realm in sun-application.xml to 'file'
> added security-role-mapping to sun-application.xml
> added user/password to 'file' realm
> application worked as expected (directed to auth page, authenticated,
> proceed to index.jsp)
>
> changed realm in sun-application.xml to 'jdbcRealmAddOn' <- the one
> we've been trouble shooting
> removed security-role-mapping from sun-application.xml
> got 403
>
> added security-role mapping to sun-application.xml
> application worked as expected (directed to auth page, authenticated,
> directed to index.jsp)
>
> Should the security-mapping be done by the jdbcRealm roles query? Is
> there something else that I need to configure?
>
> Dennis
>
> Edson Carlos Ericksson Richter wrote:
>
>> Good! You got authentication working. By the messages, there is
>> nothing wrong with your database, nor with your glassfish.
>>
>> So how is your web.xml, specifically the url-pattern?
>>
>> To get it working, you must map the url as "/myprotectedfolder/*", so you
>> protect the folder and index.jsp... and everything else below this folder.
>> I made the mistake of putting "/myprotectedfolder/" as the url pattern, and
>> got the same error (403) you showed...
>>
>> Richter
>>
>>
>> Dennis Gesker wrote:
>>
>>> I still seem to be stuck.
>>>
>>> I changed the field names and types to usrname varchar(10) and passwd
>>> varchar(10)
>>> changed userTable="dbo"."auth"
>>> changed userRoleTable="dbo"."authrole"
>>>
>>> In my logs I can see:
>>>
>>> Asked authenticate gesker password will not be shown!|#]
>>> (JdbcRealm)User gesker valid: true|#]
>>> Asked roles for gesker|#]
>>> JdbcRealm roles query returned employee for gesker|#]
>>> JdbcRealm roles query returned supervisor for gesker|#]
>>> JdbcRealm roles query returned manager for gesker|#]
>>> JdbcRealm roles query returned admin for gesker|#]
>>> JdbcRealm roles query returned quality for gesker|#]
>>> JdbcRealm roles query returned sysadmin for gesker|#]
>>>
>>> Which I take as a good sign. But I get an HTTP Status 403 - Access to
>>> the requested resource has been denied.
>>>
>>> In my test project I only have one file, index.jsp. This file is the
>>> only file in the web resource collection of my constraint, which is
>>> enabled for the 'employee' role name.
>>>
>>> Dennis
>>>
>>>
>>>
>>>
>>>
>>> Edson Carlos Ericksson Richter wrote:
>>>
>>>
>>>> Hi! This message (JdbcRealm)User gesker valid: false is an indication
>>>> that this user could not be found in the database using the query
>>>> "select count(*) from auth where username = ? and password = ?"
>>>>
>>>> First of all, have you tried executing this query standalone?
>>>>
>>>> You are using char(10). AFAIK, char(10) is fixed size, so your
>>>> username would be "gesker " and your password would be
>>>> "password ". What if you change to "varchar(10)"?
>>>>
>>>> Some databases consider "username" and "password" as reserved words
>>>> (check your docs, I really don't know about MySql). So, I'd suggest
>>>> changing the names of these columns to "usrname" and "passwd" (normally,
>>>> simple identifiers that will not show any problems).
>>>>
>>>> Could you connect through NetBeans Database Explorer and execute these
>>>> queries? It may be a permission problem too (you must grant select on these
>>>> tables).
>>>>
>>>> Finally... Have you tried to authenticate using Tomcat?
>>>>
>>>> Best regards,
>>>>
>>>> Richter
>>>>
>>>> Dennis Gesker wrote:
>>>>
>>>>
>>>>> I was attempting to implement a jdbcRealm as described at:
>>>>>
>>>>> http://jroller.com/page/brviking?entry=glassfish_for_tomcat_users_jdbc
>>>>>
>>>>>
>>>>> However, I seem to have run into some trouble as I cannot get this
>>>>> module to work, and I'm wondering if there is something special
>>>>> required with regard to the setup of the database tables (sql below).
>>>>> I was surprised to see a stack trace as opposed to just a 'login failed'
>>>>> message:
>>>>>
>>>>>
>>>>> (JdbcRealm)User gesker valid: false|#]
>>>>>
>>>>> com.sun.enterprise.security.LoginException: (JdbcLoginModule) Login failed!
>>>>> at org.nbcommunity.glassfish.jdbcAuthModule.JdbcLoginModule.authenticate(JdbcLoginModule.java:61)
>>>>> at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:77)
>>>>> at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:171)
>>>>> at sun.reflect.GeneratedMethodAccessor78.invoke(Unknown Source)
>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>> at java.lang.reflect.Method.invoke(Method.java:585)
>>>>> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
>>>>> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>>>>> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>>>>> at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>>>>> at com.sun.enterprise.security.auth.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:283)
>>>>> at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:158)
>>>>> at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:111)
>>>>> at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:419)
>>>>> at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:359)
>>>>> at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:238)
>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:534)
>>>>> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:557)
>>>>> at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:73)
>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:182)
>>>>> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
>>>>> at com.sun.enterprise.web.VirtualServerPipeline.invoke(VirtualServerPipeline.java:120)
>>>>> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:137)
>>>>> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
>>>>> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:536)
>>>>> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
>>>>> at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:231)
>>>>> at com.sun.enterprise.web.connector.grizzly.ProcessorTask.invokeAdapter(ProcessorTask.java:667)
>>>>> at com.sun.enterprise.web.connector.grizzly.ProcessorTask.processNonBlocked(ProcessorTask.java:574)
>>>>> at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:844)
>>>>> at com.sun.enterprise.web.connector.grizzly.ReadTask.executeProcessorTask(ReadTask.java:287)
>>>>> at com.sun.enterprise.web.connector.grizzly.ReadTask.doTask(ReadTask.java:212)
>>>>> at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:252)
>>>>> at com.sun.enterprise.web.connector.grizzly.WorkerThread.run(WorkerThread.java:75)
>>>>> |#]
>>>>> JAAS authentication aborted.
>>>>> SEC5046: Audit: Authentication refused for [gesker].
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On startup of the server I see in the logs:
>>>>>
>>>>>
>>>>> JdbcRealm initialization successfull, debug on! JdbcRealm will execute queries against jdbc/operations|#]
>>>>> JdbcRealm will login with select count(*) from auth where username = ? and password = ?|#]
>>>>> JdbcRealm will get roles with select role from authrole where username = ?|#]
>>>>> JdbcRealm will get all roles with select distinct role from authrole|#]
>>>>> [snip]
>>>>> Logging in user [gesker] into realm: jdbcRealmAddOn using JAAS module: jdbcRealm
>>>>> Login module initialized: class org.nbcommunity.glassfish.jdbcAuthModule.JdbcLoginModule
>>>>>
>>>>>
>>>>>
>>>>> Which leads me to believe that I have most of the configuration
>>>>> options correct. My sql to set up my database tables is pretty
>>>>> straightforward as well:
>>>>>
>>>>> create table auth(
>>>>> id int NOT NULL IDENTITY PRIMARY KEY,
>>>>> username char(10) NOT NULL UNIQUE,
>>>>> password char(10) NOT NULL
>>>>> )
>>>>>
>>>>> create table authrole(
>>>>> id int NOT NULL IDENTITY PRIMARY KEY,
>>>>> username char(10) NOT NULL REFERENCES auth(username) ON UPDATE
>>>>> CASCADE ON DELETE CASCADE,
>>>>> role char(10) NOT NULL,
>>>>> rolecode char(10)
>>>>> )
>>>>>
>>>>> insert into auth(username, password) values ('gesker','password')
>>>>> insert into authrole (username, role) values ('gesker','employee')
>>>>> insert into authrole (username, role) values ('gesker','supervisor')
>>>>> insert into authrole (username, role) values ('gesker','manager')
>>>>> insert into authrole (username, role) values ('gesker','admin')
>>>>> insert into authrole (username, role) values ('gesker','quality')
>>>>> insert into authrole (username, role) values ('gesker','sysadmin')
>>>>>
>>>>>
>>>>>
>>>>> Could someone offer a hint?
>>>>>
>>>>> Dennis
>>>>>
>>>>>
>>>>>
>>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>
>>>>
>>>
>>>
>>
>
>