users@glassfish.java.net

Re: JdbcAuthModule

From: Dennis Gesker <gesker_at_alamon.com>
Date: Wed, 07 Jun 2006 16:37:27 -0600

Richter:

Adding

<security-role-mapping>
  <role-name>employee</role-name>
  <group-name>employee</group-name>
</security-role-mapping>

to my sun-application.xml file did the trick! Thanks so much for all
your help.

I understand that a jdbcRealm will be released at some point with
Glassfish, and I see that your classes have nbcommunity in them. Does
this mean that your jdbcRealm will merge with the one that will be
included in Glassfish?

Dennis



Edson Carlos Ericksson Richter wrote:
> I think you are on the way. As said in the article, you must:
>
> 1) Configure the server - you have done it, as your log messages say.
> 2) Configure your web.xml - I think it is right to put /protected/*
> 3) Still in web.xml you must put
> <realm-name>jdbcRealmAddOn</realm-name> (the name of the realm you
> created on the server)
> 4) In sun-web.xml, you must map every realm in web.xml to groups.
>
> Here are some pieces from the XML of one of the projects I'm working on:
>
> web.xml:
>
> <security-constraint>
>   <display-name>Admin constraints</display-name>
>   <web-resource-collection>
>     <web-resource-name>AdminSecurity</web-resource-name>
>     <description/>
>     <url-pattern>/secure/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>HEAD</http-method>
>     <http-method>PUT</http-method>
>     <http-method>OPTIONS</http-method>
>     <http-method>TRACE</http-method>
>     <http-method>DELETE</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description/>
>     <role-name>admin</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <description/>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method><!-- you can use 'basic' here -->
>   <realm-name>CombineITRealm</realm-name>
>   <form-login-config> <!-- if you use BASIC auth method, then no need
>                            for form-login-config -->
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/loginError.jsp</form-error-page>
>   </form-login-config>
> </login-config>
> <security-role>
>   <description/>
>   <role-name>admin</role-name>
> </security-role>
>
>
> And sun-web.xml:
>
> <security-role-mapping>
> <role-name>admin</role-name>
> <group-name>admin</group-name>
> </security-role-mapping>
>
>
> That's all. Everything should run fine, then.
>
>
> Best regards,
>
> Richter
>
>
> PS: when sending mails, send to the list; no need to add me in CC,
> because I receive 2 mails every time...
>
>
> Dennis Gesker escreveu:
>> Richter:
>>
>> I think I'm getting close. I thought that the jdbcRealm was going to map
>> the security-roles for me but this doesn't seem to be happening.
>>
>> To check I tried the following as a test.
>>
>> realm in sun-application.xml to 'jdbcRealmAddOn' <-authentication seems
>> to be working
>> Changed my url to /index.jsp
>> Got a 403
>>
>> Created 'protected' directory and put a new index.jsp in protected
>> directory.
>> Changed my url to /protected/*
>> Still got a 403
>>
>> Changed url back to /index.jsp
>> changed realm in sun-application.xml to 'file'
>> added security-role-mapping to sun-application.xml
>> added user/password to 'file' realm
>> application worked as expected (directed to auth page, authenticated,
>> proceed to index.jsp)
>>
>> changed realm in sun-application.xml to 'jdbcRealmAddOn' <- the one
>> we've been trouble shooting
>> removed security-role-mapping from sun-application.xml
>> got 403
>>
>> added security-role mapping to sun-application.xml
>> application worked as expected (directed to auth page, authenticated,
>> directed to index.jsp)
>>
>> Should the security-mapping be done by the jdbcRealm roles query? Is
>> there something else that I need to configure?
>>
>> Dennis
>>
>> Edson Carlos Ericksson Richter wrote:
>>
>>> Good! You got authentication working. By the messages, there is
>>> nothing wrong with your database, nor with your glassfish.
>>>
>>> So how is your web.xml, specifically the url-pattern?
>>>
>>> To get it working, you must map the url as "/myprotectedfolder/*", so you
>>> protect the folder and index.jsp... and everything else below this folder.
>>> I made the mistake of putting "/myprotectedfolder/" as the url pattern, and
>>> got the same error (403) you showed...
>>>
>>> Richter
>>>
>>>
>>> Dennis Gesker escreveu:
>>>
>>>> I still seem to be stuck.
>>>>
>>>> I changed the field names and types to usrname varchar(10) and passwd
>>>> varchar(10)
>>>> changed userTable="dbo"."auth"
>>>> changed userRoleTable="dbo"."authrole"
>>>>
>>>> In my logs I can see:
>>>>
>>>> Asked authenticate gesker password will not be shown!|#]
>>>> (JdbcRealm)User gesker valid: true|#]
>>>> Asked roles for gesker|#]
>>>> JdbcRealm roles query returned employee for gesker|#]
>>>> JdbcRealm roles query returned supervisor for gesker|#]
>>>> JdbcRealm roles query returned manager for gesker|#]
>>>> JdbcRealm roles query returned admin for gesker|#]
>>>> JdbcRealm roles query returned quality for gesker|#]
>>>> JdbcRealm roles query returned sysadmin for gesker|#]
>>>>
>>>> Which I take as a good sign. But, I get an HTTP Status 403 - Access to
>>>> the requested resource has been denied.
>>>>
>>>> In my test project I only have one file, index.jsp. This file is the
>>>> only file in the web resource collection of my constraint, which is
>>>> enabled for the 'employee' role name.
>>>>
>>>> Dennis
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Edson Carlos Ericksson Richter wrote:
>>>>
>>>>
>>>>> Hi! This message (JdbcRealm)User gesker valid: false is an indication
>>>>> that this user could not be found in the database using the query
>>>>> "select count(*) from auth where username = ? and password = ?"
>>>>>
>>>>> First of all, have you tried to execute this query standalone?
>>>>>
>>>>> You are using char(10). AFAIK, char(10) is fixed size, so your
>>>>> username would be "gesker    " and your password would be
>>>>> "password  ". What if you change to "varchar(10)"?
>>>>>
>>>>> Some databases consider "username" and "password" as reserved words
>>>>> (check your docs, I really don't know about MySql). So, I suggest
>>>>> changing the names of these columns to "usrname" and "passwd" (normally,
>>>>> simple identifiers that will not show any problems).
>>>>>
>>>>> Could you connect through the NetBeans Database Explorer and execute these
>>>>> queries? It may be a permission problem too (you must grant select on these
>>>>> tables).
>>>>>
>>>>> Finally... Have you tried to authenticate using Tomcat?
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Richter
>>>>>
>>>>> Dennis Gesker escreveu:
>>>>>
>>>>>> I was attempting to implement a jdbcRealm as described at:
>>>>>>
>>>>>> http://jroller.com/page/brviking?entry=glassfish_for_tomcat_users_jdbc
>>>>>>
>>>>>> However, I seem to have run into some trouble as I can't get this
>>>>>> module to work, and I'm wondering if there is something special
>>>>>> required with regard to the setup of the database tables (sql
>>>>>> below). I was surprised to see a stack trace as opposed to just a
>>>>>> 'login failed' message:
>>>>>>
>>>>>>
>>>>>> (JdbcRealm)User gesker valid: false|#]
>>>>>>
>>>>>> com.sun.enterprise.security.LoginException: (JdbcLoginModule) Login failed!
>>>>>> at org.nbcommunity.glassfish.jdbcAuthModule.JdbcLoginModule.authenticate(JdbcLoginModule.java:61)
>>>>>> at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:77)
>>>>>> at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:171)
>>>>>> at sun.reflect.GeneratedMethodAccessor78.invoke(Unknown Source)
>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>> at java.lang.reflect.Method.invoke(Method.java:585)
>>>>>> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
>>>>>> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>>>>>> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>>>>>> at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>>>>>> at com.sun.enterprise.security.auth.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:283)
>>>>>> at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:158)
>>>>>> at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:111)
>>>>>> at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:419)
>>>>>> at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:359)
>>>>>> at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:238)
>>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:534)
>>>>>> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:557)
>>>>>> at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:73)
>>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:182)
>>>>>> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
>>>>>> at com.sun.enterprise.web.VirtualServerPipeline.invoke(VirtualServerPipeline.java:120)
>>>>>> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
>>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:137)
>>>>>> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
>>>>>> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:536)
>>>>>> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
>>>>>> at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:231)
>>>>>> at com.sun.enterprise.web.connector.grizzly.ProcessorTask.invokeAdapter(ProcessorTask.java:667)
>>>>>> at com.sun.enterprise.web.connector.grizzly.ProcessorTask.processNonBlocked(ProcessorTask.java:574)
>>>>>> at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:844)
>>>>>> at com.sun.enterprise.web.connector.grizzly.ReadTask.executeProcessorTask(ReadTask.java:287)
>>>>>> at com.sun.enterprise.web.connector.grizzly.ReadTask.doTask(ReadTask.java:212)
>>>>>> at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:252)
>>>>>> at com.sun.enterprise.web.connector.grizzly.WorkerThread.run(WorkerThread.java:75)
>>>>>> |#]
>>>>>> JAAS authentication aborted.
>>>>>> SEC5046: Audit: Authentication refused for [gesker].
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On startup of the server I see in the logs:
>>>>>>
>>>>>>
>>>>>> JdbcRealm initialization successfull, debug on! JdbcRealm will execute queries against jdbc/operations|#]
>>>>>> JdbcRealm will login with select count(*) from auth where username = ? and password = ?|#]
>>>>>> JdbcRealm will get roles with select role from authrole where username = ?|#]
>>>>>> JdbcRealm will get all roles with select distinct role from authrole|#]
>>>>>> [snip]
>>>>>> Logging in user [gesker] into realm: jdbcRealmAddOn using JAAS
>>>>>> module: jdbcRealm
>>>>>> Login module initialized: class
>>>>>> org.nbcommunity.glassfish.jdbcAuthModule.JdbcLoginModule
>>>>>>
>>>>>>
>>>>>>
>>>>>> Which leads me to believe that I have most of the configuration
>>>>>> options correct. My sql to setup my database tables is pretty
>>>>>> straight forward as well:
>>>>>>
>>>>>> create table auth(
>>>>>> id int NOT NULL IDENTITY PRIMARY KEY,
>>>>>> username char(10) NOT NULL UNIQUE,
>>>>>> password char(10) NOT NULL
>>>>>> )
>>>>>>
>>>>>> create table authrole(
>>>>>> id int NOT NULL IDENTITY PRIMARY KEY,
>>>>>> username char(10) NOT NULL REFERENCES auth(username) ON UPDATE
>>>>>> CASCADE ON DELETE CASCADE,
>>>>>> role char(10) NOT NULL,
>>>>>> rolecode char(10)
>>>>>> )
>>>>>>
>>>>>> insert into auth(username, password) values ('gesker','password')
>>>>>> insert into authrole (username, role) values ('gesker','employee')
>>>>>> insert into authrole (username, role) values ('gesker','supervisor')
>>>>>> insert into authrole (username, role) values ('gesker','manager')
>>>>>> insert into authrole (username, role) values ('gesker','admin')
>>>>>> insert into authrole (username, role) values ('gesker','quality')
>>>>>> insert into authrole (username, role) values ('gesker','sysadmin')
>>>>>>
>>>>>>
>>>>>>
>>>>>> Could someone offer a hint?
>>>>>>
>>>>>> Dennis
>>>>>>
>>>>>>
>>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>>
>>>>
>>>
>>
>>
>

-- 
Dennis R. Gesker
email: dennis_at_alamon.com
gpg key: 0xEFA10A51
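The thread's resolution comes down to one distinction: the realm authenticates and returns group names (the "roles query returned employee for gesker" log lines), while the web.xml <auth-constraint> names roles, and nothing joins the two until sun-web.xml / sun-application.xml supplies a <security-role-mapping>. The model below is an added example written for this page; it is not GlassFish code, not the nbcommunity JdbcRealm add-on, and all table contents, role mappings and url-patterns in it are constructed. It replays the thread's sequence (authentication succeeds, 403 without the mapping, 200 with it) and also applies the Servlet url-pattern rules, which is why "/protected/" and "/protected/*" behave differently. One deliberate departure from the thread's schema, noted in the code: it stores a salted hash and verifies in code rather than comparing a plaintext password inside the SQL `count(*)` query.

```python
"""Model of the two checks a servlet container applies to a protected URL.

Added illustration for the thread above; it is not GlassFish code and not
the nbcommunity JdbcRealm add-on.  It shows why authentication can succeed
(the realm log says "valid: true" and lists groups) while the request still
ends in 403: the <auth-constraint> names a *role*, the realm returns
*groups*, and only <security-role-mapping> joins the two.
"""
import hashlib
import hmac
import os
import sqlite3


def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 verifier.  Assumption: unlike the thread's add-on, which
    compares the plaintext inside 'select count(*) ... and password = ?',
    this model never puts the password into SQL."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed sample tables mirroring the thread's auth/authrole,
    using varchar so no trailing-blank padding is introduced."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table auth(
            id integer primary key,
            usrname varchar(10) not null unique,
            salt blob not null,
            passwd blob not null);
        create table authrole(
            id integer primary key,
            usrname varchar(10) not null references auth(usrname),
            role varchar(10) not null);
    """)
    salt = os.urandom(16)
    db.execute("insert into auth(usrname, salt, passwd) values (?, ?, ?)",
               ("gesker", salt, pw_hash("password", salt)))
    db.executemany("insert into authrole(usrname, role) values (?, ?)",
                   [("gesker", g) for g in ("employee", "supervisor", "manager")])
    return db


class JdbcRealm:
    """Toy realm: authenticates against auth, returns group names from authrole."""

    def __init__(self, db: sqlite3.Connection) -> None:
        self.db = db

    def authenticate(self, user: str, password: str) -> bool:
        row = self.db.execute(
            "select salt, passwd from auth where usrname = ?", (user,)).fetchone()
        if row is None:
            return False  # unknown user: same answer as a wrong password
        return hmac.compare_digest(pw_hash(password, row[0]), row[1])

    def groups(self, user: str) -> set:
        rows = self.db.execute(
            "select role from authrole where usrname = ?", (user,))
        return {r[0] for r in rows}


def url_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern rules: exact, path prefix (/x/*), extension (*.jsp), default (/)."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def authorize(realm, role_mapping, constraints, path, user, password) -> int:
    """HTTP status the container would end with: 200, 401 (standing in for the
    redirect to form-login-page) or 403.  role_mapping is {role: [groups]}
    (the <security-role-mapping> elements); constraints is [(url-pattern, [roles])]."""
    required = set()
    for pattern, roles in constraints:
        if url_matches(pattern, path):
            required.update(roles)
    if not required:
        return 200  # no constraint matched: the resource is open to everyone
    if not realm.authenticate(user, password):
        return 401
    user_groups = realm.groups(user)
    for role in required:
        if user_groups & set(role_mapping.get(role, ())):
            return 200
    return 403  # authenticated, but no required role maps to one of the user's groups


if __name__ == "__main__":
    realm = JdbcRealm(make_db())
    constraints = [("/protected/*", ["employee"])]
    print(authorize(realm, {}, constraints, "/protected/index.jsp", "gesker", "password"))
    print(authorize(realm, {"employee": ["employee"]}, constraints,
                    "/protected/index.jsp", "gesker", "password"))
```

Two things the model makes visible that the thread only implies. First, the 403 is an authorization failure after a successful login, so the realm's own logs will look healthy; the place to look is the role-to-group mapping (GlassFish also has a server-wide "Default Principal To Role Mapping" option that maps every role to the group of the same name, which makes the explicit mapping unnecessary when it is turned on). Second, a pattern of "/protected/" is an exact match for that one path under the Servlet rules, so "/protected/index.jsp" falls under no constraint at all; a mis-typed pattern fails open rather than closed, which is worth a test in any deployment checklist.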