users@glassfish.java.net

Re: JdbcAuthModule

From: Shing Wai Chan <Shing-Wai.Chan_at_Sun.COM>
Date: Wed, 07 Jun 2006 16:02:25 -0700

Hi Dennis,
If you checkout the glassfish code, then you can get the JDBCRealm now.
I think it should be available in tonight's build, too.
I am going to write a blog to explain how to use that.
Thanks.
     Shing Wai Chan

Dennis Gesker wrote:
> Richter:
>
> <security-role-mapping>
> <role-name>employee</role-name>
> <group-name>employee</group-name>
> </security-role-mapping>
>
> to my sun-application.xml file did the trick! Thanks so much for all
> your help.
>
> I understand that a jdbcRealm will be released as some point with
> Glassfish and I see that your classes have nbcommunity in them. Does
> this mean that your jdbcRealm will merge with the one that will be
> included in Glassfish?
>
> Dennis
>
>
>
> Edson Carlos Ericksson Richter wrote:
>
>> I think you are on the way. As said in the article, you must:
>>
>> 1) Configure server - you have done it, as your log messages say.
>> 2) Configure your web.xml - I think it is right to put /protected/*
>> 3) Still in web.xml you must put
>> <realm-name>jdbcRealmAddOn</realm-name> (the name of the realm you
>> created on server)
>> 4) In sun-web.xml, you must map every realm in web.xml to groups.
>>
>> Here are some pieces from the xml of one of the projects I'm working on:
>>
>> web.xml:
>>
>> <security-constraint><display-name>Admin constraints</display-name>
>> <web-resource-collection>
>> <web-resource-name>AdminSecurity</web-resource-name>
>> <description/>
>> <url-pattern>/secure/*</url-pattern>
>> <http-method>GET</http-method>
>> <http-method>POST</http-method>
>> <http-method>HEAD</http-method>
>> <http-method>PUT</http-method>
>> <http-method>OPTIONS</http-method>
>> <http-method>TRACE</http-method>
>> <http-method>DELETE</http-method>
>> </web-resource-collection>
>> <auth-constraint>
>> <description/>
>> <role-name>admin</role-name>
>> </auth-constraint>
>> <user-data-constraint>
>> <description/>
>> <transport-guarantee>NONE</transport-guarantee>
>> </user-data-constraint>
>> </security-constraint>
>> <login-config>
>> <auth-method>FORM</auth-method><!-- you can use 'basic' here -->
>> <realm-name>CombineITRealm</realm-name>
>> <form-login-config> <!-- if you use BASIC auth method, then no need
>> form-login-config -->
>> <form-login-page>/login.jsp</form-login-page>
>> <form-error-page>/loginError.jsp</form-error-page>
>> </form-login-config>
>> </login-config>
>> <security-role>
>> <description/>
>> <role-name>admin</role-name>
>> </security-role>
>>
>>
>> And sun-web.xml:
>>
>> <security-role-mapping>
>> <role-name>admin</role-name>
>> <group-name>admin</group-name>
>> </security-role-mapping>
>>
>>
>> That's all. Everything should run fine, then.
>>
>>
>> Best regards,
>>
>> Richter
>>
>>
>> PS: when sending mails, send to the list, no need to add me in CC,
>> because I receive 2 mails every time...
>>
>>
>> Dennis Gesker wrote:
>>
>>> Richter:
>>>
>>> I think I'm getting close. I thought that the jdbcRealm was going to map
>>> the security-roles for me but this doesn't seem to be happening.
>>>
>>> To check I tried the following as a test.
>>>
>>> realm in sun-application.xml to 'jdbcRealmAddOn' <-authentication seems
>>> to be working
>>> Changed my url to /index.jsp
>>> Got a 403
>>>
>>> Created 'protected' directory and put a new index.jsp in protected
>>> directory.
>>> Changed my url to /protected/*
>>> Still got a 403
>>>
>>> Changed url back to /index.jsp
>>> changed realm in sun-application.xml to 'file'
>>> added security-role-mapping to sun-application.xml
>>> added user/password to 'file' realm
>>> application worked as expected (directed to auth page, authenticated,
>>> proceed to index.jsp)
>>>
>>> changed realm in sun-application.xml to 'jdbcRealmAddOn' <- the one
>>> we've been troubleshooting
>>> removed security-role-mapping from sun-application.xml
>>> got 403
>>>
>>> added security-role mapping to sun-application.xml
>>> application worked as expected (directed to auth page, authenticated,
>>> directed to index.jsp)
>>>
>>> Should the security-mapping be done by the jdbcRealm roles query? Is
>>> there something else that I need to configure?
>>>
>>> Dennis
>>>
>>> Edson Carlos Ericksson Richter wrote:
>>>
>>>
>>>> Good! You got authentication working. By the messages, there is
>>>> nothing wrong with your database, nor with your glassfish.
>>>>
>>>> So how is your web.xml, specifically the url-pattern?
>>>>
>>>> To get it working, you must map url as "/myprotectedfolder/*", so you
>>>> protect folder and index.jsp... and everything else below this folder.
>>>> I made the mistake of putting "/myprotectedfolder/" as url pattern, and
>>>> got the same error (403) you showed...
>>>>
>>>> Richter
>>>>
>>>>
>>>> Dennis Gesker wrote:
>>>>
>>>>
>>>>> I still seem to be stuck.
>>>>>
>>>>> I changed the field names and types to usrname varchar(10) and passwd
>>>>> varchar(10)
>>>>> changed userTable="dbo"."auth"
>>>>> changed userRoleTable="dbo"."authrole"
>>>>>
>>>>> In my logs I can see:
>>>>>
>>>>> Asked authenticate gesker password will not be shown!|#]
>>>>> (JdbcRealm)User gesker valid: true|#] Asked roles for gesker|#]
>>>>> JdbcRealm roles query returned employee for gesker|#] JdbcRealm roles
>>>>> query returned supervisor for gesker|#] JdbcRealm roles query
>>>>> returned manager for gesker|#] JdbcRealm roles query returned admin
>>>>> for gesker|#] JdbcRealm roles query returned quality for gesker|#]
>>>>> JdbcRealm roles query returned sysadmin for gesker|#]
>>>>>
>>>>> Which I take as a good sign. But, I get an HTTP Status 403 - Access to
>>>>> the requested resource has been denied.
>>>>>
>>>>> In my test project I only have one file, index.jsp. This file is the
>>>>> only file in the web resource collection of my constraint which is
>>>>> enabled for 'employee' role name.
>>>>>
>>>>> Dennis
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Edson Carlos Ericksson Richter wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Hi! This message (JdbcRealm)User gesker valid: false is an indication
>>>>>> that this user could not be found on the database using the query
>>>>>> "select count(*) from auth where username = ? and password = ?"
>>>>>>
>>>>>> First of all, have you tried to execute this query standalone?
>>>>>>
>>>>>> You are using char(10). AFAIK, char(10) is fixed size, so your
>>>>>> username should be "gesker " and your password should be
>>>>>> "password ". What if you change to "varchar(10)"?
>>>>>>
>>>>>> Some databases consider "username" and "password" as reserved words
>>>>>> (check your docs, I really don't know about MySql). So, I'd suggest
>>>>>> changing the name of these columns to "usrname" and "passwd" (normally
>>>>>> simple identifiers that will not cause any problems).
>>>>>>
>>>>>> Could you connect through NetBeans Database Explorer and execute these
>>>>>> queries? Maybe it is a permission problem too (must grant select on these
>>>>>> tables).
>>>>>>
>>>>>> Finally... Have you tried to authenticate using Tomcat?
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Richter
>>>>>>
>>>>>> Dennis Gesker wrote:
>>>>>>
>>>>>>
>>>>>>> I was attempting to implement a jdbcRealm as described at:
>>>>>>>
>>>>>>> http://jroller.com/page/brviking?entry=glassfish_for_tomcat_users_jdbc
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> However, I seem to have run into some trouble getting this
>>>>>>> module to work and I'm wondering if there is something special
>>>>>>> required with regard to the setup of the database tables (sql
>>>>>>> below). I was surprised to see a stack trace as opposed to just a
>>>>>>> 'login failed' message:
>>>>>>>
>>>>>>>
>>>>>>> (JdbcRealm)User gesker valid: false|#]
>>>>>>>
>>>>>>> com.sun.enterprise.security.LoginException: (JdbcLoginModule) Login failed!
>>>>>>> at org.nbcommunity.glassfish.jdbcAuthModule.JdbcLoginModule.authenticate(JdbcLoginModule.java:61)
>>>>>>> at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:77)
>>>>>>> at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:171)
>>>>>>> at sun.reflect.GeneratedMethodAccessor78.invoke(Unknown Source)
>>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>>> at java.lang.reflect.Method.invoke(Method.java:585)
>>>>>>> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
>>>>>>> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>>>>>>> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>>>>>>> at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>>>>>>> at com.sun.enterprise.security.auth.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:283)
>>>>>>> at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:158)
>>>>>>> at com.sun.enterprise.security.auth.LoginContextDriver.login(LoginContextDriver.java:111)
>>>>>>> at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:419)
>>>>>>> at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:359)
>>>>>>> at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:238)
>>>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:534)
>>>>>>> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:557)
>>>>>>> at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:73)
>>>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:182)
>>>>>>> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
>>>>>>> at com.sun.enterprise.web.VirtualServerPipeline.invoke(VirtualServerPipeline.java:120)
>>>>>>> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
>>>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:137)
>>>>>>> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
>>>>>>> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:536)
>>>>>>> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
>>>>>>> at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:231)
>>>>>>> at com.sun.enterprise.web.connector.grizzly.ProcessorTask.invokeAdapter(ProcessorTask.java:667)
>>>>>>> at com.sun.enterprise.web.connector.grizzly.ProcessorTask.processNonBlocked(ProcessorTask.java:574)
>>>>>>> at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:844)
>>>>>>> at com.sun.enterprise.web.connector.grizzly.ReadTask.executeProcessorTask(ReadTask.java:287)
>>>>>>> at com.sun.enterprise.web.connector.grizzly.ReadTask.doTask(ReadTask.java:212)
>>>>>>> at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:252)
>>>>>>> at com.sun.enterprise.web.connector.grizzly.WorkerThread.run(WorkerThread.java:75)
>>>>>>> |#]
>>>>>>> JAAS authentication aborted.
>>>>>>> SEC5046: Audit: Authentication refused for [gesker].
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On startup of the server I see in the logs:
>>>>>>>
>>>>>>>
>>>>>>> JdbcRealm initialization successfull, debug on! JdbcRealm will
>>>>>>> execute queries against jdbc/operations|#] JdbcRealm will login with
>>>>>>> select count(*) from auth where username = ? and password = ?|#]
>>>>>>> JdbcRealm will get roles with select role from authrole where
>>>>>>> username = ?|#] JdbcRealm will get all roles with select distinct
>>>>>>> role from authrole|#]
>>>>>>> [snip]
>>>>>>> Logging in user [gesker] into realm: jdbcRealmAddOn using JAAS
>>>>>>> module: jdbcRealm
>>>>>>> Login module initialized: class
>>>>>>> org.nbcommunity.glassfish.jdbcAuthModule.JdbcLoginModule
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Which leads me to believe that I have most of the configuration
>>>>>>> options correct. My sql to set up my database tables is pretty
>>>>>>> straightforward as well:
>>>>>>>
>>>>>>> create table auth(
>>>>>>> id int NOT NULL IDENTITY PRIMARY KEY,
>>>>>>> username char(10) NOT NULL UNIQUE,
>>>>>>> password char(10) NOT NULL
>>>>>>> )
>>>>>>>
>>>>>>> create table authrole(
>>>>>>> id int NOT NULL IDENTITY PRIMARY KEY,
>>>>>>> username char(10) NOT NULL REFERENCES auth(username) ON UPDATE
>>>>>>> CASCADE ON DELETE CASCADE,
>>>>>>> role char(10) NOT NULL,
>>>>>>> rolecode char(10)
>>>>>>> )
>>>>>>>
>>>>>>> insert into auth(username, password) values ('gesker','password')
>>>>>>> insert into authrole (username, role) values ('gesker','employee')
>>>>>>> insert into authrole (username, role) values ('gesker','supervisor')
>>>>>>> insert into authrole (username, role) values ('gesker','manager')
>>>>>>> insert into authrole (username, role) values ('gesker','admin')
>>>>>>> insert into authrole (username, role) values ('gesker','quality')
>>>>>>> insert into authrole (username, role) values ('gesker','sysadmin')
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Could someone offer a hint?
>>>>>>>
>>>>>>> Dennis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
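An added check, written for this thread rather than taken from it, that encodes Richter's steps 2 to 4 and the two ways Dennis ended up with a 403 after a successful login: a role used in an auth-constraint that has no security-role-mapping, and a url-pattern written as a bare folder instead of "/folder/*". The descriptors embedded below are constructed samples and are assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not the thread's real files): "employee" is
# used but neither declared nor mapped, and the second url-pattern is the
# bare-folder form Richter warns about.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/secure/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/protected/</url-pattern></web-resource-collection>
  <auth-constraint><role-name>employee</role-name></auth-constraint>
 </security-constraint>
 <security-role><role-name>admin</role-name></security-role>
</web-app>"""

SUN_WEB_XML = """<sun-web-app>
 <security-role-mapping>
  <role-name>admin</role-name><group-name>admin</group-name>
 </security-role-mapping>
</sun-web-app>"""

def lint_security_config(web_xml, sun_web_xml):
    """Return findings as strings; empty means the two descriptors agree.
    Assumes descriptors without an XML namespace, as in the thread's excerpts."""
    web = ET.fromstring(web_xml)
    sun = ET.fromstring(sun_web_xml)
    declared = {r.text.strip() for r in web.iterfind("security-role/role-name")}
    mapped = {r.text.strip() for r in sun.iterfind("security-role-mapping/role-name")}
    findings = []
    for sc in web.iterfind("security-constraint"):
        for pat in sc.iterfind("web-resource-collection/url-pattern"):
            p = pat.text.strip()
            # "/folder/" is an exact-match pattern; only "/folder/*" covers what lies below it
            if p.endswith("/") and p != "/":
                findings.append(f"url-pattern {p!r} is exact-match; use {p + '*'!r}")
        for role in sc.iterfind("auth-constraint/role-name"):
            r = role.text.strip()
            if r not in declared:
                findings.append(f"role {r!r} used but not declared in <security-role>")
            if r not in mapped:  # login succeeds, but the container answers 403
                findings.append(f"role {r!r} has no <security-role-mapping> to a group")
    return findings

if __name__ == "__main__":
    for finding in lint_security_config(WEB_XML, SUN_WEB_XML):
        print(finding)
```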