I have a problem with JAAS and JBoss. I am trying to authenticate users against a database using the form-based method, but JBoss tells me the password is wrong (no, the password is correct). If I use UsersRolesLoginModule with properties files, there is no problem.

In the pg database in debug mode, the query that JBoss runs seems OK. The passwords in the database are in plain text for now (without hash).

Here is my login-config.xml file:

<application-policy name = "AP">
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
             <module-option name = "dsJndiName">java:/authDS</module-option>
             <module-option name = "principalsQuery">SELECT password FROM users WHERE login = ?</module-option>
             <module-option name = "rolesQuery">SELECT roles.name AS roles FROM roles WHERE roles.id IN 
                        (SELECT users_roles.roleid FROM users_roles WHERE users_roles.userid IN 
                        (SELECT users.id FROM users WHERE login = ?))</module-option>
             <!-- <module-option name="hashAlgorithm">MD5</module-option> -->
             <!-- <module-option name="hashEncoding">base64</module-option> -->
             <!-- <module-option name="hashEncoding">HEX</module-option> -->
             <!-- <module-option name="hashAlgorithm">SHA-1</module-option> -->
             <!-- <module-option name="digestCallback">com.myclass.MyDigestCallback</module-option>-->
          </login-module>
       </authentication>
    </application-policy>

web.xml file:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restrict Access</web-resource-name>
        <description></description>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AdminRole</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ASM AD Authentication</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>AdminRole</role-name>
</security-role>

jboss-web.xml:

<jboss-web>
      <security-domain>java:/jaas/Admin</security-domain>
</jboss-web>

login.jsp:

<form method="post" action="j_security_check">
    <fieldset>
        <legend>Login</legend>
        <p>
            <label for="form-username">Username</label>
            <input type="text" name="j_username" id="form-username" />
        </p>
        <p>
            <label for="form-password">Password</label>
            <input type="password" name="j_password" id="form-password" />
        </p>
        <p>
            <input type="submit" value="GO" />
        </p>
    </fieldset>
</form>

3 Answers

Can you do something like this?

   <application-policy name = "AP">
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
             <module-option name = "dsJndiName">java:/authDS</module-option>
             <module-option name = "principalsQuery">SELECT password FROM users WHERE login = ? and idcompania=? </module-option>
             <module-option name = "rolesQuery">SELECT roles.name AS roles FROM roles WHERE roles.id IN 
                                        (SELECT users_roles.roleid FROM users_roles WHERE users_roles.userid IN 
                                        (SELECT users.id FROM users WHERE login = ? and idcompania=? ))</module-option>
             <!-- <module-option name="hashAlgorithm">MD5</module-option> -->
             <!-- <module-option name="hashEncoding">base64</module-option> -->
             <!-- <module-option name="hashEncoding">HEX</module-option> -->
             <!-- <module-option name="hashAlgorithm">SHA-1</module-option> -->
             <!-- <module-option name="digestCallback">com.myclass.MyDigestCallback</module-option>-->
          </login-module>
       </authentication>
    </application-policy>
answered 2011-11-14T20:25:31.780

<application-policy name = "AP"> change to <application-policy name = "Admin">

or

<security-domain>java:/jaas/Admin</security-domain> change to

<security-domain>java:/jaas/AP</security-domain>
answered 2009-07-21T13:44:37.033
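
The mismatch pointed out in the answer above (application-policy "AP" versus security domain java:/jaas/Admin) can be checked mechanically before deployment. The following Python script is an added example, not part of the original posts; the sample XML is constructed from the question's files, and the <policy> root element and the name check_security_domain are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, trimmed from the configuration quoted in the question.
# Assumption: the application-policy sits under a <policy> root element.
LOGIN_CONFIG = """<policy>
  <application-policy name="AP">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/authDS</module-option>
        <module-option name="principalsQuery">SELECT password FROM users WHERE login = ?</module-option>
        <!-- <module-option name="hashAlgorithm">SHA-1</module-option> -->
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

JBOSS_WEB = """<jboss-web>
  <security-domain>java:/jaas/Admin</security-domain>
</jboss-web>"""

JAAS_PREFIX = "java:/jaas/"


def check_security_domain(login_config_xml, jboss_web_xml):
    """Return a list of findings; an empty list means the two files agree."""
    policies = {p.get("name"): p
                for p in ET.fromstring(login_config_xml).iter("application-policy")}
    domain = (ET.fromstring(jboss_web_xml).findtext("security-domain") or "").strip()
    if not domain:
        return ["jboss-web.xml declares no <security-domain>"]
    name = domain[len(JAAS_PREFIX):] if domain.startswith(JAAS_PREFIX) else domain
    if name not in policies:
        return [f"security-domain '{name}' has no matching application-policy "
                f"(defined: {sorted(policies)})"]
    findings = []
    for module in policies[name].iter("login-module"):
        # XML comments are dropped by the parser, so commented-out options do not count.
        options = {o.get("name") for o in module.iter("module-option")}
        code = module.get("code", "")
        if code.endswith("DatabaseServerLoginModule") and "hashAlgorithm" not in options:
            findings.append(f"policy '{name}': {code} has no hashAlgorithm option, "
                            "so the stored password is compared unhashed")
    return findings


if __name__ == "__main__":
    for finding in check_security_domain(LOGIN_CONFIG, JBOSS_WEB):
        print("FINDING:", finding)
```

Run against the question's files as posted, it reports the unmatched security domain; once the names agree, it also flags that the password column is compared without hashing.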

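From your example, you need to authenticate using the DatabaseServerLoginModule implementation:

  • In web.xml, you do not need to use the REALM tag.
  • You must define the security domain you use in jboss-web.xml.
  • You do not need to use the [ digestCallback ] module option.
  • Pay attention to the roles defined in web.xml and the security constraint in General.

I hope this helps you.

answered 2013-03-04T13:07:42.413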