tomcat-users mailing list archives

From "andcerve@libero.it" <andce...@libero.it>
Subject Jboss Tomcat login problem
Date Thu, 24 Jan 2002 18:46:18 GMT
Hi, I've a security problem in my web app.
I'm using JBoss 2.4.3 / Tomcat 4.0.

When a user, for example with username 'vincini', connects to a protected area, sometimes the login fails because you can see the HTTP-403 error message.
I said sometimes because I can't understand why, but other times the login is successful!
The strange thing is that if the login fails and he tries to connect again, the login goes well!!

Anyway, I think my problem is not in the authentication, but in role mapping, because I got the printing: [Default] User 'vincini' authenticated (but the user gets the HTTP-403!)

I use the DatabaseServerLoginModule and this is the entry in my 
$jboss_home/conf/catalina/auth.conf:

modulojdbc {
   org.jboss.security.auth.spi.DatabaseServerLoginModule required
   dsJndiName="java:/SQLServerPool"
   principalsQuery="SELECT Password FROM PRINCIPALS WHERE principalid=?"
   rolesQuery="SELECT Role, RoleGroup FROM ROLES WHERE principalid=?";
};

I have the following 2 tables in my database :

PRINCIPALS(principalid, password)
pk: principalid

ROLES(principalid, role, rolegroup)
pk: principalid,role
fk: principalid references PRINCIPALS

I have inserted some rows:

PRINCIPALS: ('vincini','vincini')
            ('guest','guest')
ROLES: ('vincini','docente','Roles')
       ('guest','studente','Roles')

I also have a method in my EJB that invokes isCallerInRole("DOCENTE") and getCallerPrincipal().getName(), so I've included these lines in the ejb-jar.xml:

<session>
         <ejb-name>MatDidEJB</ejb-name>
         <home>ejb.MatDid.MatDidHome</home>
         <remote>ejb.MatDid.MatDidEJB</remote>
         <ejb-class>ejb.MatDid.MatDidBean</ejb-class>
         <session-type>Stateful</session-type>
         <transaction-type>Container</transaction-type>
         <security-role-ref>
             <role-name>STUDENTE</role-name>
             <role-link>studente</role-link>
         </security-role-ref>
         <security-role-ref>
             <role-name>DOCENTE</role-name>
             <role-link>docente</role-link>
         </security-role-ref>
</session>

Should I add a row in the ROLES table like this:

('vincini','DOCENTE','CallerPrincipal')  ?

If I add it, the user "vincini" gets an error because getCallerPrincipal().getName() returns the String "DOCENTE" instead of "vincini"!!!

When should the rolegroup "CallerPrincipal" be used? 

How can I solve this problem? Any idea?

PLEASE HELP!

Thanks
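As an added illustration (not code from the post or from JBoss itself), here is a small Python model of how the DatabaseServerLoginModule treats the two RoleGroup values that appear above: rows in the "Roles" group become the caller's roles, which isCallerInRole() checks through the ejb-jar.xml role-name/role-link mapping, while a row in the "CallerPrincipal" group replaces the name returned by getCallerPrincipal(), which is exactly the "DOCENTE" instead of "vincini" behaviour the post observes. The sample rows and all function names are constructed for the example.

```python
# Model of the JBoss DatabaseServerLoginModule role handling described
# in the post. Added example; function names and rows are constructed.
from dataclasses import dataclass

# Constructed copy of the post's ROLES table: (principalid, role, rolegroup)
ROLES_TABLE = [
    ("vincini", "docente", "Roles"),
    ("guest", "studente", "Roles"),
]

# ejb-jar.xml <security-role-ref> entries: role-name -> role-link
SECURITY_ROLE_REFS = {"STUDENTE": "studente", "DOCENTE": "docente"}


@dataclass(frozen=True)
class CallerContext:
    principal: str          # what getCallerPrincipal().getName() returns
    roles: frozenset        # what isCallerInRole() is checked against


def roles_query(rows, principal_id):
    """SELECT Role, RoleGroup FROM ROLES WHERE principalid=?"""
    return [(role, group) for pid, role, group in rows if pid == principal_id]


def build_caller_context(rows, authenticated_user):
    """Interpret the rolesQuery result the way the login module does."""
    principal = authenticated_user
    roles = set()
    for role, group in roles_query(rows, authenticated_user):
        if group == "Roles":
            # ordinary role: usable by web security-constraints and EJB checks
            roles.add(role)
        elif group == "CallerPrincipal":
            # identity mapping: the *role name* becomes the caller principal
            principal = role
        # rows in any other group are ignored for authorization
    return CallerContext(principal, frozenset(roles))


def is_caller_in_role(ctx, role_name, role_refs):
    """EJB isCallerInRole(): resolve role-name via role-link, then compare.
    Without a security-role-ref the literal, case-sensitive name is used."""
    link = role_refs.get(role_name, role_name)
    return link in ctx.roles


def with_caller_principal_row(rows, principal_id, name):
    """Add the ('vincini','DOCENTE','CallerPrincipal') style row from the post."""
    return rows + [(principal_id, name, "CallerPrincipal")]
```

Running the two scenarios from the post shows that the CallerPrincipal row does not grant any role; it only changes the reported identity, so the "DOCENTE" check must be satisfied by the docente row in the "Roles" group via the role-link.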