tomcat-users mailing list archives

From "andcerve@libero.it" <andce...@libero.it>
Subject security with database login module
Date Fri, 25 Jan 2002 13:22:06 GMT
Hi, I've a security problem in my web app.
I'm using JBoss 2.4.3 with Tomcat 4.0.

When a user, for example with username 'vincini', connects to a protected area, sometimes the login fails, because you can see the HTTP-403 error message.
I said sometimes because I can't understand why, but other times the login is successful!
The strange thing is that if the login fails and he tries to connect again, the login goes well!!

Anyway,
I think my problem is not in the authentication, but in role mapping, cause I got the printing: [Default] User 'vincini' authenticated (but the user gets the HTTP-403!)

I use the DatabaseServerLoginModule and this is the entry in my $jboss_home/conf/catalina/auth.conf:

        modulojdbc {
           org.jboss.security.auth.spi.DatabaseServerLoginModule required
           dsJndiName="java:/SQLServerPool"
           principalsQuery="SELECT Password FROM PRINCIPALS WHERE principalid=?"
           rolesQuery="SELECT Role, RoleGroup FROM ROLES WHERE principalid=?";
        };

I have the following 2 tables in my database:

        PRINCIPALS(principalid, password)
        pk: principalid

        ROLES(principalid, role, rolegroup)
        pk: principalid, role
        fk: principalid references PRINCIPALS

I have inserted some rows:

        PRINCIPALS: ('vincini','vincini')
                    ('guest','guest')
        ROLES: ('vincini','docente','Roles')
               ('guest','studente','Roles')

I also have a method in my EJB that invokes isCallerInRole("DOCENTE") and getCallerPrincipal().getName().
So I've included these lines in the ejb-jar.xml:

        <session>
                 <ejb-name>MatDidEJB</ejb-name>
                 <home>ejb.MatDid.MatDidHome</home>
                 <remote>ejb.MatDid.MatDidEJB</remote>
                 <ejb-class>ejb.MatDid.MatDidBean</ejb-class>
                 <session-type>Stateful</session-type>
                 <transaction-type>Container</transaction-type>
                 <security-role-ref>
                     <role-name>STUDENTE</role-name>
                     <role-link>studente</role-link>
                 </security-role-ref>
                 <security-role-ref>
                     <role-name>DOCENTE</role-name>
                     <role-link>docente</role-link>
                 </security-role-ref>
        </session>

Should I add a row in the ROLES table like this:

        ('vincini','DOCENTE','CallerPrincipal')  ?

If I add it, the user "vincini" gets an error cause the getCallerPrincipal().getName() returns the String "DOCENTE" instead of "vincini"!!!

When should the rolegroup "CallerPrincipal" be used?

How can I solve this problem? Any idea?

PLEASE HELP!

Thanks
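The role-group semantics behind the question, as an added Python model that is not part of this post or of JBoss: the rows returned by rolesQuery are split by their RoleGroup column, with the 'Roles' group carrying the authorization roles and a 'CallerPrincipal' group entry supplying the name that getCallerPrincipal() reports, which is why the extra row renames the caller to DOCENTE. The table data is constructed from the post; the function names are my own.

```python
# Model of how a JBoss 2.4.x DatabaseServerLoginModule partitions the rows
# returned by rolesQuery into role groups, and how an EJB security-role-ref
# maps isCallerInRole() names onto those roles. Not JBoss code.

# Rows the posted rolesQuery would return, keyed by principalid (constructed
# from the post: (principalid, role, rolegroup)).
ROLES_TABLE = [
    ("vincini", "docente", "Roles"),
    ("guest", "studente", "Roles"),
]

# <security-role-ref> entries from the posted ejb-jar.xml: role-name -> role-link
SECURITY_ROLE_REFS = {"STUDENTE": "studente", "DOCENTE": "docente"}


def roles_query(table, principal_id):
    """Simulate 'SELECT Role, RoleGroup FROM ROLES WHERE principalid=?'."""
    return [(role, group) for pid, role, group in table if pid == principal_id]


def build_subject(principal_id, rows):
    """Group the (Role, RoleGroup) rows as the login module does: the 'Roles'
    group holds authorization roles; a 'CallerPrincipal' group entry replaces
    the name returned by getCallerPrincipal()."""
    roles = {role for role, group in rows if group == "Roles"}
    caller = [role for role, group in rows if group == "CallerPrincipal"]
    return {"caller_principal": caller[0] if caller else principal_id,
            "roles": roles}


def is_caller_in_role(subject, ref_name, role_refs=SECURITY_ROLE_REFS):
    """isCallerInRole(ref_name): resolve role-name through role-link, then test
    membership in the 'Roles' group (unlinked names are used literally)."""
    linked = role_refs.get(ref_name, ref_name)
    return linked in subject["roles"]


def login(principal_id, table=ROLES_TABLE):
    """Authenticated principal -> subject with caller name and role set."""
    return build_subject(principal_id, roles_query(table, principal_id))


if __name__ == "__main__":
    s = login("vincini")
    print(s["caller_principal"], is_caller_in_role(s, "DOCENTE"))  # vincini True
    # Effect of the extra row the post asks about: the caller name changes.
    extra = ROLES_TABLE + [("vincini", "DOCENTE", "CallerPrincipal")]
    print(login("vincini", extra)["caller_principal"])  # DOCENTE
```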