I have added the SQLLoginModule to my deployment (TomEE 1.5.1):

  1. system property that points to the login.config
  2. login.config configured to use SQLLogin realm
  3. server.xml updated to use this realm

Here's the web.xml (I'm almost sure the problem is here)

<security-constraint>
    <display-name>Unsecured</display-name>
    <web-resource-collection>
        <web-resource-name>Unsecured area</web-resource-name>
        <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>*.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMIN</role-name>
        <role-name>SUPERUSER</role-name>
        <role-name>USER</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-role>
    <role-name>ADMIN</role-name>
</security-role>
<security-role>
    <role-name>SUPERUSER</role-name>
</security-role>
<security-role>
    <role-name>USER</role-name>
</security-role>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>SQLLogin</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/login.html</form-error-page>
    </form-login-config>
</login-config>

<welcome-file-list>
    <welcome-file>testRest.html</welcome-file>
</welcome-file-list>

Deploying and logging in, I even remote-debugged org.apache.openejb.core.security.jaas.SQLLoginModule with no exceptions, but for some reason the redirection to the welcome-file fails and I get a 403 access-denied error.

Any thoughts?


Solution

So, here is the solution after my personal "via dolorosa" :)
First, the error was in the server.xml JAASRealm configuration.
Following the instructions at http://tomee.apache.org/tomee-jaas.html I used

userClassNames="org.apache.openejb.core.security.AbstractSecurityService$User"
roleClassNames="org.apache.openejb.core.security.AbstractSecurityService$Group"

After downloading the Tomcat sources and some debugging, I found out that the Principals actually generated by org.apache.openejb.core.security.jaas.SQLLoginModule are:

userClassNames="org.apache.openejb.core.security.jaas.UserPrincipal"
roleClassNames="org.apache.openejb.core.security.jaas.GroupPrincipal"

That solved the problem.
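
One way to find the principal classes without stepping through the Tomcat sources, as an added example that is not part of the original answer: log in through the same JAAS entry with the standard LoginContext API and print the class of every Principal the login module attaches to the Subject. The class name PrincipalClassDump is hypothetical. It assumes the JVM is started with -Djava.security.auth.login.config pointing at the same login.config, that the TomEE jars and the JDBC driver are on the classpath, and that the module's options let it reach the database outside the container.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Logs in through a JAAS entry and lists the Principal classes the login module produced. */
public class PrincipalClassDump {
    public static void main(String[] args) throws LoginException {
        if (args.length != 2 || System.console() == null) {
            System.err.println("usage (from a terminal): PrincipalClassDump <jaas-entry> <user>");
            System.exit(2);
        }
        final String user = args[1];
        // Read the password without echo instead of taking it from argv.
        final char[] password = System.console().readPassword("Password for %s: ", user);

        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };

        LoginContext ctx = new LoginContext(args[0], handler);
        ctx.login(); // throws LoginException on bad credentials or a missing entry
        Set<String> classes = new TreeSet<String>();
        for (Principal p : ctx.getSubject().getPrincipals()) {
            System.out.printf("%-60s name=%s%n", p.getClass().getName(), p.getName());
            classes.add(p.getClass().getName());
        }
        ctx.logout();
        Arrays.fill(password, '\0'); // wipe the local copy of the password
        System.out.println("Classes to pick userClassNames/roleClassNames from: " + classes);
    }
}
```

The class printed for the user entry belongs in userClassNames and the class printed for the role or group entries belongs in roleClassNames of the JAASRealm element in server.xml.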

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow