Question

I have added the SQLLoginModule to my deployment (TomEE 1.5.1):

  1. system property that points to the login.config
  2. login.config configured to use SQLLogin realm
  3. server.xml updated to use this realm

Here's the web.xml (I'm almost sure the problem is here)

<security-constraint>
    <display-name>Unsecured</display-name>
    <web-resource-collection>
        <web-resource-name>Unsecured area</web-resource-name>
        <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>*.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMIN</role-name>
        <role-name>SUPERUSER</role-name>
        <role-name>USER</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-role>
    <role-name>ADMIN</role-name>
</security-role>
<security-role>
    <role-name>SUPERUSER</role-name>
</security-role>
<security-role>
    <role-name>USER</role-name>
</security-role>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>SQLLogin</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/login.html</form-error-page>
    </form-login-config>
</login-config>

<welcome-file-list>
    <welcome-file>testRest.html</welcome-file>
</welcome-file-list>

Deploying and logging in, I even remote debugged org.apache.openejb.core.security.jaas.SQLLoginModule with no exceptions, but for some reason the redirection to the welcome-file fails and I get a 403 access-denied error.

Any thoughts?


Solution

So, here is the solution after my personal "via dolorosa" :)
First, the error was in the server.xml JAASRealm configuration.
Following the instructions at http://tomee.apache.org/tomee-jaas.html I used

userClassNames="org.apache.openejb.core.security.AbstractSecurityService$User"
roleClassNames="org.apache.openejb.core.security.AbstractSecurityService$Group"

After downloading the Tomcat sources and some debugging, I found out that the Principals actually generated by org.apache.openejb.core.security.jaas.SQLLoginModule are:

userClassNames="org.apache.openejb.core.security.jaas.UserPrincipal"
roleClassNames="org.apache.openejb.core.security.jaas.GroupPrincipal"

That solved the problem.
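To put the fix in context, here is the JAASRealm element in server.xml as the answer first had it and as corrected. This is an added example, not configuration from the original post; the appName value "SQLLogin" and the placement of the Realm inside the Engine (it may equally sit in a Host or Context) are assumptions.

```xml
<!-- server.xml: the JAASRealm as first configured (class names taken from the
     TomEE JAAS page). Authentication succeeds, but JAASRealm then scans the
     Subject's Principals for these class names, finds no user and no roles,
     and every auth-constraint check fails with 403. -->
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="SQLLogin"
       userClassNames="org.apache.openejb.core.security.AbstractSecurityService$User"
       roleClassNames="org.apache.openejb.core.security.AbstractSecurityService$Group"/>

<!-- Corrected: the class names must match the Principals that SQLLoginModule
     actually commits to the Subject. appName must equal the entry name used in
     login.config (assumed here to be "SQLLogin"). -->
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="SQLLogin"
       userClassNames="org.apache.openejb.core.security.jaas.UserPrincipal"
       roleClassNames="org.apache.openejb.core.security.jaas.GroupPrincipal"/>
```

A login that succeeds without any exception in the login module but ends in a 403 on the first protected page is the signature of this mismatch: authentication worked, but the realm mapped no user or role principals, so authorization has nothing to grant.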

Licensed under: CC-BY-SA with attribution