  1. Application Server 3 4 5 and 6
  2. JBAS-2930

Form Authentication problem with jboss

Details

    • Bug
    • Resolution: Cannot Reproduce
    • Major
    • None
    • JBossAS-4.0.3 SP1, JBossAS-3.2.8 Final, JBossAS-3.2.8.SP1
    • Web (Tomcat) service
    • None

    Description

      My WAR is configured to use the FORM auth method.

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name></realm-name>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/LoginErrorPage.jsp</form-error-page>
        </form-login-config>
      </login-config>

      I also have a security constraint:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>all</web-resource-name>
          <url-pattern>*.jsp</url-pattern>
          <url-pattern>/index.html</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>everyone</role-name>
        </auth-constraint>
      </security-constraint>

      So when a user tries to connect to any JSP or index.html, the login form is opened, and this works fine.

      The problem occurs when the credentials are not valid.
      The web container must call the form-error-page, so in my case LoginErrorPage.jsp.
      But it seems that the web container applies the security constraint check and so calls the form-login-page (login.jsp) again.

      I also tried to add the run-as role for the login JSPs.

      <servlet>
        <servlet-name>login</servlet-name>
        <display-name>Login</display-name>
        <description>Login</description>
        <jsp-file>/login.jsp</jsp-file>
        <run-as>
          <role-name>everyone</role-name>
        </run-as>
      </servlet>

      <servlet>
        <servlet-name>loginError</servlet-name>
        <display-name>Login Error</display-name>
        <description>Login Error</description>
        <jsp-file>/LoginErrorPage.jsp</jsp-file>
        <run-as>
          <role-name>everyone</role-name>
        </run-as>
      </servlet>

      <servlet-mapping>
        <servlet-name>login</servlet-name>
        <url-pattern>/login.jsp</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>loginError</servlet-name>
        <url-pattern>/LoginErrorPage.jsp</url-pattern>
      </servlet-mapping>

      The role everyone is properly declared...

      Any ideas?
      Or is it a bug?

      I think it's a bug because in every case the LoginErrorPage.jsp must run as the role name "everyone", and also because under WebSphere the same configuration works fine.

      Maybe someone can reply that the problem is that I have added a security constraint to my LoginErrorPage.jsp page, so the container is behaving exactly as I have asked it to, and if I do not want my LoginErrorPage.jsp covered by this constraint then I should remove it. But... the same goes for Login.jsp... I put ALL JSPs under the security constraint...

      Thank You
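
An added example, not part of the original report and not JBoss code: a small Python check that parses a deployment descriptor and lists whether the form-login-page and form-error-page fall under a url-pattern that carries an auth-constraint, which is the overlap the report describes. The embedded web.xml is a constructed sample assembled from the fragments above, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample assembled from the descriptor fragments in the report above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>/index.html</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>everyone</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/LoginErrorPage.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def local(tag):
    """Drop any XML namespace so DTD-based and schema-based descriptors both parse."""
    return tag.rsplit("}", 1)[-1]

def pattern_matches(pattern, path):
    """Servlet url-pattern forms: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == path or pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False

def protected_form_pages(web_xml):
    """Map each form page to every (pattern, roles) that matches it; a container uses the best match."""
    root = ET.fromstring(web_xml)
    rules = []
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        if not auth:
            continue  # a constraint without auth-constraint does not require login
        roles = [(r.text or "").strip() for r in auth[0].iter() if local(r.tag) == "role-name"]
        rules += [((p.text or "").strip(), roles) for p in sc.iter() if local(p.tag) == "url-pattern"]
    pages = [(e.text or "").strip() for e in root.iter()
             if local(e.tag) in ("form-login-page", "form-error-page")]
    return {pg: [r for r in rules if pattern_matches(r[0], pg)] for pg in pages}

if __name__ == "__main__":
    for page, hits in protected_form_pages(WEB_XML).items():
        print(page, "->", hits or "not covered by an auth-constraint")
```

For the sample descriptor, both /login.jsp and /LoginErrorPage.jsp are reported as matched by the `*.jsp` pattern restricted to the role everyone.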

          People

            Unassigned Unassigned
            roberto_jira roberto roberto (Inactive)