golgoth - 4 months ago
SQL Question

Jetty JDBCLoginService role based access not working

This is a follow up from this post: Jetty JDBCLoginService using null in mysql request where you can find the realm configuration.

I'm using Jetty's JDBCLoginService to do the authorization in my app;
I have, of course, values in my database.
The authorization part of my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Areas with authentication required</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>gateway_jndi</realm-name>
  <form-login-config>
    <form-login-page>/public/login.jsf</form-login-page>
    <form-error-page>/public/login.jsf</form-error-page>
  </form-login-config>
</login-config>


The login part of my backing bean:

import java.io.IOException;
import java.util.ResourceBundle;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.omnifaces.util.Faces;

// messagesBundle is a ResourceBundle field of the backing bean (initialised elsewhere)
private ResourceBundle messagesBundle;

public void login() {
    ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
    HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
    try {
        // Faces.login delegates to HttpServletRequest#login, i.e. the container's realm
        Faces.login(getUsername(), getPassword());
        // Authenticated: send the user to the protected area
        externalContext.redirect(request.getContextPath() + "/protected/statistiques.jsf");
    } catch (ServletException ex) {
        // Container rejected the credentials: show a message on the login form
        FacesContext context = FacesContext.getCurrentInstance();
        context.addMessage(
            "formMsg",
            new FacesMessage(
                FacesMessage.SEVERITY_INFO,
                messagesBundle.getString("main.gateway.title.error"),
                messagesBundle.getString("main.gateway.common.controller.error.login")
            )
        );
    } catch (IOException e) {
        e.printStackTrace();
    }
    // Never keep the plaintext password around in the bean
    setPassword(null);
}


While using it I always get a 403 with !role in the console; if I use ** I can log into the app.

Am I missing something in my backing bean, or is the problem Jetty related?

Answer

Ok so I was missing the roles in my web.xml, e.g.:

<security-role>
  <role-name>administrator</role-name>
</security-role>

It seems:

<auth-constraint>
 <role-name>*</role-name>
</auth-constraint>

means any role known to the app, not any role in the database.
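To make the distinction concrete, here is an added example web.xml (not the poster's file) showing the declared-role allowlist next to the constraint that references it. The role names administrator and user are assumed; they must match, byte for byte, the role strings the JDBCLoginService reads from the roles table, because a role the database returns but web.xml never declares is dropped and yields exactly the 403 seen above. The comments also note the difference between * (any declared role) and ** (Servlet 3.1: any authenticated user, no role check at all), which is why ** "worked" but silently removed the authorization step.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original poster's web.xml. Role names are assumed. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         version="3.1">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Areas with authentication required</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "*"  = the user must hold at least one role declared in a <security-role> below.
           "**" = any authenticated user, regardless of role (Servlet 3.1); this skips the
                  role check entirely, so prefer "*" or an explicit role list. -->
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- The original uses NONE; CONFIDENTIAL forces HTTPS so the FORM login
           credentials are not sent in cleartext (drop this if TLS is terminated
           in front of Jetty and the connector is marked secure). -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>gateway_jndi</realm-name>
    <form-login-config>
      <form-login-page>/public/login.jsf</form-login-page>
      <form-error-page>/public/login.jsf</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declared roles: this is the allowlist that "*" above expands to. Any role the
       JDBCLoginService returns that is not listed here is ignored for authorization. -->
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

A quick way to check the mapping is to compare the distinct values in the roles table against the set of `<security-role>` entries: every value you expect to grant access must appear in web.xml, and a 403 logged with !role for a user who does authenticate successfully almost always means the two sets disagree (case or whitespace differences included).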