Implementing JDBC Authentication on Glassfish with an existing database


I've been working on a sample Jersey program to familiarize myself with Java web services, and now I would like to add a security layer to it (server - Glassfish, IDE - IntelliJ). Thus far I have implemented a FORM based login system which is supposed to reference an existing Sybase database. The problem is that it doesn't authenticate even if I put in the right credentials, and I don't know enough about authentication in general to troubleshoot it. Hopefully someone here can figure out where I went wrong. Here are the steps I took:

  1. Create a community pool and resource in the Glassfish admin console
  2. Create a JDBC Realm in the Glassfish admin console
  3. Modify the web.xml file to include a security constraint and a login configuration
  4. Create a login.xhtml page and a loginerror.xhtml page

As a side note, the database I am attempting to use is an existing Sybase database that has all sorts of information (not just usernames, but also emails, supervisors, phone extensions, etc). This database does not have an explicit password field, but I am trying to use one of the existing fields (namely one called supervisorEmail) to act as a password field. Therefore, a user can get authenticated with his own email and his supervisor's email.

My first question is: where do I specify what columns to use as the username/password in the database? I thought I would do this in the JdbcRealm definition, but perhaps I am wrong about this. Here is what I have in those fields:

JAAS Context: jdbcRealm

JNDI: jdbc/__AuthDB (the resource I created earlier)

User Table: EmployeeList (the name of the table in the database)

User Name Column: email

Password Column: supervisorEmail

Group Table: Groups (no idea what to put here)

Group Name Column: Name (no idea what to put here)

Password Encryption Algorithm: AES

This would lead to my second question, which is "do I need a group database if all users get the same privileges"? I currently do not have one.

Finally, here are any xml/html files that could be of use for troubleshooting. Sorry for the long post, I wanted to be as specific as possible.

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
     version="3.1">

<security-constraint>
    <display-name>Admin Pages</display-name>
    <web-resource-collection>
        <web-resource-name>Secured</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<!--<deny-uncovered-http-methods/>-->

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JdbcRealm</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/loginerror.xhtml</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>admin</role-name>
</security-role>
<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
</web-app>

login.xhtml:

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
  xmlns:p="http://primefaces.org/ui">
<body>
    <p:panel header="Login Form">
        <form method="POST" action="j_security_check">
            Username: <input type="text" name="j_username"/>
            Password: <input type="password" name="j_password"/>
            <input type="submit" value="Login" />
            <input type="reset" value="Reset" />
        </form>
    </p:panel>
</body>
</html>

If you've made it this far, thank you for reading. Any help is greatly appreciated.

Best answer:

I figured it out. When you're using a jdbc realm within Glassfish you have to have two separate databases: one that has a list of users/passwords, and one that has a list of users (same ones as the previous database) & what group they belong to. Glassfish will NOT authenticate you if you aren't using groups, even if you want everyone to have the same privileges.
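
The user/password lookup and the user/group lookup described in the answer, as an added Python sketch that is not part of the original post and is not GlassFish code. It is a simplified model: the tables, the sample user, the `pwhash` column, the SHA-256 hex digest and the one-to-one group-to-role mapping are all assumptions made for illustration; only the realm field names and the `admin` role come from the page.

```python
import hashlib
import hmac
import sqlite3

# Mirrors the realm fields listed in the question; the values are constructed.
REALM = {
    "user_table": "EmployeeList",
    "user_name_column": "email",
    "password_column": "pwhash",      # assumption: stores a SHA-256 hex digest
    "group_table": "Groups",
    "group_name_column": "Name",
}
REQUIRED_ROLE = "admin"  # from <auth-constraint> in the page's web.xml


def make_db(with_groups):
    """Build a constructed in-memory database holding one sample user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE EmployeeList (email TEXT PRIMARY KEY, pwhash TEXT)")
    db.execute("CREATE TABLE Groups (email TEXT, Name TEXT)")
    digest = hashlib.sha256(b"correct horse").hexdigest()
    db.execute("INSERT INTO EmployeeList VALUES (?, ?)", ("alice@example.com", digest))
    if with_groups:
        db.execute("INSERT INTO Groups VALUES (?, ?)", ("alice@example.com", "admin"))
    return db


def login(db, username, password, realm=REALM):
    """Return 'bad-credentials', 'no-role' or 'ok' for one login attempt."""
    r = realm
    # Identifiers come from admin-supplied realm config; only the user name is bound.
    row = db.execute(
        f"SELECT {r['password_column']} FROM {r['user_table']} "
        f"WHERE {r['user_name_column']} = ?", (username,)).fetchone()
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if row is None or not hmac.compare_digest(row[0], supplied):
        return "bad-credentials"
    groups = {g for (g,) in db.execute(
        f"SELECT {r['group_name_column']} FROM {r['group_table']} "
        f"WHERE {r['user_name_column']} = ?", (username,))}
    # Assumption: group names map one-to-one onto role names.
    return "ok" if REQUIRED_ROLE in groups else "no-role"


if __name__ == "__main__":
    for with_groups in (False, True):
        print(with_groups, login(make_db(with_groups), "alice@example.com", "correct horse"))
```

With an empty group table the correct password still ends in `no-role`, because nothing gives the user the `admin` role that the security constraint requires.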