I am trying to run a basic project with a servlet requiring a specific role.
In the standalone.xml configuration file I have added a datasource with a JDBC binding to a derby DB containing the table enabling for authentication and authorization defined in a specific security domain I have added in the same file
<datasource jndi-name="java:jboss/datasources/TestDS" pool-name="TestDS" enabled="true">
<connection-url>jdbc:derby://localhost:1527/JPADB</connection-url>
<driver-class>org.apache.derby.jdbc.ClientDriver</driver-class>
<driver>derbyclient.jar</driver>
<transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>
<pool>
<min-pool-size>10</min-pool-size>
<max-pool-size>100</max-pool-size>
<prefill>true</prefill>
</pool>
<security>
<user-name>user</user-name>
<password>passw0rd</password>
</security>
<statement>
<prepared-statement-cache-size>32</prepared-statement-cache-size>
<share-prepared-statements>true</share-prepared-statements>
</statement>
</datasource>
...
<security-domains>
<security-domain name="testDomain" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/TestDS"/>
<module-option name="rolesQuery" value="SELECT role, 'Roles' FROM users WHERE username=?"/>
<module-option name="hashAlgorithm" value="MD5"/>
<module-option name="hashEncoding" value="hex"/>
<module-option name="principalsQuery" value="SELECT password from users WHERE username=?"/>
</login-module>
</authentication>
<authorization>
<policy-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/school"/>
<module-option name="rolesQuery" value="SELECT role, 'Roles' FROM users WHERE username=?"/>
<module-option name="hashAlgorithm" value="MD5"/>
<module-option name="hashEncoding" value="hex"/>
<module-option name="principalsQuery" value="SELECT password from users WHERE username=?"/>
</policy-module>
</authorization>
</security-domain>
Now I have deployed a Dynamic Web Project and in the /WebContent/WEB-INF folder I have created a jboss-web.xml file
with this content
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>testDomain</security-domain>
</jboss-web>
and a web.xml file with this content
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
<display-name>WebApp</display-name>
<welcome-file-list>
<welcome-file>/webappname/index.xhtml</welcome-file>
</welcome-file-list>
<!--Defining security constraint for type of roles available-->
<security-constraint>
<web-resource-collection>
<web-resource-name>administrator</web-resource-name>
<url-pattern>/webappname/MyServlet/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>ADMINISTRATOR</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>school</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/error.xhtml</form-error-page>
</form-login-config>
</login-config>
<!--Defining type of authenitcation mechanism-->
<!--Denining security role-->
<security-role>
<role-name>ADMINISTRATOR</role-name>
</security-role>
<security-role>
<role-name>USER</role-name>
</security-role>
<!--Denining security role-->
</web-app>
The Server starts without any error. The problem is that when I try to reach the servlet url http://127.0.0.1:8080/webappname/MyServlet the page is correctly rendered and no authentication is required.
