geronimo-dev mailing list archives

From "Vamsavardhana Reddy" <c1vams...@gmail.com>
Subject Re: Problem deploying web applications that have security-constraints in web.xml but use no authentication and security roles
Date Sun, 06 Aug 2006 09:32:28 GMT
On 8/6/06, David Jencks <david_jencks@yahoo.com> wrote:
>
>
> On Aug 5, 2006, at 11:09 PM, Vamsavardhana Reddy wrote:
>
> > Hi,
> >
> > I have a web application that has the following security-constraint
> > in the web.xml
> >
> >    <security-constraint>
> >      <web-resource-collection>
> >        <web-resource-name>Secure</web-resource-name>
> >        <url-pattern>/secure/AuthorizationServlet</url-pattern>
> >      </web-resource-collection>
> >      <user-data-constraint>
> >        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >      </user-data-constraint>
> >    </security-constraint>
> >
> > My application does not use any security roles and does not
> > authenticate against any security realm.  All this security-
> > constraint does is that the requests are forwarded to HTTPS port
> > (enabled for ClientAuth) and the application uses Client
> > Certificates for authorization.  In G1.0, I could deploy this
> > application without using a geronimo-web.xml and the application
> > runs fine.
> >
> > G1.1 does not allow me to deploy this application without a
> > deployment plan.  Even with a deployment plan, G1.1 comes back with
> > errors that there are no security elements in the deployment plan.
> > The following messages are displayed in the console.
> >
> > Deployer operation failed: web.xml for web app tutorial/cert-auth-sample/1.0/war includes security elements but Geronimo deployment plan is not provided or does not contain <security-realm-name> element necessary to configure security accordingly.
> > org.apache.geronimo.common.DeploymentException: web.xml for web app tutorial/cert-auth-sample/1.0/war includes security elements but Geronimo deployment plan is not provided or does not contain <security-realm-name> element necessary to configure security accordingly.
> >
> > Clearly, I can not put any security-realm-name and role-mapping
> > elements in geronimo-web.xml .  If I put a security-realm-name tag
> > and/or role-mappings to get past the deployment, access to the
> > resource will be denied since I have not put any auth-constraint
> > tags in web.xml
>
> Did you check this?  I'd expect that everything would work as
> expected if you supply a security-realm-name and that you will be
> able to access pages without logging in.


Specifying a security-realm-name and no security tag gave the following
error:

Deployer operation failed: You have specified a <security-realm-name> for the webapp tutorial/cert-auth-sample/1.0/war?J2EEApplication=null,j2eeType=WebModule,name=tutorial/cert-auth-sample/1.0/war but no <security> configuration (role mapping) is supplied in the Geronimo plan for the web application (or the Geronimo plan for the EAR if the web app is in an EAR)

Specifying a security-realm-name and a security tag with just a
default-principal entry did get the app deployed successfully.  And the app
did work as expected.


>
> > Any suggestions on how to get past this problem?  Or is this a bug
> > in G1.1?
>
> I have to regard it as a bug in G1.1, although if supplying a
> security-realm-name works it's a fairly minor bug.  I'm very curious
> about whether G1.0 actually enforced the CONFIDENTIAL user-data-
> constraint: my guess is that it did not.


I have used the app in question on G1.0 (or a derived product).  When a
resource with CONFIDENTIAL user-data-constraint set is accessed over http,
the server did redirect to an HTTPS port (with tomcat, this redirection is
successful only if HTTPS is on port 443 and jetty had no problems
redirecting to any port configured in the connector).

thanks
> david jencks
>
> >
> > Thanks and regards,
> > Vamsi
>
>
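
Added example, not part of the original message and not Geronimo code: a small Python check that classifies each security-constraint in a web.xml as transport-only (like the one discussed in this thread), role-protected, or deny-all, which shows whether a descriptor actually depends on roles and a realm. The /admin/* constraint, the function names and the "kind" labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint quoted in the thread plus a
# hypothetical role-protected one for contrast (/admin/* is not from the thread).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <url-pattern>/secure/AuthorizationServlet</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Admin</web-resource-name><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    # Drop any '{namespace}' prefix so namespaced and bare descriptors both work.
    return tag.rsplit("}", 1)[-1]

def classify_constraints(web_xml_text):
    """Return one dict per <security-constraint>: patterns, transport, roles, kind."""
    # Assumes a trusted descriptor; use a hardened parser (e.g. defusedxml) otherwise.
    root = ET.fromstring(web_xml_text)
    results = []
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        patterns, roles, transport, has_auth = [], [], "NONE", False
        for el in sc.iter():
            name, text = local(el.tag), (el.text or "").strip()
            if name == "url-pattern":
                patterns.append(text)
            elif name == "auth-constraint":
                has_auth = True
            elif name == "role-name":
                roles.append(text)
            elif name == "transport-guarantee":
                transport = text
        if has_auth:  # an empty <auth-constraint/> means no role may access
            kind = "role-protected" if roles else "deny-all"
        elif transport in ("CONFIDENTIAL", "INTEGRAL"):
            kind = "transport-only"  # TLS required, no authentication or roles
        else:
            kind = "unconstrained"
        results.append({"patterns": patterns, "transport": transport, "roles": roles, "kind": kind})
    return results
```
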
