From: David Jencks
Subject: Re: Problem deploying web applications that have security-constraints in web.xml but use no authentication and security roles
Date: Sun, 6 Aug 2006 00:30:20 -0700
To: dev@geronimo.apache.org

On Aug 5, 2006, at 11:09 PM, Vamsavardhana Reddy wrote:

> Hi,
>
> I have a web application that has the following security-constraint
> in the web.xml
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Secure</web-resource-name>
>     <url-pattern>/secure/AuthorizationServlet</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> My application does not use any security roles and does not
> authenticate against any security realm. All this
> security-constraint does is that the requests are forwarded to HTTPS port
> (enabled for ClientAuth) and the application uses Client
> Certificates for authorization. In G1.0, I could deploy this
> application without using a geronimo-web.xml and the application
> runs fine.
>
> G1.1 does not allow me to deploy this application without a
> deployment plan. Even with a deployment plan, G1.1 comes back with
> errors that there are no security elements in the deployment plan.
> The following messages are displayed in the console.
>
> Deployer operation failed: web.xml for web app tutorial/cert-auth-sample/1.0/war
> includes security elements but Geronimo deployment plan is not provided or does
> not contain element necessary to configure security accordingly.
> org.apache.geronimo.common.DeploymentException: web.xml for web app
> tutorial/cert-auth-sample/1.0/war includes security elements but Geronimo
> deployment plan is not provided or does not contain element necessary to
> configure security accordingly.
>
> Clearly, I can not put any security-realm-name and role-mapping
> elements in geronimo-web.xml. If I put a security-realm-name tag
> and/or role-mappings to get past the deployment, access to the
> resource will be denied since I have not put any auth-constraint
> tags in web.xml

Did you check this? I'd expect that everything would work as expected if you supply a security-realm-name and that you will be able to access pages without logging in.

>
> Any suggestions on how to get past this problem? Or is this a bug
> in G1.1?

I have to regard it as a bug in G1.1, although if supplying a security-realm-name works it's a fairly minor bug. I'm very curious about whether G1.0 actually enforced the CONFIDENTIAL user-data-constraint: my guess is that it did not.

thanks
david jencks

>
> Thanks and regards,
> Vamsi
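
Added example, not part of the original thread or of Geronimo: a small Python audit that reads a web.xml and reports, for each security-constraint, whether it carries an auth-constraint and whether its transport-guarantee demands TLS, which is the distinction the exchange above turns on. The function names, the `/admin/*` constraint and the `admin` role are constructed for illustration; each constraint is evaluated on its own, without the servlet specification's rules for combining overlapping url-patterns or http-method filters.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint quoted in the thread plus one
# role-protected constraint (the /admin/* entry and "admin" role are hypothetical).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <url-pattern>/secure/AuthorizationServlet</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def texts(node, name):
    """Text of every element called `name` under node, ignoring the XML namespace."""
    return [(e.text or "").strip() for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_constraints(web_xml_text):
    """Summarise each security-constraint: url-patterns, who may access, TLS needed."""
    findings = []
    for sc in ET.fromstring(web_xml_text).iter():
        if sc.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        has_auth = bool(texts(sc, "auth-constraint"))  # one entry per element found
        roles = texts(sc, "role-name")
        transport = (texts(sc, "transport-guarantee") or ["NONE"])[0]
        if not has_auth:
            access = "anyone, no login"   # no auth-constraint: no role check applies
        elif roles:
            access = "roles: " + ",".join(roles)
        else:
            access = "nobody"             # auth-constraint naming no roles denies all
        findings.append({"patterns": texts(sc, "url-pattern"), "access": access,
                         "tls_required": transport in ("CONFIDENTIAL", "INTEGRAL")})
    return findings

if __name__ == "__main__":
    for finding in audit_constraints(SAMPLE_WEB_XML):
        print(finding)
```

Run against a real descriptor, a constraint reported as "anyone, no login" with `tls_required` set is the transport-only case from the thread: the container is expected to enforce HTTPS, and any authorization decision is left to the application.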