geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jérôme GODARD (JIRA) <j...@apache.org>
Subject [jira] Commented: (GERONIMO-1585) Web app security on /* causes deployment exception
Date Fri, 10 Nov 2006 16:20:37 GMT
    [ http://issues.apache.org/jira/browse/GERONIMO-1585?page=comments#action_12448789 ] 
            
Jérôme GODARD commented on GERONIMO-1585:
-----------------------------------------

I modify the geronimo-security-1.1.1.jar file with the security.patch to use the "/*" to secure
all pages of my JSF application, but I also want to let the login page (with the resources
it used like jpg, css etc) be accessible by everybody (unauthentified). With Websphere 6,
I use the J2EE role EveryBody to do that :

Extract of my web.xml :

	<security-constraint>
		<web-resource-collection>
			<web-resource-name>AllURI</web-resource-name>
			<description>Represent all the application URI</description>
			<url-pattern>/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<description />
			<role-name>User</role-name>
			<role-name>Admin</role-name>
			<role-name>Support</role-name>
		</auth-constraint>
		<user-data-constraint>
			<transport-guarantee>NONE</transport-guarantee>
		</user-data-constraint>
	</security-constraint>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>Login</web-resource-name>
			<description>The login page resource</description>
			<url-pattern>/login/*</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>	
		<auth-constraint>
			<description />
			<role-name>EveryBody</role-name>
		</auth-constraint>
		<user-data-constraint>
			<transport-guarantee>CONFIDENTIAL</transport-guarantee>
		</user-data-constraint>
	</security-constraint>
	<security-constraint>
		<display-name>Constraints PUBLIC</display-name>
		<web-resource-collection>
			<web-resource-name>Theme Resources</web-resource-name>
			<description />
			<url-pattern>/templates/*</url-pattern>
			<url-pattern>/index.jsp</url-pattern>
			<url-pattern>/jscookmenu/*</url-pattern>
			<url-pattern>/</url-pattern>
			<http-method>GET</http-method>
		</web-resource-collection>
		<web-resource-collection>
			<web-resource-name>Public Area</web-resource-name>
			<description>allows acces under /public/</description>
			<url-pattern>/public/*</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>
		<auth-constraint>
			<description />
			<role-name>EveryBody</role-name>
		</auth-constraint>
		<user-data-constraint>
			<transport-guarantee>NONE</transport-guarantee>
		</user-data-constraint>
	</security-constraint>

When I deploy it on geronimo, I use the following geronimo-web.xml file :

  <security-realm-name>app-dev-ldap-realm</security-realm-name>
  <sec:security>
    <sec:default-principal realm-name="app-dev-ldap-realm">
		<sec:principal name="anonymous"
      				 class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
    </sec:default-principal>
    <sec:role-mappings>
    
    	<sec:role role-name="User">
    		<sec:realm realm-name="app-dev-ldap-realm">
        		<sec:principal name="GP-ZONE3-AXE-USER"
        			class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" designated-run-as="true"
/>
        	</sec:realm>
    		<sec:realm realm-name="app-dev-ldap-realm">
        		<sec:principal name="GP-ZONE3-AXE-MANAGER"
        			class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
        	</sec:realm>
      	</sec:role>
      	<sec:role role-name="Support">
    		<sec:realm realm-name="app-dev-ldap-realm">
        		<sec:principal name="GP-ZONE3-AXE-MANAGER"
        			class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
        	</sec:realm>
      	</sec:role>
      	<sec:role role-name="Admin">
    		<sec:realm realm-name="app-dev-ldap-realm">
        		<sec:principal name="GP-ZONE3-AXE-MANAGER"
        			class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
        	</sec:realm>
      	</sec:role>
      	      	<sec:role role-name="EveryBody">
    		<sec:realm realm-name="app-dev-ldap-realm">
        		<sec:principal name="anonymous"
        			class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
        	</sec:realm>
      	</sec:role>
    </sec:role-mappings>
  </sec:security>

I declare an anonymous user that I map to the EveryBody J2EE role (declared in web.xml). But
when I deploy, login ressources and public pages still not be accessible by Everybody (ie
: unauthentified user).



> Web app security on /* causes deployment exception
> --------------------------------------------------
>
>                 Key: GERONIMO-1585
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-1585
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: web, security
>    Affects Versions: 1.1
>         Environment: Geronimo 1.0 with Jetty and tomcat
>            Reporter: Aaron Mulder
>            Priority: Critical
>             Fix For: 1.1.x
>
>         Attachments: security.patch
>
>
> Deploying a web app with the following security block causes a deployment error:
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>All Pages</web-resource-name>
>             <url-pattern>/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>User</role-name>
>         </auth-constraint>
>     </security-constraint>
> Note this is essentially right out of the spec (see SRV.12.8.2 in the Servlet 2.4 spec).
> The error is:
>     org.apache.geronimo.common.DeploymentException: Unable to initialize webapp GBean
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:842)
>         ...
>     Caused by: java.lang.IllegalArgumentException: Qualifier patterns in the URLPatternSpec
cannot match the first URLPattern
>         at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:54)
>         at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:54)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.buildSpecSecurityConfig(JettyModuleBuilder.java:1215)
>         at org.apache.geronimo.jetty.deployment.JettyModuleBuilder.addGBeans(JettyModuleBuilder.java:821)
>         ... 70 more
> Changing the url-pattern to / fixes the problem, but it seems to me that /* ought to
work too.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

Mime
View raw message