geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jérôme GODARD (JIRA) <j...@apache.org>
Subject [jira] Updated: (GERONIMO-2564) Declaration of an anonymous role in geronimo-web.xml
Date Thu, 16 Nov 2006 16:01:40 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-2564?page=all ]

Jérôme GODARD updated GERONIMO-2564:
------------------------------------

    Attachment: geronimo-web.xml

geronimo-web.xml

> Declaration of an anonymous role in geronimo-web.xml
> ----------------------------------------------------
>
>                 Key: GERONIMO-2564
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2564
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 1.1.1
>         Environment: Windows XP / Novell LDAP
>            Reporter: Jérôme GODARD
>            Priority: Critical
>         Attachments: geronimo-web.xml
>
>
> I want to automate the migration of a JSF WAS6 application to Geronimo.
> I try to defined a anonymous role like the J2EE role "EveryBody" in Websphere Application
Server 6.
> My policy is to secure all the application (all jsp files of my web folder) except the
jsp in the subfolders "public" and "login" (since defining a security constraint on /* doesn't
work, I declare a security rules on *.faces).
> To do that, I first defined my security constraints in web.xml :
> I use 4 roles : User, Support, Admin and Everybody
> 	<security-constraint>
> 		<web-resource-collection>
> 			<web-resource-name>AllURI</web-resource-name>
> 			<description>Represent all the application URI</description>
> 			<url-pattern>*.faces</url-pattern>
> 			<url-pattern>/faces/*</url-pattern>
> 			<url-pattern>*.jsp</url-pattern>
> 			<url-pattern>*.jsf</url-pattern>
> 		</web-resource-collection>
> 		<auth-constraint>
> 			<description />
> 			<role-name>User</role-name>
> 			<role-name>Admin</role-name>
> 			<role-name>Support</role-name>
> 		</auth-constraint>
> 		<user-data-constraint>
> 			<transport-guarantee>NONE</transport-guarantee>
> 		</user-data-constraint>
> 	</security-constraint>
> 	<security-constraint>
> 		<web-resource-collection>
> 			<web-resource-name>Login</web-resource-name>
> 			<description>The login page resource</description>
> 			<url-pattern>/login/*</url-pattern>
> 			<http-method>GET</http-method>
> 			<http-method>POST</http-method>
> 		</web-resource-collection>	
> 		<auth-constraint>
> 			<description />
> 			<role-name>EveryBody</role-name>
> 		</auth-constraint>
> 		<user-data-constraint>
> 			<transport-guarantee>CONFIDENTIAL</transport-guarantee>
> 		</user-data-constraint>
> 	</security-constraint>
> 	<security-constraint>
> 		<display-name>Constraints PUBLIC</display-name>
> 		<web-resource-collection>
> 			<web-resource-name>Theme Resources</web-resource-name>
> 			<description />
> 			<url-pattern>/templates/*</url-pattern>
> 			<url-pattern>/index.jsp</url-pattern>
> 			<url-pattern>/jscookmenu/*</url-pattern>
> 			<url-pattern>/</url-pattern>
> 			<http-method>GET</http-method>
> 		</web-resource-collection>
> 		<web-resource-collection>
> 			<web-resource-name>Public Area</web-resource-name>
> 			<description>allows acces under /public/</description>
> 			<url-pattern>/public/*</url-pattern>
> 			<http-method>GET</http-method>
> 			<http-method>POST</http-method>
> 		</web-resource-collection>
> 		<auth-constraint>
> 			<description />
> 			<role-name>EveryBody</role-name>
> 		</auth-constraint>
> 		<user-data-constraint>
> 			<transport-guarantee>NONE</transport-guarantee>
> 		</user-data-constraint>
> 	</security-constraint>
> 	<!-- Define the Login Configuration for the service provider -->
> 	<login-config>
> 		<auth-method>FORM</auth-method>
> 		<form-login-config>
> 			<form-login-page>/login/login.jsp</form-login-page>
> 			<form-error-page>/login/loginError.jsp</form-error-page>
> 		</form-login-config>
> 	</login-config>
> When I deploy it on geronimo, I use the following geronimo-web.xml file :
>   <security-realm-name>app-dev-ldap-realm</security-realm-name>
>   <sec:security>
>     <sec:default-principal realm-name="app-dev-ldap-realm">
> 		<sec:principal name="anonymous"
>       				 class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
/>
>     </sec:default-principal>
>     <sec:role-mappings>
>     
>     	<sec:role role-name="User">
>     		<sec:realm realm-name="app-dev-ldap-realm">
>         		<sec:principal name="GP-ZONE3-AXE-USER"
>         			class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
designated-run-as="true" />
>         	</sec:realm>
>     		<sec:realm realm-name="app-dev-ldap-realm">
>         		<sec:principal name="GP-ZONE3-AXE-MANAGER"
>         			class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
/>
>         	</sec:realm>
>       	</sec:role>
>       	<sec:role role-name="Support">
>     		<sec:realm realm-name="app-dev-ldap-realm">
>         		<sec:principal name="GP-ZONE3-AXE-MANAGER"
>         			class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
/>
>         	</sec:realm>
>       	</sec:role>
>       	<sec:role role-name="Admin">
>     		<sec:realm realm-name="app-dev-ldap-realm">
>         		<sec:principal name="GP-ZONE3-AXE-MANAGER"
>         			class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
/>
>         	</sec:realm>
>       	</sec:role>
>       	      	<sec:role role-name="EveryBody">
>     		<sec:realm realm-name="app-dev-ldap-realm">
>         		<sec:principal name="anonymous"
>         			class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
/>
>         	</sec:realm>
>       	</sec:role>
>     </sec:role-mappings>
>   </sec:security>
> I declare an anonymous user that I map to the EveryBody J2EE role (declared in web.xml).
But when I deploy, login ressources and public pages still not be accessible by Everybody
(ie : unauthentified user).
> It seems that the <default-principal/> rule do not affect the anonymous role to
an unauthentified user like it should do.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

Mime
View raw message