[ http://issues.apache.org/jira/browse/GERONIMO-2564?page=comments#action_12450436 ]

Jérôme GODARD commented on GERONIMO-2564:
-----------------------------------------

Yes, I use geronimo 1.1.1 to develop; my target is little-G 1.1.1.

I provide in attachment my last version of geronimo-web.xml. It conforms to schemas/geronimo-security-1.1.xsd; I used the eclipse plugin devtool (http://geronimo.apache.org/devtools.html) to create it.

I thought that, using the tag, I could map unauthenticated users to a J2EE role (like the EveryBody role in Websphere). I saw in the following documentation, http://www.chariotsolutions.com/geronimo/geronimo-1.1/geronimo-html-one-page.html#figure-web-security-principal :

"default-principal : Holds a principal which will be used any time an unauthenticated user accesses an unsecured page...."

I saw also that "default-role : This attribute is not applicable to web applications."

But if I connect to an unsecured page without being logged in, the method "isUserInRole()" in my jsp doesn't return anything.

Thanks for your help.

> Declaration of an anonymous role in geronimo-web.xml
> ----------------------------------------------------
>
>                 Key: GERONIMO-2564
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2564
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: security
>    Affects Versions: 1.1.1
>         Environment: Windows XP / Novell LDAP
>            Reporter: Jérôme GODARD
>            Priority: Critical
>
> I want to automate the migration of a JSF WAS6 application to Geronimo.
> I try to define an anonymous role like the J2EE role "EveryBody" in Websphere Application Server 6.
> My policy is to secure all the application (all jsp files of my web folder) except the jsp in the subfolders "public" and "login" (since defining a security constraint on /* doesn't work, I declare a security rule on *.faces).
> To do that, I first defined my security constraints in web.xml.
> I use 4 roles: User, Support, Admin and Everybody.
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>AllURI</web-resource-name>
>         <description>Represent all the application URI</description>
>         <url-pattern>*.faces</url-pattern>
>         <url-pattern>/faces/*</url-pattern>
>         <url-pattern>*.jsp</url-pattern>
>         <url-pattern>*.jsf</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>User</role-name>
>         <role-name>Admin</role-name>
>         <role-name>Support</role-name>
>       </auth-constraint>
>       <user-data-constraint>
>         <transport-guarantee>NONE</transport-guarantee>
>       </user-data-constraint>
>     </security-constraint>
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Login</web-resource-name>
>         <description>The login page resource</description>
>         <url-pattern>/login/*</url-pattern>
>         <http-method>GET</http-method>
>         <http-method>POST</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>EveryBody</role-name>
>       </auth-constraint>
>       <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>       </user-data-constraint>
>     </security-constraint>
>
>     <security-constraint>
>       <display-name>Constraints PUBLIC</display-name>
>       <web-resource-collection>
>         <web-resource-name>Theme Resources</web-resource-name>
>         <url-pattern>/templates/*</url-pattern>
>         <url-pattern>/index.jsp</url-pattern>
>         <url-pattern>/jscookmenu/*</url-pattern>
>         <url-pattern>/</url-pattern>
>         <http-method>GET</http-method>
>       </web-resource-collection>
>       <web-resource-collection>
>         <web-resource-name>Public Area</web-resource-name>
>         <description>allows access under /public/</description>
>         <url-pattern>/public/*</url-pattern>
>         <http-method>GET</http-method>
>         <http-method>POST</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>EveryBody</role-name>
>       </auth-constraint>
>       <user-data-constraint>
>         <transport-guarantee>NONE</transport-guarantee>
>       </user-data-constraint>
>     </security-constraint>
>
>     <login-config>
>       <auth-method>FORM</auth-method>
>       <form-login-config>
>         <form-login-page>/login/login.jsp</form-login-page>
>         <form-error-page>/login/loginError.jsp</form-error-page>
>       </form-login-config>
>     </login-config>
>
> When I deploy it on geronimo, I use the following geronimo-web.xml file:
>
>     app-dev-ldap-realm
>     class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
>     class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" designated-run-as="true" />
>     class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
>     class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
>     class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
>     class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
>
> I declare an anonymous user that I map to the EveryBody J2EE role (declared in web.xml). But when I deploy, login resources and public pages are still not accessible by Everybody (i.e. unauthenticated users).
> It seems that the rule does not assign the anonymous role to an unauthenticated user as it should.
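The point a reviewer would raise about the constraint set quoted above is independent of the default-principal mapping: under the Servlet specification, a security-constraint whose auth-constraint names roles is satisfied only by an authenticated user in one of those roles, whatever the role is called, and HttpServletRequest.isUserInRole() returns false for a request that has not been authenticated. What lets an unauthenticated request through is a constraint on the best-matching url-pattern that has no auth-constraint at all. The script below, added here as an example and not code from the issue or from the Geronimo project, applies the specification's rules (select the best-matching url-pattern, apply only collections that cover the request method, combine roles and transport guarantees) to a constructed web.xml modelled on the report, then shows the effect of dropping the auth-constraint from the public area. The WEB_XML sample, the function names and the Decision type are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed sample, not the reporter's file: url-patterns and role names follow the
# report, element names follow the web-app 2.4 schema. "Public Area" names EveryBody,
# exactly the configuration the report says does not open the page to anonymous users.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AllURI</web-resource-name>
      <url-pattern>*.faces</url-pattern>
      <url-pattern>/faces/*</url-pattern>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.jsf</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>User</role-name>
      <role-name>Admin</role-name>
      <role-name>Support</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>EveryBody</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public Area</web-resource-name>
      <url-pattern>/public/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>EveryBody</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


@dataclass(frozen=True)
class Decision:
    pattern: Optional[str]  # url-pattern the container selects (None: nothing matches)
    access: str             # "anonymous", "roles", "any-authenticated" or "denied"
    roles: frozenset        # roles that satisfy the constraint when access == "roles"
    transport: str          # NONE, INTEGRAL or CONFIDENTIAL


def _parse(web_xml):
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop the schema namespace so tags match by local name
        el.tag = el.tag.split("}", 1)[-1]
    return root


def _rules(root):
    """Yield (url-pattern, http-methods, roles-or-None, transport) per declared pattern."""
    for sc in root.findall("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else frozenset(r.text.strip() for r in ac.findall("role-name"))
        tg = sc.find("user-data-constraint/transport-guarantee")
        transport = "NONE" if tg is None else tg.text.strip().upper()
        for wrc in sc.findall("web-resource-collection"):
            methods = frozenset(m.text.strip().upper() for m in wrc.findall("http-method"))
            for up in wrc.findall("url-pattern"):
                yield up.text.strip(), methods, roles, transport


def best_match(patterns, path):
    """Servlet mapping order: exact match, longest path prefix, extension, default '/'."""
    if path in patterns:
        return path
    prefixes = [p for p in patterns if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-2] + "/"))]
    if prefixes:
        return max(prefixes, key=len)
    name = path.rsplit("/", 1)[-1]
    if "." in name and "*." + name.rsplit(".", 1)[-1] in patterns:
        return "*." + name.rsplit(".", 1)[-1]
    return "/" if "/" in patterns else None


def decide(web_xml, path, method="GET"):
    """Combine the constraints on the best-matching pattern as the specification requires."""
    rules = list(_rules(_parse(web_xml)))
    pattern = best_match({r[0] for r in rules}, path)
    # a collection listing http-methods constrains only those; one listing none constrains all
    hits = [r for r in rules if r[0] == pattern and (not r[1] or method.upper() in r[1])]
    if not hits:
        return Decision(pattern, "anonymous", frozenset(), "NONE")
    auths = [r[2] for r in hits]
    roles = frozenset().union(*(a for a in auths if a))
    if any(a is not None and not a for a in auths):
        access = "denied"            # an empty <auth-constraint/> precludes all access
    elif any(a is None for a in auths):
        access = "anonymous"         # no auth-constraint: unauthenticated access allowed
    elif "*" in roles:
        access = "any-authenticated"
    else:
        access = "roles"             # named roles, "EveryBody" included, require a login
    guarantees = {r[3] for r in hits}
    transport = ("NONE" if "NONE" in guarantees
                 else "CONFIDENTIAL" if "CONFIDENTIAL" in guarantees else "INTEGRAL")
    return Decision(pattern, access, roles, transport)


def allow_anonymous(web_xml, resource_name):
    """The fix for a public area: remove the auth-constraint from the constraint owning it."""
    root = _parse(web_xml)
    for sc in root.findall("security-constraint"):
        names = {n.text.strip() for n in sc.findall("web-resource-collection/web-resource-name")}
        ac = sc.find("auth-constraint")
        if resource_name in names and ac is not None:
            sc.remove(ac)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, method in [("/public/index.jsp", "GET"), ("/login/login.jsp", "PUT")]:
        print(path, method, decide(WEB_XML, path, method))
    print("after fix:", decide(allow_anonymous(WEB_XML, "Public Area"), "/public/index.jsp"))
```

Two things the audit makes visible that a container's 403 or redirect to the login page does not: with EveryBody in the auth-constraint, GET /public/index.jsp resolves to access "roles" (a login is demanded), and it becomes "anonymous" only once the auth-constraint is gone; and because the Login and Public Area collections list only GET and POST, any other verb on those prefixes is unconstrained, since the best-matching pattern (/login/*, /public/*) is selected before the *.jsp constraint is ever considered.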