Return-Path: 
 <dev-return-41415-apmail-geronimo-dev-archive=geronimo.apache.org@geronimo.apache.org>
Delivered-To: apmail-geronimo-dev-archive@www.apache.org
Received: (qmail 51492 invoked from network); 16 Nov 2006 16:02:05 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 16 Nov 2006 16:02:04 -0000
Received: (qmail 71867 invoked by uid 500); 16 Nov 2006 16:02:12 -0000
Delivered-To: apmail-geronimo-dev-archive@geronimo.apache.org
Received: (qmail 71819 invoked by uid 500); 16 Nov 2006 16:02:12 -0000
Mailing-List: contact dev-help@geronimo.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:dev-help@geronimo.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@geronimo.apache.org>
List-Post: <mailto:dev@geronimo.apache.org>
Reply-To: dev@geronimo.apache.org
List-Id: <dev.geronimo.apache.org>
Delivered-To: mailing list dev@geronimo.apache.org
Received: (qmail 71798 invoked by uid 99); 16 Nov 2006 16:02:11 -0000
Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 16 Nov 2006 08:02:11 -0800
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO brutus.apache.org) (140.211.11.4)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 16 Nov 2006 08:02:00 -0800
Received: from brutus (localhost [127.0.0.1])
	by brutus.apache.org (Postfix) with ESMTP id 1B56371431A
	for <dev@geronimo.apache.org>; Thu, 16 Nov 2006 08:01:40 -0800 (PST)
Message-ID: <28468057.1163692900109.JavaMail.jira@brutus>
Date: Thu, 16 Nov 2006 08:01:40 -0800 (PST)
From: =?utf-8?Q?J=C3=A9r=C3=B4me_GODARD_=28JIRA=29?= <jira@apache.org>
To: dev@geronimo.apache.org
Subject: [jira] Updated: (GERONIMO-2564) Declaration of an anonymous role in
 geronimo-web.xml
In-Reply-To: <20379166.1163513438984.JavaMail.jira@brutus>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Virus-Checked: Checked by ClamAV on apache.org

     [ http://issues.apache.org/jira/browse/GERONIMO-2564?page=3Dall ]

J=C3=A9r=C3=B4me GODARD updated GERONIMO-2564:
------------------------------------

    Attachment: geronimo-web.xml

geronimo-web.xml

> Declaration of an anonymous role in geronimo-web.xml
> ----------------------------------------------------
>
>                 Key: GERONIMO-2564
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2564
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)=20
>          Components: security
>    Affects Versions: 1.1.1
>         Environment: Windows XP / Novell LDAP
>            Reporter: J=C3=A9r=C3=B4me GODARD
>            Priority: Critical
>         Attachments: geronimo-web.xml
>
>
> I want to automate the migration of a JSF WAS6 application to Geronimo.
> I try to defined a anonymous role like the J2EE role "EveryBody" in Websp=
here Application Server 6.
> My policy is to secure all the application (all jsp files of my web folde=
r) except the jsp in the subfolders "public" and "login" (since defining a =
security constraint on /* doesn't work, I declare a security rules on *.fac=
es).
> To do that, I first defined my security constraints in web.xml :
> I use 4 roles : User, Support, Admin and Everybody
> =09<security-constraint>
> =09=09<web-resource-collection>
> =09=09=09<web-resource-name>AllURI</web-resource-name>
> =09=09=09<description>Represent all the application URI</description>
> =09=09=09<url-pattern>*.faces</url-pattern>
> =09=09=09<url-pattern>/faces/*</url-pattern>
> =09=09=09<url-pattern>*.jsp</url-pattern>
> =09=09=09<url-pattern>*.jsf</url-pattern>
> =09=09</web-resource-collection>
> =09=09<auth-constraint>
> =09=09=09<description />
> =09=09=09<role-name>User</role-name>
> =09=09=09<role-name>Admin</role-name>
> =09=09=09<role-name>Support</role-name>
> =09=09</auth-constraint>
> =09=09<user-data-constraint>
> =09=09=09<transport-guarantee>NONE</transport-guarantee>
> =09=09</user-data-constraint>
> =09</security-constraint>
> =09<security-constraint>
> =09=09<web-resource-collection>
> =09=09=09<web-resource-name>Login</web-resource-name>
> =09=09=09<description>The login page resource</description>
> =09=09=09<url-pattern>/login/*</url-pattern>
> =09=09=09<http-method>GET</http-method>
> =09=09=09<http-method>POST</http-method>
> =09=09</web-resource-collection>=09
> =09=09<auth-constraint>
> =09=09=09<description />
> =09=09=09<role-name>EveryBody</role-name>
> =09=09</auth-constraint>
> =09=09<user-data-constraint>
> =09=09=09<transport-guarantee>CONFIDENTIAL</transport-guarantee>
> =09=09</user-data-constraint>
> =09</security-constraint>
> =09<security-constraint>
> =09=09<display-name>Constraints PUBLIC</display-name>
> =09=09<web-resource-collection>
> =09=09=09<web-resource-name>Theme Resources</web-resource-name>
> =09=09=09<description />
> =09=09=09<url-pattern>/templates/*</url-pattern>
> =09=09=09<url-pattern>/index.jsp</url-pattern>
> =09=09=09<url-pattern>/jscookmenu/*</url-pattern>
> =09=09=09<url-pattern>/</url-pattern>
> =09=09=09<http-method>GET</http-method>
> =09=09</web-resource-collection>
> =09=09<web-resource-collection>
> =09=09=09<web-resource-name>Public Area</web-resource-name>
> =09=09=09<description>allows acces under /public/</description>
> =09=09=09<url-pattern>/public/*</url-pattern>
> =09=09=09<http-method>GET</http-method>
> =09=09=09<http-method>POST</http-method>
> =09=09</web-resource-collection>
> =09=09<auth-constraint>
> =09=09=09<description />
> =09=09=09<role-name>EveryBody</role-name>
> =09=09</auth-constraint>
> =09=09<user-data-constraint>
> =09=09=09<transport-guarantee>NONE</transport-guarantee>
> =09=09</user-data-constraint>
> =09</security-constraint>
> =09<!-- Define the Login Configuration for the service provider -->
> =09<login-config>
> =09=09<auth-method>FORM</auth-method>
> =09=09<form-login-config>
> =09=09=09<form-login-page>/login/login.jsp</form-login-page>
> =09=09=09<form-error-page>/login/loginError.jsp</form-error-page>
> =09=09</form-login-config>
> =09</login-config>
> When I deploy it on geronimo, I use the following geronimo-web.xml file :
>   <security-realm-name>app-dev-ldap-realm</security-realm-name>
>   <sec:security>
>     <sec:default-principal realm-name=3D"app-dev-ldap-realm">
> =09=09<sec:principal name=3D"anonymous"
>       =09=09=09=09 class=3D"org.apache.geronimo.security.realm.providers.=
GeronimoUserPrincipal" />
>     </sec:default-principal>
>     <sec:role-mappings>
>    =20
>     =09<sec:role role-name=3D"User">
>     =09=09<sec:realm realm-name=3D"app-dev-ldap-realm">
>         =09=09<sec:principal name=3D"GP-ZONE3-AXE-USER"
>         =09=09=09class=3D"org.apache.geronimo.security.realm.providers.Ge=
ronimoGroupPrincipal" designated-run-as=3D"true" />
>         =09</sec:realm>
>     =09=09<sec:realm realm-name=3D"app-dev-ldap-realm">
>         =09=09<sec:principal name=3D"GP-ZONE3-AXE-MANAGER"
>         =09=09=09class=3D"org.apache.geronimo.security.realm.providers.Ge=
ronimoGroupPrincipal" />
>         =09</sec:realm>
>       =09</sec:role>
>       =09<sec:role role-name=3D"Support">
>     =09=09<sec:realm realm-name=3D"app-dev-ldap-realm">
>         =09=09<sec:principal name=3D"GP-ZONE3-AXE-MANAGER"
>         =09=09=09class=3D"org.apache.geronimo.security.realm.providers.Ge=
ronimoGroupPrincipal" />
>         =09</sec:realm>
>       =09</sec:role>
>       =09<sec:role role-name=3D"Admin">
>     =09=09<sec:realm realm-name=3D"app-dev-ldap-realm">
>         =09=09<sec:principal name=3D"GP-ZONE3-AXE-MANAGER"
>         =09=09=09class=3D"org.apache.geronimo.security.realm.providers.Ge=
ronimoGroupPrincipal" />
>         =09</sec:realm>
>       =09</sec:role>
>       =09      =09<sec:role role-name=3D"EveryBody">
>     =09=09<sec:realm realm-name=3D"app-dev-ldap-realm">
>         =09=09<sec:principal name=3D"anonymous"
>         =09=09=09class=3D"org.apache.geronimo.security.realm.providers.Ge=
ronimoUserPrincipal" />
>         =09</sec:realm>
>       =09</sec:role>
>     </sec:role-mappings>
>   </sec:security>
> I declare an anonymous user that I map to the EveryBody J2EE role (declar=
ed in web.xml). But when I deploy, login ressources and public pages still =
not be accessible by Everybody (ie : unauthentified user).
> It seems that the <default-principal/> rule do not affect the anonymous r=
ole to an unauthentified user like it should do.

--=20
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: htt=
p://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira