geronimo-dev mailing list archives

From "David Jencks (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-3357) <run-as> role is ignored in web.xml
Date Tue, 31 Jul 2007 23:11:54 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12516820 ]

David Jencks commented on GERONIMO-3357:
----------------------------------------

OK, with your app I see the problem, at least in jetty.  The difference between our apps is
that yours uses the default subject in the web app, whereas mine uses an authenticated subject
in the web app.

> <run-as> role is ignored in web.xml
> -----------------------------------
>
>                 Key: GERONIMO-3357
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3357
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.0-M7
>         Environment: Windows XP SP2
>            Reporter: Aman Nanner
>            Assignee: David Jencks
>            Priority: Critical
>             Fix For: 2.0
>
>         Attachments: testing.ear.zip
>
>
> It seems that any <run-as> roles defined in a web.xml of a web application are
> ignored.  For example, consider the following web.xml fragment:
> {code:xml}
>    <servlet>
>       <servlet-name>ExceptionPage</servlet-name>
>       <jsp-file>/error/Exception.jsp</jsp-file>
>       <run-as>
>          <role-name>TESTSYSTEM</role-name>
>       </run-as>
>    </servlet>
> {code}
> The JSP is never run as the TESTSYSTEM role in this case, and thus access to method-restricted
> EJBs fails from the JSP.  I cannot see in the
> TomcatGeronimoRealm where this "run-as" role is being set, or if it is accessing the
> credential store to get the run-as subject.
> Below is the fragment of my geronimo-application.xml where I define the
> security policy:
> {code:xml}
>    <security:security>
>       <security:credential-store>
>          <security:pattern>
>             <sys:name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">MyCredentialStore</sys:name>
>          </security:pattern>
>       </security:credential-store>
>       <security:role-mappings>
>          <security:role role-name="TESTSYSTEM">
>             <security:run-as-subject>
>                <security:realm>TestingRealm</security:realm>
>                <security:id>test-system</security:id>
>             </security:run-as-subject>
>             <security:realm realm-name="TestingRealm">
>                <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="TESTSYSTEM" />
>             </security:realm>
>          </security:role>
>       </security:role-mappings>
>    </security:security>
>    <sys:gbean name="TestingRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>       <sys:attribute name="realmName">TestingRealm</sys:attribute>
>       <sys:reference name="ServerInfo">
>          <sys:name>ServerInfo</sys:name>
>       </sys:reference>
>       <sys:xml-reference name="LoginModuleConfiguration">
>          <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>             <log:login-module control-flag="REQUIRED" wrap-principals="false">
>                <log:login-domain-name>TestingRealm</log:login-domain-name>
>                <log:login-module-class>com.testing.security.TestingLoginModule</log:login-module-class>
>                <log:option name="userSelect">SELECT username, password FROM utl_user WHERE username=?</log:option>
>                <log:option name="dataSourceApplication">Mxi/Testing/1/ear</log:option>
>                <log:option name="groupSelect">SELECT name, 'TESTSYSTEM' as role_name FROM dual</log:option>
>                <log:option name="dataSourceName">com/testing/jdbc/TestDS</log:option>
>             </log:login-module>
>          </log:login-config>
>       </sys:xml-reference>
>    </sys:gbean>
>    <sys:gbean name="MyCredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>       <xml-attribute name="credentialStore">
>          <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>             <!-- uncomment this and the default subject in the jetty console plan gives you admin console permissions -->
>             <realm name="TestingRealm">
>                <subject>
>                   <id>test-system</id>
>                   <credential>
>                      <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
>                      <value>ananner</value>
>                   </credential>
>                   <credential>
>                      <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
>                      <value>password</value>
>                   </credential>
>                </subject>
>             </realm>
>          </credential-store>
>       </xml-attribute>
>    </sys:gbean>
> {code}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
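A descriptor-level consistency check, added here as an example; it is not part of the issue and not Geronimo's own code. It parses a web.xml and a geronimo-application.xml (constructed samples modelled on the fragments quoted above, with a second servlet added whose role deliberately has no run-as subject; the namespace URIs other than deployment-1.2 are assumptions, and matching is on local element names so they do not affect the result) and reports every <run-as> role that has no role mapping, no <run-as-subject>, or a subject that is absent from the credential store. It only rules out descriptor mismatches before a bug is filed; it cannot detect the container-side behaviour discussed in the comment, where a correctly declared run-as is ignored for the default subject.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml modelled on the issue's fragment; the second servlet's
# role (REPORTER) is deliberately left without a run-as subject in the plan.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>ExceptionPage</servlet-name>
    <jsp-file>/error/Exception.jsp</jsp-file>
    <run-as><role-name>TESTSYSTEM</role-name></run-as>
  </servlet>
  <servlet>
    <servlet-name>Reports</servlet-name>
    <jsp-file>/reports/Index.jsp</jsp-file>
    <run-as><role-name>REPORTER</role-name></run-as>
  </servlet>
</web-app>"""

# Constructed, condensed geronimo-application.xml; namespace URIs (except
# deployment-1.2, which the issue shows) are assumptions.
PLAN_XML = """<application xmlns="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
    xmlns:sys="http://geronimo.apache.org/xml/ns/deployment-1.2"
    xmlns:security="http://geronimo.apache.org/xml/ns/security-2.0">
  <security:security>
    <security:role-mappings>
      <security:role role-name="TESTSYSTEM">
        <security:run-as-subject>
          <security:realm>TestingRealm</security:realm>
          <security:id>test-system</security:id>
        </security:run-as-subject>
      </security:role>
      <security:role role-name="REPORTER"/>
    </security:role-mappings>
  </security:security>
  <sys:gbean name="MyCredentialStore"
      class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
    <xml-attribute name="credentialStore">
      <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
        <realm name="TestingRealm">
          <subject><id>test-system</id></subject>
        </realm>
      </credential-store>
    </xml-attribute>
  </sys:gbean>
</application>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    """Yield every element in elem's subtree (elem included) with local name `name`."""
    for e in elem.iter():
        if _local(e.tag) == name:
            yield e


def _text(elem, name):
    return next(_find_all(elem, name)).text.strip()


def run_as_roles(web_xml):
    """Map servlet-name -> run-as role-name for each servlet declaring <run-as>."""
    roles = {}
    for servlet in _find_all(ET.fromstring(web_xml), "servlet"):
        for run_as in _find_all(servlet, "run-as"):
            roles[_text(servlet, "servlet-name")] = _text(run_as, "role-name")
    return roles


def role_mappings(plan_xml):
    """Map role-name -> (realm, id) of its <run-as-subject>, or None if it has none."""
    mappings = {}
    for role in _find_all(ET.fromstring(plan_xml), "role"):
        subject = next(_find_all(role, "run-as-subject"), None)
        mappings[role.get("role-name")] = (
            None if subject is None else (_text(subject, "realm"), _text(subject, "id"))
        )
    return mappings


def credential_subjects(plan_xml):
    """Collect (realm name, subject id) pairs defined in the credential store."""
    subjects = set()
    for store in _find_all(ET.fromstring(plan_xml), "credential-store"):
        for realm in _find_all(store, "realm"):
            for subject in _find_all(realm, "subject"):
                subjects.add((realm.get("name"), _text(subject, "id")))
    return subjects


def check_run_as(web_xml, plan_xml):
    """One finding per servlet whose run-as role cannot resolve to a stored subject."""
    findings = []
    mappings = role_mappings(plan_xml)
    subjects = credential_subjects(plan_xml)
    for servlet, role in run_as_roles(web_xml).items():
        if role not in mappings:
            findings.append(f"{servlet}: run-as role {role!r} has no <security:role> mapping")
        elif mappings[role] is None:
            findings.append(f"{servlet}: role {role!r} is mapped but has no <run-as-subject>")
        elif mappings[role] not in subjects:
            realm, sid = mappings[role]
            findings.append(f"{servlet}: subject {sid!r} in realm {realm!r} is not in the credential store")
    return findings
```

Run `check_run_as(WEB_XML, PLAN_XML)` and the only finding is for the Reports servlet, whose REPORTER role has a mapping but no <run-as-subject>; ExceptionPage resolves cleanly, which is the situation the issue describes: the descriptors are consistent, yet the container still does not switch the subject.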

