geronimo-dev mailing list archives

From "Aman Nanner (JIRA)" <>
Subject [jira] Created: (GERONIMO-3357) <run-as> role is ignored in web.xml
Date Thu, 26 Jul 2007 21:10:04 GMT
<run-as> role is ignored in web.xml

                 Key: GERONIMO-3357
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: security
    Affects Versions: 2.0-M7
         Environment: Windows XP SP2
            Reporter: Aman Nanner
            Priority: Critical
             Fix For: 2.0

It seems that any <run-as> roles defined in a web.xml of a web application are ignored.
For example, consider the following web.xml fragment:


The JSP is never run as the TESTSYSTEM role in this case, and thus access to
method-restricted EJBs fails from the JSP.  I cannot see in the TomcatGeronimoRealm
where this "run-as" role is being set, or if it is accessing the credential store
to get the run-as subject.

Below is the fragment of my geronimo-application.xml where I define the
security policy:
         <security:role role-name="TESTSYSTEM">
            <security:realm realm-name="TestingRealm">
name="TESTSYSTEM" />
   <sys:gbean name="TestingRealm"
      <sys:attribute name="realmName">TestingRealm</sys:attribute>
      <sys:reference name="ServerInfo">
      <sys:xml-reference name="LoginModuleConfiguration">
            <log:login-module control-flag="REQUIRED"

               <log:option name="userSelect">SELECT username, password FROM utl_user WHERE username=?</log:option>
               <log:option name="groupSelect">SELECT name, 'TESTSYSTEM' as role_name FROM dual</log:option>
   <sys:gbean name="MyCredentialStore"
      <xml-attribute name="credentialStore">
            <!-- uncomment this and the default subject in the jetty console plan gives you admin console permissions -->
            <realm name="TestingRealm">



This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
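
An added example, not part of the original report or of Geronimo's code: a small audit that lists every servlet or JSP in a web.xml that declares <run-as> and whether that role also appears in a <security-role> element, which gives the set of components whose EJB calls should be tested under the run-as role after deployment. The sample descriptor is constructed; only the role name TESTSYSTEM comes from the report, and the servlet names, paths and the BATCH role are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not the reporter's file). Only the role name
# TESTSYSTEM comes from the report; servlet names, paths and BATCH are hypothetical.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>ReportPage</servlet-name>
    <jsp-file>/report.jsp</jsp-file>
    <run-as><role-name>TESTSYSTEM</role-name></run-as>
  </servlet>
  <servlet>
    <servlet-name>BatchServlet</servlet-name>
    <servlet-class>example.BatchServlet</servlet-class>
    <run-as><role-name>BATCH</role-name></run-as>
  </servlet>
  <servlet>
    <servlet-name>PlainServlet</servlet-name>
    <servlet-class>example.PlainServlet</servlet-class>
  </servlet>
  <security-role><role-name>TESTSYSTEM</role-name></security-role>
</web-app>"""


def local(tag):
    """Strip the XML namespace so J2EE 1.4 and Java EE 5 descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, *path):
    """Follow a chain of child element names; return the text, or None if absent."""
    for name in path:
        elem = next((c for c in elem if local(c.tag) == name), None)
        if elem is None:
            return None
    return (elem.text or "").strip()


def audit_run_as(web_xml):
    """Return one record per servlet or JSP that declares <run-as>."""
    root = ET.fromstring(web_xml)
    declared = {child_text(e, "role-name") for e in root if local(e.tag) == "security-role"}
    findings = []
    for servlet in (e for e in root if local(e.tag) == "servlet"):
        role = child_text(servlet, "run-as", "role-name")
        if role is not None:  # without <run-as> the caller's identity is propagated
            target = child_text(servlet, "jsp-file") or child_text(servlet, "servlet-class")
            findings.append({"servlet": child_text(servlet, "servlet-name"), "target": target,
                             "run_as": role, "role_declared": role in declared})
    return findings
```

A record with role_declared set to False points at a descriptor problem rather than a container one, so it helps separate the two before filing or triaging a report like this one.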
