geronimo-dev mailing list archives

From "Aman Nanner (JIRA)" <j...@apache.org>
Subject [jira] Created: (GERONIMO-3357) <run-as> role is ignored in web.xml
Date Thu, 26 Jul 2007 21:10:04 GMT
<run-as> role is ignored in web.xml
-----------------------------------

                 Key: GERONIMO-3357
                 URL: https://issues.apache.org/jira/browse/GERONIMO-3357
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: security
    Affects Versions: 2.0-M7
         Environment: Windows XP SP2
            Reporter: Aman Nanner
            Priority: Critical
             Fix For: 2.0


It seems that any <run-as> roles defined in a web.xml of a web application are ignored. For example, consider the following web.xml fragment:

{code:xml}
   <servlet>
      <servlet-name>ExceptionPage</servlet-name>
      <jsp-file>/error/Exception.jsp</jsp-file>
      <run-as>
         <role-name>TESTSYSTEM</role-name>
      </run-as>
   </servlet>
{code}

The JSP is never run as the TESTSYSTEM role in this case, and thus access to method-restricted EJBs fails from the JSP. I cannot see in the TomcatGeronimoRealm where this "run-as" role is being set, or if it is accessing the credential store to get the run-as subject.

Below is the fragment of my geronimo-application.xml where I define the security policy:
{code:xml}
   <security:security>
      <security:credential-store>
         <security:pattern>
            <sys:name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">MyCredentialStore</sys:name>
         </security:pattern>
      </security:credential-store>
      <security:role-mappings>
         <security:role role-name="TESTSYSTEM">
            <security:run-as-subject>
               <security:realm>TestingRealm</security:realm>
               <security:id>test-system</security:id>
            </security:run-as-subject>
            <security:realm realm-name="TestingRealm">
               <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="TESTSYSTEM" />
            </security:realm>
         </security:role>
      </security:role-mappings>
   </security:security>
   <sys:gbean name="TestingRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
      <sys:attribute name="realmName">TestingRealm</sys:attribute>
      <sys:reference name="ServerInfo">
         <sys:name>ServerInfo</sys:name>
      </sys:reference>
      <sys:xml-reference name="LoginModuleConfiguration">
         <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
            <log:login-module control-flag="REQUIRED" wrap-principals="false">
               <log:login-domain-name>TestingRealm</log:login-domain-name>
               <log:login-module-class>com.testing.security.TestingLoginModule</log:login-module-class>
               <log:option name="userSelect">SELECT username, password FROM utl_user WHERE username=?</log:option>
               <log:option name="dataSourceApplication">Mxi/Testing/1/ear</log:option>
               <log:option name="groupSelect">SELECT name, 'TESTSYSTEM' as role_name FROM dual</log:option>
               <log:option name="dataSourceName">com/testing/jdbc/TestDS</log:option>
            </log:login-module>
         </log:login-config>
      </sys:xml-reference>
   </sys:gbean>
   <sys:gbean name="MyCredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
      <xml-attribute name="credentialStore">
         <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
            <!-- uncomment this and the default subject in the jetty console plan gives you admin console permissions -->
            <realm name="TestingRealm">
               <subject>
                  <id>test-system</id>
                  <credential>
                     <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
                     <value>ananner</value>
                  </credential>
                  <credential>
                     <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
                     <value>password</value>
                  </credential>
               </subject>
            </realm>
         </credential-store>
      </xml-attribute>
   </sys:gbean>
{code}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
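The report relies on a three-link chain: the web.xml `<run-as>` role-name must map to a `<security:role>` carrying a `<security:run-as-subject>`, and that subject's realm and id must exist in the credential store. The validator below is an added example (not part of the report or of Geronimo) that checks those links mechanically so a misconfiguration can be told apart from the server bug described above; the sample descriptors are constructed from the fragments in the report, and the `urn:constructed:*` namespace URIs are placeholders.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # ElementTree tags look like "{uri}name"; match on the local name

def _child_text(elem, name):
    return next((c.text.strip() for c in elem if _local(c.tag) == name and c.text), None)

def run_as_roles(web_xml):
    """Map servlet-name -> <run-as> role-name for every servlet that declares one."""
    roles = {}
    for servlet in ET.fromstring(web_xml).iter():
        run_as = next((c for c in servlet if _local(c.tag) == "run-as"), None)
        if _local(servlet.tag) == "servlet" and run_as is not None:
            roles[_child_text(servlet, "servlet-name")] = _child_text(run_as, "role-name")
    return roles

def check_run_as_wiring(web_xml, plan_xml):
    """Return problems found; an empty list means every run-as role resolves to a stored subject."""
    subjects, stored = {}, set()
    for el in ET.fromstring(plan_xml).iter():
        if _local(el.tag) == "role":  # <security:role role-name="..."> with a run-as-subject
            ras = next((c for c in el if _local(c.tag) == "run-as-subject"), None)
            if ras is not None:
                subjects[el.get("role-name")] = (_child_text(ras, "realm"), _child_text(ras, "id"))
        elif _local(el.tag) == "realm" and el.get("name"):  # credential-store <realm name="...">
            for subj in (c for c in el if _local(c.tag) == "subject"):
                stored.add((el.get("name"), _child_text(subj, "id")))
    problems = []
    for servlet, role in run_as_roles(web_xml).items():
        if role not in subjects:
            problems.append(f"{servlet}: role {role} has no run-as-subject in role-mappings")
        elif subjects[role] not in stored:
            problems.append(f"{servlet}: subject {subjects[role][1]}@{subjects[role][0]} missing from credential store")
    return problems

# Constructed sample input, cut down from the descriptors in the report; security/sys URIs are placeholders.
WEB_XML = """<web-app><servlet><servlet-name>ExceptionPage</servlet-name>
<jsp-file>/error/Exception.jsp</jsp-file><run-as><role-name>TESTSYSTEM</role-name></run-as>
</servlet></web-app>"""
PLAN_XML = """<app xmlns:security="urn:constructed:security" xmlns:sys="urn:constructed:sys">
<security:security><security:role-mappings><security:role role-name="TESTSYSTEM">
<security:run-as-subject><security:realm>TestingRealm</security:realm>
<security:id>test-system</security:id></security:run-as-subject></security:role>
</security:role-mappings></security:security>
<sys:gbean name="MyCredentialStore"><xml-attribute name="credentialStore">
<credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
<realm name="TestingRealm"><subject><id>test-system</id></subject></realm>
</credential-store></xml-attribute></sys:gbean></app>"""
```

An empty result from `check_run_as_wiring(WEB_XML, PLAN_XML)` means the descriptors are consistent, so a JSP that still does not run as TESTSYSTEM points at the container rather than the plan.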

