geronimo-dev mailing list archives

From "David Jencks (JIRA)" <j...@apache.org>
Subject [jira] Assigned: (GERONIMO-3357) <run-as> role is ignored in web.xml
Date Fri, 27 Jul 2007 03:23:03 GMT

     [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks reassigned GERONIMO-3357:
--------------------------------------

    Assignee: David Jencks

> <run-as> role is ignored in web.xml
> -----------------------------------
>
>                 Key: GERONIMO-3357
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3357
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.0-M7
>         Environment: Windows XP SP2
>            Reporter: Aman Nanner
>            Assignee: David Jencks
>            Priority: Critical
>             Fix For: 2.0
>
>
> It seems that any <run-as> roles defined in a web.xml of a web application are ignored.  For example, consider the following web.xml fragment:
> {code:xml}
>    <servlet>
>       <servlet-name>ExceptionPage</servlet-name>
>       <jsp-file>/error/Exception.jsp</jsp-file>
>       <run-as>
>          <role-name>TESTSYSTEM</role-name>
>       </run-as>
>    </servlet>
> {code}
> The JSP is never run as the TESTSYSTEM role in this case, and thus access to method-restricted EJBs fails from the JSP.  I cannot see in the TomcatGeronimoRealm where this "run-as" role is being set, or if it is accessing the credential store to get the run-as subject.
> Below is the fragment of my geronimo-application.xml where I define the security policy:
> {code:xml}
>    <security:security>
>          <security:credential-store>
>              <security:pattern>
>                  <sys:name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">MyCredentialStore</sys:name>
>              </security:pattern>
>          </security:credential-store>
>       <security:role-mappings>
>          <security:role role-name="TESTSYSTEM">
>             <security:run-as-subject>
>              <security:realm>TestingRealm</security:realm>
>              <security:id>test-system</security:id>
>             </security:run-as-subject>
>             <security:realm realm-name="TestingRealm">
>                <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="TESTSYSTEM" />
>             </security:realm>
>          </security:role>
>       </security:role-mappings>
>    </security:security>
>    <sys:gbean name="TestingRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>       <sys:attribute name="realmName">TestingRealm</sys:attribute>
>       <sys:reference name="ServerInfo">
>          <sys:name>ServerInfo</sys:name>
>       </sys:reference>
>       <sys:xml-reference name="LoginModuleConfiguration">
>          <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>             <log:login-module control-flag="REQUIRED" wrap-principals="false">
>                <log:login-domain-name>TestingRealm</log:login-domain-name>
>                <log:login-module-class>com.testing.security.TestingLoginModule</log:login-module-class>
>                <log:option name="userSelect">SELECT username, password FROM utl_user WHERE username=?</log:option>
>                <log:option name="dataSourceApplication">Mxi/Testing/1/ear</log:option>
>                <log:option name="groupSelect">SELECT name, 'TESTSYSTEM' as role_name FROM dual</log:option>
>                <log:option name="dataSourceName">com/testing/jdbc/TestDS</log:option>
>             </log:login-module>
>          </log:login-config>
>       </sys:xml-reference>
>    </sys:gbean>
>    <sys:gbean name="MyCredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>       <xml-attribute name="credentialStore">
>          <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>             <!-- uncomment this and the default subject in the jetty console plan gives you admin console permissions -->
>             <realm name="TestingRealm">
>                <subject>
>                    <id>test-system</id>
>                    <credential>
>                       <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
>                       <value>ananner</value>
>                    </credential>
>                    <credential>
>                       <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
>                       <value>password</value>
>                    </credential>
>                </subject>
>             </realm>
>          </credential-store>
>       </xml-attribute>
>    </sys:gbean>
> {code}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
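A deployment-time consistency check of the kind this report invites, as an added example that is neither the reporter's nor Geronimo's code: it reads a web.xml and a Geronimo plan and lists every <run-as> role that has no run-as-subject mapping, or whose mapped subject is absent from the credential store. The sample descriptors are constructed, the namespace URIs in them are assumptions, and matching is done on local element names so the exact schema versions do not matter.

```python
# Added example (not from the JIRA issue or Geronimo): check that each <run-as> role in
# web.xml has a run-as-subject in the Geronimo plan whose (realm, id) exists in the
# credential store. Sample XML is constructed; namespace URIs are assumed and matching
# uses local names ({*}, Python 3.8+), so the exact schema versions do not matter.
import xml.etree.ElementTree as ET

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <servlet><servlet-name>ExceptionPage</servlet-name><jsp-file>/error/Exception.jsp</jsp-file>
  <run-as><role-name>TESTSYSTEM</role-name></run-as></servlet>
 <servlet><servlet-name>Reports</servlet-name><jsp-file>/reports.jsp</jsp-file>
  <run-as><role-name>REPORTING</role-name></run-as></servlet>
 <servlet><servlet-name>Audit</servlet-name><jsp-file>/audit.jsp</jsp-file>
  <run-as><role-name>AUDIT</role-name></run-as></servlet>
</web-app>"""
PLAN_XML = """<application xmlns:security="http://geronimo.apache.org/xml/ns/security-2.0"
 xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
 <security:security><security:role-mappings>
  <security:role role-name="TESTSYSTEM"><security:run-as-subject>
   <security:realm>TestingRealm</security:realm><security:id>test-system</security:id>
  </security:run-as-subject></security:role>
  <security:role role-name="REPORTING"><security:run-as-subject>
   <security:realm>TestingRealm</security:realm><security:id>reporter</security:id>
  </security:run-as-subject></security:role>
  <security:role role-name="AUDIT"/></security:role-mappings></security:security>
 <credential-store><realm name="TestingRealm"><subject><id>test-system</id></subject></realm></credential-store>
</application>"""

def run_as_roles(web_xml):
    """Map servlet-name -> run-as role for every servlet that declares <run-as>."""
    root = ET.fromstring(web_xml)
    return {s.findtext("{*}servlet-name"): s.findtext("{*}run-as/{*}role-name")
            for s in root.findall(".//{*}servlet") if s.find("{*}run-as") is not None}

def check_run_as(web_xml, plan_xml):
    """Return a list of problems; empty means every run-as role is fully backed."""
    plan = ET.fromstring(plan_xml)
    store = {(realm.get("name"), subj.findtext("{*}id"))  # (realm, id) pairs present
             for realm in plan.findall(".//{*}credential-store/{*}realm")
             for subj in realm.findall("{*}subject")}
    mapped = {r.get("role-name"): (r.findtext("{*}run-as-subject/{*}realm"),
                                   r.findtext("{*}run-as-subject/{*}id"))
              for r in plan.findall(".//{*}role-mappings/{*}role")
              if r.find("{*}run-as-subject") is not None}
    problems = []
    for servlet, role in sorted(run_as_roles(web_xml).items()):
        if role not in mapped:
            problems.append(f"{servlet}: role {role} has no run-as-subject in the plan")
        elif mapped[role] not in store:
            problems.append(f"{servlet}: subject {mapped[role]} missing from credential store")
    return problems
```

Calling `check_run_as(WEB_XML, PLAN_XML)` on the samples reports the AUDIT role (no mapping) and the REPORTING role (subject not in the store); a container bug like the one reported would still need a runtime check against the EJB's caller principal.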

