geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <j...@apache.org>
Subject [jira] Closed: (GERONIMO-2564) Declaration of an anonymous role in geronimo-web.xml
Date Mon, 27 Jul 2009 06:10:15 GMT

     [ https://issues.apache.org/jira/browse/GERONIMO-2564?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

David Jencks closed GERONIMO-2564.
----------------------------------

    Resolution: Cannot Reproduce
      Assignee: David Jencks

In 2.2 (and earlier) you can specify a default subject for web apps.  This is obtained by
logging in to some security realm.  Whatever principals are in the subject (determined by
the security realm), you will get the permissions mapped to those principals.  This is not
the same as what websphere does but does let you assign permissions to the unauthenticated
user.

> Declaration of an anonymous role in geronimo-web.xml
> ----------------------------------------------------
>
>                 Key: GERONIMO-2564
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2564
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 1.1.1
>         Environment: Windows XP / Novell LDAP
>            Reporter: Jérôme GODARD
>            Assignee: David Jencks
>            Priority: Critical
>         Attachments: geronimo-web.xml
>
>
> I want to automate the migration of a JSF WAS6 application to Geronimo.
> I try to defined a anonymous role like the J2EE role "EveryBody" in Websphere Application
Server 6.
> My policy is to secure all the application (all jsp files of my web folder) except the
jsp in the subfolders "public" and "login" (since defining a security constraint on /* doesn't
work, I declare a security rules on *.faces).
> To do that, I first defined my security constraints in web.xml :
> I use 4 roles : User, Support, Admin and Everybody
> 	<security-constraint>
> 		<web-resource-collection>
> 			<web-resource-name>AllURI</web-resource-name>
> 			<description>Represent all the application URI</description>
> 			<url-pattern>*.faces</url-pattern>
> 			<url-pattern>/faces/*</url-pattern>
> 			<url-pattern>*.jsp</url-pattern>
> 			<url-pattern>*.jsf</url-pattern>
> 		</web-resource-collection>
> 		<auth-constraint>
> 			<description />
> 			<role-name>User</role-name>
> 			<role-name>Admin</role-name>
> 			<role-name>Support</role-name>
> 		</auth-constraint>
> 		<user-data-constraint>
> 			<transport-guarantee>NONE</transport-guarantee>
> 		</user-data-constraint>
> 	</security-constraint>
> 	<security-constraint>
> 		<web-resource-collection>
> 			<web-resource-name>Login</web-resource-name>
> 			<description>The login page resource</description>
> 			<url-pattern>/login/*</url-pattern>
> 			<http-method>GET</http-method>
> 			<http-method>POST</http-method>
> 		</web-resource-collection>	
> 		<auth-constraint>
> 			<description />
> 			<role-name>EveryBody</role-name>
> 		</auth-constraint>
> 		<user-data-constraint>
> 			<transport-guarantee>CONFIDENTIAL</transport-guarantee>
> 		</user-data-constraint>
> 	</security-constraint>
> 	<security-constraint>
> 		<display-name>Constraints PUBLIC</display-name>
> 		<web-resource-collection>
> 			<web-resource-name>Theme Resources</web-resource-name>
> 			<description />
> 			<url-pattern>/templates/*</url-pattern>
> 			<url-pattern>/index.jsp</url-pattern>
> 			<url-pattern>/jscookmenu/*</url-pattern>
> 			<url-pattern>/</url-pattern>
> 			<http-method>GET</http-method>
> 		</web-resource-collection>
> 		<web-resource-collection>
> 			<web-resource-name>Public Area</web-resource-name>
> 			<description>allows acces under /public/</description>
> 			<url-pattern>/public/*</url-pattern>
> 			<http-method>GET</http-method>
> 			<http-method>POST</http-method>
> 		</web-resource-collection>
> 		<auth-constraint>
> 			<description />
> 			<role-name>EveryBody</role-name>
> 		</auth-constraint>
> 		<user-data-constraint>
> 			<transport-guarantee>NONE</transport-guarantee>
> 		</user-data-constraint>
> 	</security-constraint>
> 	<!-- Define the Login Configuration for the service provider -->
> 	<login-config>
> 		<auth-method>FORM</auth-method>
> 		<form-login-config>
> 			<form-login-page>/login/login.jsp</form-login-page>
> 			<form-error-page>/login/loginError.jsp</form-error-page>
> 		</form-login-config>
> 	</login-config>
> When I deploy it on geronimo, I use the following geronimo-web.xml file :
>   <security-realm-name>app-dev-ldap-realm</security-realm-name>
>   <sec:security>
>     <sec:default-principal realm-name="app-dev-ldap-realm">
> 		<sec:principal name="anonymous"
>       				 class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
/>
>     </sec:default-principal>
>     <sec:role-mappings>
>     
>     	<sec:role role-name="User">
>     		<sec:realm realm-name="app-dev-ldap-realm">
>         		<sec:principal name="GP-ZONE3-AXE-USER"
>         			class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
designated-run-as="true" />
>         	</sec:realm>
>     		<sec:realm realm-name="app-dev-ldap-realm">
>         		<sec:principal name="GP-ZONE3-AXE-MANAGER"
>         			class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
/>
>         	</sec:realm>
>       	</sec:role>
>       	<sec:role role-name="Support">
>     		<sec:realm realm-name="app-dev-ldap-realm">
>         		<sec:principal name="GP-ZONE3-AXE-MANAGER"
>         			class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
/>
>         	</sec:realm>
>       	</sec:role>
>       	<sec:role role-name="Admin">
>     		<sec:realm realm-name="app-dev-ldap-realm">
>         		<sec:principal name="GP-ZONE3-AXE-MANAGER"
>         			class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
/>
>         	</sec:realm>
>       	</sec:role>
>       	      	<sec:role role-name="EveryBody">
>     		<sec:realm realm-name="app-dev-ldap-realm">
>         		<sec:principal name="anonymous"
>         			class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
/>
>         	</sec:realm>
>       	</sec:role>
>     </sec:role-mappings>
>   </sec:security>
> I declare an anonymous user that I map to the EveryBody J2EE role (declared in web.xml).
But when I deploy, login ressources and public pages still not be accessible by Everybody
(ie : unauthentified user).
> It seems that the <default-principal/> rule do not affect the anonymous role to
an unauthentified user like it should do.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message