geronimo-user mailing list archives

From "Vamsavardhana Reddy" <c1vams...@gmail.com>
Subject Re: Role-based security question
Date Mon, 07 Aug 2006 09:46:45 GMT
Or change the url-pattern to /secure/* in the security-constraint.

Thanks,
Vamsi.

On 8/7/06, sto@entimo.de <sto@entimo.de> wrote:
>
> Hello,
>
> I forgot to also mention the change to the Geronimo deployment plan that I
> have applied:
>
> ...
>         <role-mappings>
>             <role role-name="administrator">
>                 <principal name="administrator" designated-run-as="true"
>                     class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>                 <principal name="root"
>                     class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
>             </role>
>         </role-mappings>
> ...
>
> Best regards,
> Frank
>
>
>
> ---------- Forwarded message ----------
> From: sto@entimo.de
> To: user@geronimo.apache.org
> Date: Mon, 7 Aug 2006 10:50:17 +0200 (CEST)
> Subject: Role-based security question
> Hello Geronimo users,
>
> I have tried to test a simple example concerning role-based security with
> Geronimo and haven't succeeded. Maybe my example is wrong, or my Geronimo
> configuration. I hope some of you can help me.
> I want to restrict access to the URL secure/start by allowing only the
> role 'administrator' to access it. An excerpt from my web.xml is:
>
> <web-app>
> ...
>     <servlet>
>         <servlet-name>SecuredServlet</servlet-name>
>         <servlet-class>test.SecuredServlet</servlet-class>
>         <load-on-startup>1</load-on-startup>
>     </servlet>
> ...
>     <servlet-mapping>
>         <servlet-name>SecuredServlet</servlet-name>
>         <url-pattern>/secure/*</url-pattern>
>     </servlet-mapping>
> ...
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>AdministratorFunctions</web-resource-name>
>             <url-pattern>/secure/start</url-pattern>
>             <http-method>GET</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>administrator</role-name>
>         </auth-constraint>
>     </security-constraint>
>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <realm-name>MySecurityRealm</realm-name>
>         <form-login-config>
>             <form-login-page>/login.jsp</form-login-page>
>             <form-error-page>/error.jsp</form-error-page>
>         </form-login-config>
>     </login-config>
>
>     <security-role>
>         <role-name>administrator</role-name>
>     </security-role>
> </web-app>
>
> Only the role administrator should be able to access
> http://.../secure/start. Now I have created a new security realm
> MySecurityRealm with Geronimo using the Geronimo administration console (login
> module class
> org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule).
>
> The users file contains the following users:
> secUser=secret
> unsecUser=secret2
>
> The groups file contains the following group mappings:
> administrator=secUser
> application=unsecUser
>
> For the deployment I used the default deployment plan that can be obtained
> by clicking the 'usage' link under MySecurityRealm.
>
> When I access the /secure/start URL of the web application I'm initially
> asked for the password - okay. When I provide wrong password information,
> I'm directed to the error page - okay. But when I provide valid login
> information for both users, secUser and secUser2, I get access to the
> secure/start page. In my opinion, secUser2 should be forbidden to access
> this page. In a nutshell, all authenticated users can enter my application,
> even if they don't belong to my group 'administrator'.
> Hopefully, there is an easy solution.
>
> Best regards,
>
> Frank

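Vamsi's suggestion widens the constraint from the exact path /secure/start to the prefix /secure/*. The checker below is an added example, not code from this thread or from Geronimo: it evaluates a web.xml's security-constraints against a request method and path using the servlet-spec url-pattern rules (exact, /prefix/*, *.ext, default /), so the reach of each pattern, and of an explicit <http-method> list, can be verified before deployment. The embedded web.xml fragment is constructed to mirror Frank's excerpt.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the one quoted in the thread (not the original file).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdministratorFunctions</web-resource-name>
      <url-pattern>/secure/start</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: default '/', path prefix '/x/*', extension '*.ext', else exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def parse_constraints(web_xml):
    """One (url_patterns, http_methods, roles) tuple per <security-constraint>; roles is None if absent."""
    constraints = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods += [m.text.strip().upper() for m in wrc.findall("http-method")]
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.findall("role-name")}
        constraints.append((patterns, methods, roles))
    return constraints

def required_roles(constraints, method, path):
    """Roles allowed for (method, path); None = no constraint applies (any caller, no login).
    Simplified: a matching constraint lacking <auth-constraint> wins; else role sets are unioned."""
    roles = None
    for patterns, methods, sc_roles in constraints:
        # An explicit <http-method> list narrows the constraint to exactly those methods.
        if not any(pattern_matches(p, path) for p in patterns) or (methods and method not in methods):
            continue
        if sc_roles is None:
            return None
        roles = sc_roles if roles is None else roles | sc_roles
    return roles
```

Running it against the fragment as posted shows that only GET /secure/start requires the administrator role, while the same fragment with /secure/* covers every path under /secure.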