geronimo-user mailing list archives

From "Vamsavardhana Reddy" <c1vams...@gmail.com>
Subject Re: Re: Role-based security question
Date Mon, 07 Aug 2006 13:23:38 GMT
Hi Frank,

I do not know if it is a bug in Geronimo.  A while ago, I ran into the
same problem you faced and overcame it by changing the url-mapping in the
security-constraint.  I suggest you create a bug report in Geronimo JIRA.

Regards,
Vamsi

On 8/7/06, sto@entimo.de <sto@entimo.de> wrote:
>
> Hello Vamsi,
>
> thank you for your hint. Adding another servlet mapping helped.
> Unfortunately I rely on getPathInfo() on the HttpServletRequest to extract a
> command like 'start' or 'stop'. With the additional servlet mapping the path
> info is now null. But I can find some workaround for this. Is this
> additional servlet mapping specification Geronimo-specific or the standard
> way to apply security constraints? From the servlet specification I was not
> aware of having to specify each secured mapping individually?
>
> Best regards,
> Frank
>
>
>
> ---------- Forwarded message ----------
> From: "Vamsavardhana Reddy" <c1vamsi1c@gmail.com>
> To: user@geronimo.apache.org
> Date: Mon, 7 Aug 2006 15:28:20 +0530
> Subject: Re: Role-based security question
> Verified...
>
> adding another servlet-mapping with /secure/start helps.
>
> changing the url-pattern to /secure/* in the security-constraint does not
> help.
>
> Thanks,
> Vamsi
>
>
>
> On 8/7/06, sto@entimo.de <sto@entimo.de> wrote:
> >
> > Hello,
> >
> > I forgot to also mention the change to the Geronimo deployment plan that
> > I have applied:
> >
> > ...
> >         <role-mappings>
> >             <role role-name="administrator">
> >                 <principal name="administrator" designated-run-as="true"
> >                     class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
> >                 <principal name="root"
> >                     class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
> >             </role>
> >         </role-mappings>
> > ...
> >
> > Best regards,
> > Frank
> >
> >
> >
> > ---------- Forwarded message ----------
> > From: sto@entimo.de
> > To: user@geronimo.apache.org
> > Date: Mon, 7 Aug 2006 10:50:17 +0200 (CEST)
> > Subject: Role-based security question
> > Hello Geronimo users,
> >
> > I have tried to test a simple example concerning role-based security
> > with Geronimo and haven't succeeded. Maybe my example is wrong, or my Geronimo
> > configuration. I hope some of you can help me.
> > I want to restrict access to the URL secure/start by allowing only the
> > role 'administrator' to access it. An excerpt from my web.xml is:
> >
> > <web-app>
> > ...
> >     <servlet>
> >         <servlet-name>SecuredServlet</servlet-name>
> >         <servlet-class>test.SecuredServlet</servlet-class>
> >         <load-on-startup>1</load-on-startup>
> >     </servlet>
> > ...
> >     <servlet-mapping>
> >         <servlet-name>SecuredServlet</servlet-name>
> >         <url-pattern>/secure/*</url-pattern>
> >     </servlet-mapping>
> > ...
> >     <security-constraint>
> >         <web-resource-collection>
> >             <web-resource-name>AdministratorFunctions</web-resource-name>
> >             <url-pattern>/secure/start</url-pattern>
> >             <http-method>GET</http-method>
> >         </web-resource-collection>
> >         <auth-constraint>
> >             <role-name>administrator</role-name>
> >         </auth-constraint>
> >     </security-constraint>
> >
> >     <login-config>
> >         <auth-method>FORM</auth-method>
> >         <realm-name>MySecurityRealm</realm-name>
> >         <form-login-config>
> >             <form-login-page>/login.jsp</form-login-page>
> >             <form-error-page>/error.jsp</form-error-page>
> >         </form-login-config>
> >     </login-config>
> >
> >     <security-role>
> >         <role-name>administrator</role-name>
> >     </security-role>
> > </web-app>
> >
> > Only the role administrator should be able to access
> > http://.../secure/start. Now I have created a new security realm
> > MySecurityRealm with Geronimo using the Geronimo administration console (login
> > module class
> > org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule).
> >
> > The users file contains the following users:
> > secUser=secret
> > unsecUser=secret2
> >
> > The groups file contains the following group mappings:
> > administrator=secUser
> > application=unsecUser
> >
> > For the deployment I used the default deployment plan that can be
> > obtained by clicking the 'usage' link under MySecurityRealm.
> >
> > When I access the /secure/start URL of the web application I'm initially
> > asked for the password - okay. When I provide wrong password information,
> > I'm directed to the error page - okay. But when I provide valid login
> > information for both users, secUser and secUser2, I get access to the
> > secure/start page. In my opinion, secUser2 should be forbidden to access
> > this page. In a nutshell, all authenticated users can enter my application,
> > even if they don't belong to my group 'administrator'.
> > Hopefully, there is an easy solution.
> >
> > Best regards,
> >
> > Frank
> >
> >
> >
> >
>
>
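To make the servlet-spec rules behind this thread concrete, here is an added Python example (not code from the thread, from Frank, or from Geronimo) that models how a container matches url-patterns, why an exact /secure/start mapping leaves getPathInfo() null, and which requests the posted security-constraint actually covers. It assumes the Servlet 2.4 matching rules as written in the spec, not Geronimo's behaviour, and uses a constructed excerpt of the quoted web.xml.

```python
# Added example: servlet-spec URL matching applied to the web.xml quoted above.
import xml.etree.ElementTree as ET

# Constructed excerpt of the thread's web.xml (one mapping, one constraint).
WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>SecuredServlet</servlet-name>
    <url-pattern>/secure/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/secure/start</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def matches(pattern, path):
    """Servlet 2.4 matching: exact, path prefix '/x/*', extension '*.ext', default '/'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"

def split_path(pattern, path):
    """(servletPath, pathInfo) the container hands the servlet for a matching mapping.
    An exact mapping such as /secure/start consumes the whole path, so pathInfo is
    None: that is why getPathInfo() returned null once the second mapping was added."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return prefix, (path[len(prefix):] or None)
    return path, None

def is_allowed(web_xml, path, method, roles):
    """Apply the security-constraints to one request. A request is constrained only
    when a web-resource-collection matches its URL and, if http-methods are listed,
    its method; anything unmatched is open to everyone, authenticated or not."""
    root = ET.fromstring(web_xml)
    for sc in root.iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            methods = [m.text for m in wrc.iter("http-method")]
            if (not methods or method in methods) and any(
                    matches(p.text, path) for p in wrc.iter("url-pattern")):
                auth = sc.find("auth-constraint")  # absent: no role required
                return auth is None or bool({r.text for r in auth.iter("role-name")} & set(roles))
    return True  # no constraint covers this URL/method: the role check does not apply
```

Because the constraint lists only GET, a POST to /secure/start and any other path under /secure/ fall outside it under the spec rules; that is worth keeping in mind when choosing the url-pattern, separately from the Geronimo issue discussed in the thread.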
