geronimo-user mailing list archives

From "Alan D. Cabrera" <l...@toolazydogs.com>
Subject Re: Role-based security question
Date Thu, 10 Aug 2006 07:46:27 GMT
Should be fixed.  Thanks for uncovering this!


Regards,
Alan

Aaron Mulder wrote:
> Created http://issues.apache.org/jira/browse/GERONIMO-2295
>
> On 8/7/06, Aaron Mulder <ammulder@alumni.princeton.edu> wrote:
>> That definitely sounds like a bug.
>>
>> Thanks,
>>      Aaron
>>
>> On 8/7/06, sto@entimo.de <sto@entimo.de> wrote:
>> > Hello Geronimo users,
>> >
>> > I have tried to test a simple example concerning role-based security
>> > with Geronimo and haven't succeeded. Maybe my example is wrong or my
>> > Geronimo configuration. I hope some of you can help me.
>> > I want to restrict access to the URL secure/start by allowing only
>> > the role 'administrator' to access them. An excerpt from my web.xml is:
>> >
>> > <web-app>
>> > ...
>> >         <servlet>
>> >                 <servlet-name>SecuredServlet</servlet-name>
>> >                 <servlet-class>test.SecuredServlet</servlet-class>
>> >                 <load-on-startup>1</load-on-startup>
>> >         </servlet>
>> > ...
>> >         <servlet-mapping>
>> >                 <servlet-name>SecuredServlet</servlet-name>
>> >                 <url-pattern>/secure/*</url-pattern>
>> >         </servlet-mapping>
>> > ...
>> >           <security-constraint>
>> >             <web-resource-collection>
>> >               <web-resource-name>AdministratorFunctions</web-resource-name>
>> >               <url-pattern>/secure/start</url-pattern>
>> >               <http-method>GET</http-method>
>> >             </web-resource-collection>
>> >             <auth-constraint>
>> >                   <role-name>administrator</role-name>
>> >             </auth-constraint>
>> >           </security-constraint>
>> >
>> >           <login-config>
>> >                 <auth-method>FORM</auth-method>
>> >                 <realm-name>MySecurityRealm</realm-name>
>> >                 <form-login-config>
>> >                         <form-login-page>/login.jsp</form-login-page>
>> >                         <form-error-page>/error.jsp</form-error-page>
>> >                 </form-login-config>
>> >           </login-config>
>> >
>> >           <security-role>
>> >             <role-name>administrator</role-name>
>> >           </security-role>
>> > </web-app>
>> >
>> > Only the role administrator should be able to access
>> > http://.../secure/start. Now I have created a new security realm
>> > MySecurityRealm with Geronimo using the Geronimo administration console
>> > (login module class
>> > org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule).
>> >
>> > The users file contains the following users:
>> > secUser=secret
>> > unsecUser=secret2
>> >
>> > The groups file contains the following group mappings:
>> > administrator=secUser
>> > application=unsecUser
>> >
>> > For the deployment I used the default deployment plan that can be
>> > obtained by clicking the 'usage' link under MySecurityRealm.
>> >
>> > When I access the /secure/start URL of the web application I'm
>> > initially asked for the password - okay. When I provide wrong
>> > password information, I'm directed to the error page - okay. But when
>> > I provide valid login information for both users, secUser and
>> > secUser2, I get access to the secure/start page. In my opinion,
>> > secUser2 should be forbidden to access this page. In a nutshell, all
>> > authenticated users can enter my applications, even if they don't
>> > belong to my group 'administrator'.
>> > Hopefully, there is an easy solution.
>> >
>> > Best regards,
>> >
>> > Frank
>> >
>> >
>>
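The decision the original poster expected from the container can be checked offline. The following is an added example, not code from this thread or from Geronimo: it parses the posted `<security-constraint>` and the groups file, applies the servlet-spec url-pattern and constraint-combination rules, and reports which user may issue which request. The inputs are the excerpt and the groups file from the message, embedded as constructed strings. The one assumption is that the default deployment plan maps each role to the realm group of the same name, so holding a role means being listed under it in the groups file. `lint_roles` is a small consistency check for the mistakes that make a constraint silently useless (a role nobody is mapped to, or one not declared in `<security-role>`).

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the web.xml excerpt and the groups file from the message
# above, trimmed to the elements the check needs.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdministratorFunctions</web-resource-name>
      <url-pattern>/secure/start</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
</web-app>"""
GROUPS_PROPERTIES = "administrator=secUser\napplication=unsecUser\n"


def parse_properties(text):
    """Minimal key=value reader for the groups file (blank and # lines skipped)."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result


def groups_for_user(groups_text, user):
    """Names of the groups whose comma-separated member list contains `user`."""
    return {group for group, members in parse_properties(groups_text).items()
            if user in [m.strip() for m in members.split(",")]}


def url_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, path prefix (/x/*) or extension (*.ext)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def parse_constraints(web_xml_text):
    """One (url_patterns, http_methods, roles) tuple per <security-constraint>; roles is
    None without an <auth-constraint> (open) and an empty set for <auth-constraint/> (nobody)."""
    constraints = []
    for sc in ET.fromstring(web_xml_text).findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        methods = [m.text.strip() for m in sc.iter("http-method")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        constraints.append((patterns, methods, roles))
    return constraints


def is_allowed(web_xml_text, groups_text, user, method, path):
    """Authorization decision for `user` (None = not logged in) sending `method` to `path`.
    Assumes the deployment plan maps each role to the realm group of the same name, so a
    user holds a role exactly when the groups file lists them under it."""
    applicable = [roles for patterns, methods, roles in parse_constraints(web_xml_text)
                  if any(url_matches(p, path) for p in patterns)
                  and (not methods or method in methods)]
    if not applicable:
        return True          # no constraint covers this method/path pair
    if any(roles is None for roles in applicable):
        return True          # a matching constraint without auth-constraint opens it
    if any(not roles for roles in applicable):
        return False         # an empty auth-constraint denies everyone
    if user is None:
        return False         # roles are required, so a login is required
    permitted = set().union(*applicable)
    return "*" in permitted or bool(permitted & groups_for_user(groups_text, user))


def lint_roles(web_xml_text, groups_text):
    """Roles a constraint relies on that are undeclared or have no members in the groups file."""
    declared = {r.text.strip() for r in ET.fromstring(web_xml_text).findall("security-role/role-name")}
    groups = parse_properties(groups_text)
    problems = []
    for patterns, _, roles in parse_constraints(web_xml_text):
        for role in roles or ():
            if role != "*" and role not in declared:
                problems.append(f"role {role} on {patterns} is not declared in <security-role>")
            elif role != "*" and not groups.get(role):
                problems.append(f"role {role} on {patterns} has no members in the groups file")
    return problems


if __name__ == "__main__":
    for user in ("secUser", "unsecUser", None):
        print(user, "GET /secure/start ->", is_allowed(WEB_XML, GROUPS_PROPERTIES, user, "GET", "/secure/start"))
    print("lint:", lint_roles(WEB_XML, GROUPS_PROPERTIES) or "ok")
```

Run as a script it prints that `secUser` is allowed, `unsecUser` and an anonymous client are not, and that the role mapping lints clean, which is the behaviour the poster expected and the bug report is about. One thing the check also makes visible: the posted constraint names only `<http-method>GET</http-method>`, so a POST to `/secure/start` matches no constraint and is left open; omitting `<http-method>` altogether covers every method.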

