geronimo-user mailing list archives

From s..@entimo.de
Subject Role-based security question
Date Mon, 07 Aug 2006 08:50:17 GMT
Hello Geronimo users,

I have tried to test a simple example concerning role-based security with Geronimo and haven't
succeeded. Maybe my example is wrong, or my Geronimo configuration. I hope some of you can help
me.
I want to restrict access to the URL secure/start by allowing only the role 'administrator'
to access it. An excerpt from my web.xml is:

<web-app>
...
    <servlet>
        <servlet-name>SecuredServlet</servlet-name>
        <servlet-class>test.SecuredServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
...
    <!-- servlet-name must match the <servlet> declared above -->
    <servlet-mapping>
        <servlet-name>SecuredServlet</servlet-name>
        <url-pattern>/secure/*</url-pattern>
    </servlet-mapping>
...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AdministratorFunctions</web-resource-name>
            <url-pattern>/secure/start</url-pattern>
            <!-- only GET is constrained; other methods on this URL are not covered -->
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>administrator</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>MySecurityRealm</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>administrator</role-name>
    </security-role>
</web-app>

Only the role administrator should be able to access http://.../secure/start. Now I have created
a new security realm MySecurityRealm with Geronimo using the Geronimo administration console (login
module class org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule).

The users file contains the following users:
secUser=secret
unsecUser=secret2

The groups file contains the following group mappings:
administrator=secUser
application=unsecUser

For the deployment I used the default deployment plan that can be obtained by clicking the
'usage' link under MySecurityRealm.

When I access the /secure/start URL of the web application I'm initially asked for the password
- okay. When I provide wrong password information, I'm directed to the error page - okay.
But when I provide valid login information for both users, secUser and secUser2, I get access
to the /secure/start page. In my opinion, secUser2 should be forbidden to access this page.
In a nutshell, all authenticated users can enter my application, even if they don't belong
to my group 'administrator'.
Hopefully, there is an easy solution.

Best regards,

Frank
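An added example, not from Frank's message or from the Geronimo project: a hypothetical implementation of the `test.SecuredServlet` named in the web.xml above that re-checks the `administrator` role programmatically on every request it serves. It assumes the Servlet 2.4 API (`javax.servlet`) that Geronimo of that era ships, and the role name from the web.xml. It illustrates two points a practitioner would want to keep in mind: the declarative constraint above only lists `GET`, so other methods on `/secure/start` reach the servlet unconstrained; and `isUserInRole` resolves through the same container role mapping as the `<auth-constraint>`, so if the deployment plan maps the role too broadly, this second layer inherits that mapping rather than fixing it. Its value is defence in depth and a log line showing exactly which principal was denied.

```java
package test;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical SecuredServlet (example code, not from the original post).
 * The declarative <security-constraint> in web.xml only covers GET on
 * /secure/start, so this servlet re-checks the role on every method it
 * serves instead of relying on the container alone.
 */
public class SecuredServlet extends HttpServlet {

    // Must match the <role-name> declared in web.xml and mapped in the
    // Geronimo deployment plan; the name is taken from the message above.
    private static final String REQUIRED_ROLE = "administrator";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    /** Shared authorization check followed by the protected content. */
    private void handle(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        Principal user = req.getUserPrincipal();
        if (user == null) {
            // No authenticated caller: the container did not apply its
            // constraint to this method/path (e.g. POST), so refuse here.
            log("denied anonymous request for " + req.getRequestURI());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "authentication required");
            return;
        }
        if (!req.isUserInRole(REQUIRED_ROLE)) {
            // Authenticated but not mapped to the required role: this is the
            // case the message reports the container is not rejecting.
            log("denied " + user.getName() + " for " + req.getRequestURI()
                + " (role " + REQUIRED_ROLE + " required)");
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "role " + REQUIRED_ROLE + " required");
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Hello " + user.getName()
                    + ", you are in role " + REQUIRED_ROLE);
    }
}
```

The `log()` calls go to the container log via `GenericServlet.log`, which gives a quick way to see which principal name the realm actually produced for `secUser` versus the other user when diagnosing a role-mapping problem like the one described.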
