geronimo-user mailing list archives

From "Aaron Mulder" <ammul...@alumni.princeton.edu>
Subject Re: Role-based security question
Date Tue, 08 Aug 2006 01:14:35 GMT
Created http://issues.apache.org/jira/browse/GERONIMO-2295

On 8/7/06, Aaron Mulder <ammulder@alumni.princeton.edu> wrote:
> That definitely sounds like a bug.
>
> Thanks,
>      Aaron
>
> On 8/7/06, sto@entimo.de <sto@entimo.de> wrote:
> > Hello Geronimo users,
> >
> > I have tried to test a simple example concerning role-based security with Geronimo
> > and haven't succeeded. Maybe my example is wrong, or my Geronimo configuration. I hope some of
> > you can help me.
> > I want to restrict access to the URL secure/start by allowing only the role 'administrator'
> > to access it. An excerpt from my web.xml is:
> >
> > <web-app>
> > ...
> >         <servlet>
> >                 <servlet-name>SecuredServlet</servlet-name>
> >                 <servlet-class>test.SecuredServlet</servlet-class>
> >                 <load-on-startup>1</load-on-startup>
> >         </servlet>
> > ...
> >         <servlet-mapping>
> >                 <servlet-name>SecureServlet</servlet-name>
> >                 <url-pattern>/secure/*</url-pattern>
> >         </servlet-mapping>
> > ...
> >           <security-constraint>
> >             <web-resource-collection>
> >               <web-resource-name>AdministratorFunctions</web-resource-name>
> >               <url-pattern>/secure/start</url-pattern>
> >               <http-method>GET</http-method>
> >             </web-resource-collection>
> >             <auth-constraint>
> >                   <role-name>administrator</role-name>
> >             </auth-constraint>
> >           </security-constraint>
> >
> >           <login-config>
> >                 <auth-method>FORM</auth-method>
> >                 <realm-name>MySecurityRealm</realm-name>
> >                 <form-login-config>
> >                         <form-login-page>/login.jsp</form-login-page>
> >                         <form-error-page>/error.jsp</form-error-page>
> >                 </form-login-config>
> >           </login-config>
> >
> >           <security-role>
> >             <role-name>administrator</role-name>
> >           </security-role>
> > </web-app>
> >
> > Only the role administrator should be able to access http://.../secure/start. Now
> > I have created a new security realm MySecurityRealm with Geronimo using the Geronimo administration
> > console (login module class org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule).
> >
> > The users file contains the following users:
> > secUser=secret
> > unsecUser=secret2
> >
> > The groups file contains the following group mappings:
> > administrator=secUser
> > application=unsecUser
> >
> > For the deployment I used the default deployment plan that can be obtained by clicking
> > the 'usage' link under MySecurityRealm.
> >
> > When I access the /secure/start URL of the web application I'm initially asked for
> > the password - okay. When I provide wrong password information, I'm directed to the error
> > page - okay. But when I provide valid login information for both users, secUser and secUser2,
> > I get access to the secure/start page. In my opinion, secUser2 should be forbidden to access
> > this page. In a nutshell, all authenticated users can enter my application, even if they
> > don't belong to my group 'administrator'.
> > Hopefully, there is an easy solution.
> >
> > Best regards,
> >
> > Frank
> >
> >
>
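Added example, not code from this thread or from Geronimo: a small Python model of the Servlet-spec authorization rules, applied to a constructed copy of the poster's security-constraint and groups file, showing the decisions a correctly behaving container should return (secUser permitted, unsecUser and anonymous requests denied). It also makes visible that because the resource collection lists only GET, other methods on /secure/start fall outside the constraint; the function names are my own.

```python
import xml.etree.ElementTree as ET
# Constructed inputs mirroring the post (security-relevant parts only).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/secure/start</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
GROUPS = "administrator=secUser\napplication=unsecUser\n"  # groups file

def roles_of(user, groups_text=GROUPS):
    """PropertiesFileLoginModule: every group a user is listed in is a role."""
    roles = set()
    for line in groups_text.splitlines():
        if "=" in line and not line.startswith("#"):
            group, members = line.split("=", 1)
            if user in [m.strip() for m in members.split(",")]:
                roles.add(group.strip())
    return roles

def url_matches(pattern, path):
    """Servlet url-pattern: exact match, or '/prefix/*' covering the subtree."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path

def constraints_for(method, path, web_xml=WEB_XML):
    """Allowed-role set per covering constraint; [] = unconstrained, None = no auth-constraint."""
    hits = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            methods = [m.text for m in wrc.iter("http-method")]
            if methods and method not in methods:  # only listed methods apply
                continue
            if any(url_matches(p.text, path) for p in wrc.iter("url-pattern")):
                ac = sc.find("auth-constraint")
                hits.append(None if ac is None else {r.text for r in ac.iter("role-name")})
    return hits

def decide(user, method, path):
    """'unconstrained', 'permit' or 'deny'; user=None is an anonymous request."""
    hits = constraints_for(method, path)
    if not hits:
        return "unconstrained"
    roles = roles_of(user) if user else set()
    return "permit" if any(a is None or a & roles for a in hits) else "deny"
```

Running decide("unsecUser", "GET", "/secure/start") against a real container is the check the poster describes; the expected answer is "deny".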
