From: "Vamsavardhana Reddy"
To: user@geronimo.apache.org
Date: Mon, 7 Aug 2006 15:14:35 +0530
Subject: Re: Role-based security question

See if adding another servlet-mapping with /secure/start helps.

Thanks,
Vamsi

On 8/7/06, sto@entimo.de <sto@entimo.de> wrote:
Hello,

I forgot to also mention the change to the Geronimo deployment plan that I applied:

...
        <role-mappings>
            <role role-name="administrator">
                <principal name="administrator" designated-run-as="true"
                           class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
                <principal name="root"
                           class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
            </role>
        </role-mappings>
...

Best regards,
Frank



---------- Forwarded message ----------
From: sto@entimo.de
To: user@geronimo.apache.org
Date: Mon, 7 Aug 2006 10:50:17 +0200 (CEST)
Subject: Role-based security question
Hello Geronimo users,

I have tried to test a simple example concerning role-based security with Geronimo and haven't succeeded. Maybe my example is wrong, or my Geronimo configuration. I hope some of you can help me.
I want to restrict access to the URL secure/start by allowing only the role 'administrator' to access it. An excerpt from my web.xml is:

<web-app>
...
    <servlet>
        <servlet-name>SecuredServlet</servlet-name>
        <servlet-class>test.SecuredServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
...
    <servlet-mapping>
        <!-- must reference the declared servlet-name exactly -->
        <servlet-name>SecuredServlet</servlet-name>
        <url-pattern>/secure/*</url-pattern>
    </servlet-mapping>
...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AdministratorFunctions</web-resource-name>
            <url-pattern>/secure/start</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>administrator</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>MySecurityRealm</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>administrator</role-name>
    </security-role>
</web-app>

Only the role administrator should be able to access http://.../secure/start. Now I have created a new security realm MySecurityRealm with Geronimo using the Geronimo administration console (login module class org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule).

The users file contains the following users:
secUser=secret
unsecUser=secret2

The groups file contains the following group mappings:
administrator=secUser
application=unsecUser

For the deployment I used the default deployment plan that can be obtained by clicking the 'usage' link under MySecurityRealm.

When I access the /secure/start URL of the web application I'm initially asked for the password - okay. When I provide wrong password information, I'm directed to the error page - okay. But when I provide valid login information for both users, secUser and secUser2, I get access to the secure/start page. In my opinion, secUser2 should be forbidden to access this page. In a nutshell, all authenticated users can enter my application, even if they don't belong to my group 'administrator'.
Hopefully, there is an easy solution.

Best regards,

Frank
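
As an added illustration (not code from the thread, and not Geronimo's own implementation): a small Python model of the Servlet-spec authorization decision, fed with the security-constraint, the role-mappings and the users/groups files quoted above. The login module is simplified to a dictionary lookup and only exact and `/prefix/*` URL patterns are modelled; besides confirming the expected outcome for both users, it shows that because the constraint lists only GET, other methods on /secure/start are left unconstrained.

```python
# Added example (not from the thread): Servlet-spec authorization decision for the quoted config.
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdministratorFunctions</web-resource-name>
      <url-pattern>/secure/start</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
USERS = {"secUser": "secret", "unsecUser": "secret2"}                  # users file
GROUPS = {"administrator": {"secUser"}, "application": {"unsecUser"}}  # groups file
# geronimo-web.xml role-mappings: role -> (group principal names, user principal names)
ROLE_MAPPINGS = {"administrator": ({"administrator"}, {"root"})}

def roles_of(user):
    """Roles reached by mapping the user's Geronimo user and group principals."""
    groups = {g for g, members in GROUPS.items() if user in members}
    return {role for role, (gp, up) in ROLE_MAPPINGS.items()
            if groups & gp or user in up}

def url_matches(pattern, path):
    # exact match or a /prefix/* pattern; extension patterns are not modelled
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path

def required_roles(method, path):
    """Roles demanded by the constraints covering (method, path); None if none covers it."""
    matched, roles = False, set()
    for sc in ET.fromstring(WEB_XML).iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            methods = {m.text for m in wrc.iter("http-method")}  # empty = every method
            if (not methods or method in methods) and \
                    any(url_matches(p.text, path) for p in wrc.iter("url-pattern")):
                matched = True
                roles |= {r.text for r in sc.iter("role-name")}
    return roles if matched else None

def decide(user, password, method, path):
    """Outcome of one request after FORM login: login-failed, forbidden or permitted."""
    if USERS.get(user) != password:
        return "login-failed"
    needed = required_roles(method, path)
    if needed is None:  # uncovered, e.g. POST /secure/start: only GET is constrained
        return "permitted"
    return "permitted" if needed & roles_of(user) else "forbidden"
```

Omitting the `http-method` element (or using a wider `url-pattern`) makes the constraint cover every method on the resource, which is the usual way to close the gap the POST case exposes.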