See if adding another servlet-mapping with /secure/start helps.


On 8/7/06, <> wrote:

I forget to also mention the change of the Gernimo deployment plan that I have applied:

            <role role-name="administrator">
                <principal name="administrator" designated-run-as="true"
                <principal name="root"

Best regards,

---------- Forwarded message ----------
Date: Mon, 7 Aug 2006 10:50:17 +0200 (CEST)
Subject: Role-based security question
Hallo Geronimo users,

I have tried to test a simple example concerning role-based security with Geronimo and havn't succeed. Maybe my example is wrong or my Geronimo configuration. I hope, some of you can help me.
I want to restrict access to the Url secure/start by allowing only the role 'adimistrator' to access them. An excerpt from my web.xml is:

                <servlet-class>test.SecuredServlet </servlet-class>



Only the role administrator should be able to access http://.../secure/start. Now I have created a new security realm MySecurityRealm with Geronimo using Gernimo administration console (login module class

The users file contains the following users:

The groups file contains the following group mappings:

For the deployment I used the default deployment plan that can be obtained by clicking the 'usage' link under MySecuriryRealm.

When I access the /secure/start Url of the web application I'm initially asked for the password - okay. When I provide wrong password information, I'm directed to the error page - okay. But when I provide valid login information for both users, secUser and secUser2, I get access to the secure/start page. In my opinion, secUser2 should be forbidden to access this page. In a nutshell, all authenticated users can enter my applications, even if they don't belong to my group 'adimistrator'.
Hopefully, there is an easy solution.

Best regards,