Hi Frank,

I do not know if it is a bug in Geronimo.  A while ago, I have run into the same problem you faced and overcame it by changing the url-mapping in the security-constraint.  I suggest you create a bug report in Geronimo JIRA.

Regards,
Vamsi

On 8/7/06, sto@entimo.de <sto@entimo.de> wrote:
Hallo Vamsi,

thank you for your hint. Adding another servlet mapping helped. Unfortunately I rely on getPathInfo() on the HttpServletRequest to extract a command like 'start' or 'stop'. With the additional servlet mapping the path info is now null. But I can find some workaround for this. Is this additional servlet mapping specification Geronimo-specific or the standard way to apply security constraints? From the servlet specification I was not aware of having to specify each secured mapping individually?

Best regards,
Frank



---------- Forwarded message ----------
From: "Vamsavardhana Reddy" < c1vamsi1c@gmail.com>
To: user@geronimo.apache.org
Date: Mon, 7 Aug 2006 15:28:20 +0530
Subject: Re: Role-based security question
Verified...

adding another servlet-mapping with /secure/start helps.

changing  the url-pattern to /secure/* in the security-constraint does not help.

Thanks,
Vamsi



On 8/7/06, sto@entimo.de < sto@entimo.de> wrote:
Hallo,

I forget to also mention the change of the Gernimo deployment plan that I have applied:

...
        <role-mappings>
            <role role-name="administrator">
                <principal name="administrator" designated-run-as="true"
class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                />
                <principal name="root"
class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                />
            </role>
        </role-mappings>
...

Best regards,
Frank



---------- Forwarded message ----------
From: sto@entimo.de
To: user@geronimo.apache.org
Date: Mon, 7 Aug 2006 10:50:17 +0200 (CEST)
Subject: Role-based security question
Hallo Geronimo users,

I have tried to test a simple example concerning role-based security with Geronimo and havn't succeed. Maybe my example is wrong or my Geronimo configuration. I hope, some of you can help me.
I want to restrict access to the Url secure/start by allowing only the role 'adimistrator' to access them. An excerpt from my web.xml is:

<web-app>
...
        <servlet>
                <servlet-name>SecuredServlet</servlet-name>
                <servlet-class>test.SecuredServlet </servlet-class>
                <load-on-startup>1</load-on-startup>
        </servlet>
...
        <servlet-mapping>
                <servlet-name>SecureServlet</servlet-name>
                <url-pattern>/secure/*</url-pattern>
        </servlet-mapping>
...
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>AdministratorFunctions</web-resource-name>
              <url-pattern>/secure/start</url-pattern>
              <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
                  <role-name>administrator</role-name>
            </auth-constraint>
          </security-constraint>

          <login-config>
                <auth-method>FORM</auth-method>
                <realm-name>MySecurityRealm</realm-name>
                <form-login-config>
                        <form-login-page>/login.jsp</form-login-page>
                        <form-error-page>/error.jsp</form-error-page>
                </form-login-config>
          </login-config>

          <security-role>
            <role-name>administrator</role-name>
          </security-role>
</web-app>

Only the role administrator should be able to access http://.../secure/start. Now I have created a new security realm MySecurityRealm with Geronimo using Gernimo administration console (login module class org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule).

The users file contains the following users:
secUser=secret
unsecUser=secret2

The groups file contains the following group mappings:
administrator=secUser
application=unsecUser

For the deployment I used the default deployment plan that can be obtained by clicking the 'usage' link under MySecuriryRealm.

When I access the /secure/start Url of the web application I'm initially asked for the password - okay. When I provide wrong password information, I'm directed to the error page - okay. But when I provide valid login information for both users, secUser and secUser2, I get access to the secure/start page. In my opinion, secUser2 should be forbidden to access this page. In a nutshell, all authenticated users can enter my applications, even if they don't belong to my group 'adimistrator'.
Hopefully, there is an easy solution.

Best regards,

Frank