geronimo-user mailing list archives

From Aman Nanner/MxI Technologies <aman.nan...@mxi.com>
Subject Re: Geronimo role security
Date Wed, 18 Jul 2007 03:15:10 GMT
It would appear that the TomcatGeronimoRealm.hasResourcePermission(...)
method does not apply the <run-as> role if one is defined.  If this is indeed
the case, then I believe this is a bug....

Aman Nanner/MxI Technologies <aman.nanner@mxi.com> wrote on 07-17-2007
10:55:23 PM:

>
> Hi,
>
> I'm using the latest Geronimo 2.0 snapshot from the codebase.  I understand
> that security has changed somewhat from Geronimo 1.2.  I'm running into an
> issue where I have a JSP with a specific "run-as" role calling a secured
> EJB.  This JSP has its run-as role defined in the web.xml as follows:
>
> ----
>    <servlet>
>       <servlet-name>MessagePage</servlet-name>
>       <jsp-file>/common/Message.jsp</jsp-file>
>       <run-as>
>          <role-name>TESTSYSTEM</role-name>
>       </run-as>
>    </servlet>
> ----
>
>
>  I have a default run-as role mapped in my geronimo-application.xml in my
> EAR as follows:
>
> ----
>    <security:security>
>       <security:default-principal>
>          <security:principal
>             class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>             name="" />
>       </security:default-principal>
>       <security:role-mappings>
>          <security:role role-name="TESTSYSTEM">
>             <security:principal
>                class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>                name="test-system" designated-run-as="true" />
>          </security:role>
>       </security:role-mappings>
>    </security:security>
> ----
>
> This used to work in Geronimo 1.2, but it appears now that the JSP does not
> run with the run-as principal; rather it seems that it runs with no
> principals.  Therefore, the call to the secured EJB causes a security
> access exception.  Is this supposed to work the same way in Geronimo 2.0?
> If so, then maybe this is a problem in Tomcat ....
>
> Thanks,
> Aman
>
>

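The thread hinges on whether the servlet's <run-as> role is wired to a principal marked designated-run-as="true" in the EAR's security block, and whether the container then actually runs the JSP as that principal. The script below is an added example, not code from the thread or from the Geronimo project: it cross-checks a web.xml against a geronimo-application.xml and reports every servlet whose run-as role has no designated run-as principal, so a deployer can rule out the configuration side before attributing "runs with no principals" to the realm. The sample descriptors are constructed for the example (the second servlet, ReportPage, and its REPORTS role are invented to show a failing case); the security namespace URI is an assumption, and the parser matches on local element names so it does not depend on it.

```python
"""Audit run-as wiring between web.xml and geronimo-application.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml: MessagePage mirrors the thread's servlet,
# ReportPage is invented to show a run-as role with no designated principal.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>MessagePage</servlet-name>
    <jsp-file>/common/Message.jsp</jsp-file>
    <run-as><role-name>TESTSYSTEM</role-name></run-as>
  </servlet>
  <servlet>
    <servlet-name>ReportPage</servlet-name>
    <jsp-file>/common/Report.jsp</jsp-file>
    <run-as><role-name>REPORTS</role-name></run-as>
  </servlet>
</web-app>"""

# Constructed sample geronimo-application.xml; namespace URI is an assumption.
GERONIMO_APP_XML = """<application xmlns:security="http://example.invalid/geronimo-security">
  <security:security>
    <security:role-mappings>
      <security:role role-name="TESTSYSTEM">
        <security:principal
          class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
          name="test-system" designated-run-as="true"/>
      </security:role>
      <security:role role-name="REPORTS">
        <security:principal
          class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
          name="reporter"/>
      </security:role>
    </security:role-mappings>
  </security:security>
</application>"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def servlet_run_as_roles(web_xml: str) -> dict:
    """Map servlet-name -> run-as role-name for every servlet that declares <run-as>."""
    root = ET.fromstring(web_xml)
    roles = {}
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        name = next((c.text.strip() for c in servlet if _local(c.tag) == "servlet-name"), None)
        run_as = next((c for c in servlet if _local(c.tag) == "run-as"), None)
        if name is None or run_as is None:
            continue
        role = next((c.text.strip() for c in run_as if _local(c.tag) == "role-name"), None)
        if role:
            roles[name] = role
    return roles


def designated_run_as_principals(geronimo_xml: str) -> dict:
    """Map role-name -> (principal class, principal name) for principals
    flagged designated-run-as="true"; roles without such a principal are absent."""
    root = ET.fromstring(geronimo_xml)
    mapping = {}
    for role in (e for e in root.iter() if _local(e.tag) == "role"):
        role_name = role.get("role-name")
        for principal in role:
            if (_local(principal.tag) == "principal"
                    and principal.get("designated-run-as", "false").lower() == "true"):
                mapping[role_name] = (principal.get("class"), principal.get("name"))
    return mapping


def audit_run_as(web_xml: str, geronimo_xml: str) -> list:
    """One finding per run-as servlet; ok=False means the container has no
    designated principal to run the servlet as, so it would run unprivileged."""
    declared = servlet_run_as_roles(web_xml)
    designated = designated_run_as_principals(geronimo_xml)
    findings = []
    for servlet, role in sorted(declared.items()):
        principal = designated.get(role)
        findings.append({
            "servlet": servlet,
            "role": role,
            "principal": principal[1] if principal else None,
            "ok": principal is not None,
        })
    return findings


if __name__ == "__main__":
    for f in audit_run_as(WEB_XML, GERONIMO_APP_XML):
        status = "ok" if f["ok"] else "MISSING designated-run-as principal"
        print(f"{f['servlet']}: run-as {f['role']} -> {f['principal']} [{status}]")
```

If every servlet reports ok but the EJB call still fails with a security access exception, the descriptors are consistent and the fault lies in the container's application of the run-as principal, which is the situation the thread describes.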

