geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ray Clough <...@allthisisthat.com>
Subject Re: security constraint question
Date Sun, 27 Sep 2009 02:41:10 GMT

David, thanks for your reply,

I'm using Geronimo 2.1.4, the latest.  When you mention that you think it
works in 2.2, is that speaking of the future, or a typo?

Here is the a portion of the geronimo-application.xml file:

    <module>
     	<web>RiskPortal_Kamakura_v3.1.00_b4667.war</web>
    	
     		<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"
    				xmlns:naming="http://geronimo.apache.org/xml/ns/naming-1.0" >
 
				<naming:resource-ref>
			        <naming:ref-name>jdbc/RP_DB</naming:ref-name>
			        <naming:resource-link>RPSystemDB</naming:resource-link>
			    </naming:resource-ref>
			    
    		</web-app> 
    	
    </module>
 
 	<sec:security></sec:security>

The security element is the same as in geronimo-web.xml which deploys
properly.  The security element in web.xml just prevents direct access to
the specified resources, and is:

	<security-constraint>
		<display-name>Unavailable_Raw_Pages</display-name>
		<web-resource-collection>
			<web-resource-name>RawPages</web-resource-name>
 			<url-pattern>*.xhtml</url-pattern>
 			<url-pattern>*.jsp</url-pattern>
 			<url-pattern>*.jspx</url-pattern>
 			<url-pattern>*.tiles</url-pattern>
			<http-method>POST</http-method>
			<http-method>GET</http-method>
			<http-method>PUT</http-method>
			<http-method>DELETE</http-method>
		</web-resource-collection>
		<auth-constraint> </auth-constraint>
	</security-constraint>

I make no claims to understanding geronimo deployment descriptors in detail,
but this seems like this should work.  Am I missing something?

Thanks,
- Ray Clough





djencks wrote:
> 
> Hi Ray, sorry for the delay.
> 
> On Sep 19, 2009, at 5:35 PM, Ray Clough wrote:
> 
>> In my web.xml file I have a security constraint which is intended  
>> simply to block direct access to the jsp, jspx, xhtml files  
>> directly. Here is the snippet from web.xml Unavailable_Raw_Pages  
>> RawPages *.xhtml *.jsp *.jspx *.tiles POST GET PUT DELETE Since no  
>> roles are defined, the content is completely blocked. When I deploy  
>> the app as a WAR file to geronimo, this works well.
> 
> I'm quite surprised at this.  I would expect you would get the same  
> message as you get with an ear.
> 
>> Now when I'm trying to deploy as an EAR, it won't deploy with  
>> message "web.xml for web app XXX.war includes security elements but  
>> Geronimo deployment plan is not provided or does not contain element  
>> necessary to configure security accordingly." I have tried various  
>> different contents in geronimo-application.xml, but I always get the  
>> same error. The app uses custom security, and I do not have any  
>> security realm defined on Geronimo. Can I do this, and if so, how?  
>> Thanks, - Ray Clough
> 
> I'm pretty sure you need the <security/> element but I don't think you  
> need anything inside.  I don't recall if you need a security realm or  
> not.  As you say, you shouldn't really.  I think I remember making  
> this scenario work in 2.2 some time ago: it may not work in 2.1.x.
> 
> I don't suppose you have a simple app to demonstrate the behavior?
> 
> thanks
> david jencks
> 
> 
>> View this message in context: security constraint question
>> Sent from the Apache Geronimo - Users mailing list archive at  
>> Nabble.com.
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/security-constraint-question-tp25526829s134p25630427.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.


Mime
View raw message