10 messages in org.apache.geronimo.user: Re: Re: Role-based security question

| From | Sent On | Attachments |
|---|---|---|
| st...@entimo.de | Aug 7, 2006 1:49 am | |
| st...@entimo.de | Aug 7, 2006 2:16 am | |
| Vamsavardhana Reddy | Aug 7, 2006 2:44 am | |
| Vamsavardhana Reddy | Aug 7, 2006 2:46 am | |
| Vamsavardhana Reddy | Aug 7, 2006 2:57 am | |
| st...@entimo.de | Aug 7, 2006 6:09 am | |
| Vamsavardhana Reddy | Aug 7, 2006 6:23 am | |
| Aaron Mulder | Aug 7, 2006 7:41 am | |
| Aaron Mulder | Aug 7, 2006 6:14 pm | |
| Alan D. Cabrera | Aug 10, 2006 12:46 am | |

| Subject: | Re: Re: Role-based security question |
|---|---|
| From: | Vamsavardhana Reddy (c1va...@gmail.com) |
| Date: | Aug 7, 2006 6:23:15 am |
| List: | org.apache.geronimo.user |
Hi Frank,
I do not know if it is a bug in Geronimo. A while ago I ran into the same problem you faced and overcame it by changing the url-mapping in the security-constraint. I suggest you create a bug report in Geronimo JIRA.
Regards, Vamsi
On 8/7/06, st...@entimo.de <st...@entimo.de> wrote:
Hello Vamsi,
thank you for your hint. Adding another servlet mapping helped. Unfortunately I rely on getPathInfo() on the HttpServletRequest to extract a command like 'start' or 'stop'. With the additional servlet mapping the path info is now null. But I can find some workaround for this. Is this additional servlet mapping specification Geronimo-specific, or the standard way to apply security constraints? From the servlet specification I was not aware of having to specify each secured mapping individually.
Best regards, Frank
---------- Forwarded message ----------
From: "Vamsavardhana Reddy" <c1va...@gmail.com>
To: us...@geronimo.apache.org
Date: Mon, 7 Aug 2006 15:28:20 +0530
Subject: Re: Role-based security question

Verified...
adding another servlet-mapping with /secure/start helps.
changing the url-pattern to /secure/* in the security-constraint does not help.
Thanks, Vamsi
On 8/7/06, st...@entimo.de <st...@entimo.de> wrote:
Hello,
I forgot to also mention the change to the Geronimo deployment plan that I applied:

```xml
...
<role-mappings>
  <role role-name="administrator">
    <principal name="administrator" designated-run-as="true"
               class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
    <principal name="root"
               class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
  </role>
</role-mappings>
...
```
Best regards, Frank
---------- Forwarded message ----------
From: st...@entimo.de
To: us...@geronimo.apache.org
Date: Mon, 7 Aug 2006 10:50:17 +0200 (CEST)
Subject: Role-based security question

Hello Geronimo users,
I have tried to test a simple example concerning role-based security with Geronimo and haven't succeeded. Maybe my example is wrong, or my Geronimo configuration. I hope some of you can help me. I want to restrict access to the URL secure/start by allowing only the role 'administrator' to access it. An excerpt from my web.xml is:

```xml
<web-app>
  ...
  <servlet>
    <servlet-name>SecuredServlet</servlet-name>
    <servlet-class>test.SecuredServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  ...
  <!-- servlet-name must match the <servlet> declaration above
       (the posted excerpt read "SecureServlet" here) -->
  <servlet-mapping>
    <servlet-name>SecuredServlet</servlet-name>
    <url-pattern>/secure/*</url-pattern>
  </servlet-mapping>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdministratorFunctions</web-resource-name>
      <url-pattern>/secure/start</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MySecurityRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>administrator</role-name>
  </security-role>
</web-app>
```
Only the role administrator should be able to access http://.../secure/start. Now I have created a new security realm MySecurityRealm with Geronimo using the Geronimo administration console (login module class org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule).

The users file contains the following users:

```properties
secUser=secret
unsecUser=secret2
```

The groups file contains the following group mappings:

```properties
administrator=secUser
application=unsecUser
```

For the deployment I used the default deployment plan that can be obtained by clicking the 'usage' link under MySecurityRealm.

When I access the /secure/start URL of the web application I'm initially asked for the password - okay. When I provide wrong password information, I'm directed to the error page - okay. But when I provide valid login information for both users, secUser and secUser2, I get access to the secure/start page. In my opinion, secUser2 should be forbidden to access this page. In a nutshell, all authenticated users can enter my application, even if they don't belong to my group 'administrator'. Hopefully, there is an easy solution.
Best regards,
Frank
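Added example, not code from the thread, from Geronimo or from Frank: a version of the test.SecuredServlet he names (the class name and the 'start'/'stop' commands come from his messages; the body is mine) that keeps extracting the command under both the /secure/* prefix mapping and the exact /secure/start mapping Vamsi suggested, where the Servlet API leaves getPathInfo() null, and that re-checks isUserInRole("administrator") in code, so a security-constraint that fails to cover a URL does not leave the page open to every authenticated user. It assumes the Servlet 2.4 javax.servlet API and the role-mapping from Frank's deployment plan (role "administrator" mapped to the group principal "administrator"); the log line is the detection signal for a constraint that has stopped matching.

```java
package test;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the thread's code). Servlet behind the /secure/* mapping
 * and, after the workaround, also the exact /secure/start mapping. It works
 * under both mappings and re-checks the role in code as a second layer behind
 * the <security-constraint> in web.xml.
 */
public class SecuredServlet extends HttpServlet {

    // Role name taken from the thread's <auth-constraint>.
    private static final String REQUIRED_ROLE = "administrator";

    /**
     * Derives the command ("start", "stop") from the path components.
     *   prefix mapping /secure/*     : servletPath "/secure",       pathInfo "/start"
     *   exact mapping  /secure/start : servletPath "/secure/start", pathInfo null
     * The Servlet spec leaves pathInfo null for an exact mapping, which is why
     * getPathInfo() alone stopped working once the second mapping was added.
     */
    static String commandFrom(String servletPath, String pathInfo) {
        String path = (pathInfo != null) ? pathInfo : servletPath;
        if (path == null) {
            return null;
        }
        int slash = path.lastIndexOf('/');
        String cmd = (slash >= 0) ? path.substring(slash + 1) : path;
        return cmd.isEmpty() ? null : cmd;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defence in depth: if the declarative constraint does not match this
        // URL (the symptom described in the thread), the container admits any
        // authenticated user, so the servlet verifies the role itself.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!req.isUserInRole(REQUIRED_ROLE)) {
            // Any hit here means the <security-constraint> did not cover the
            // request; it is worth alerting on, not just denying.
            log("Denied " + req.getUserPrincipal().getName() + " (not in role "
                + REQUIRED_ROLE + ") for GET " + req.getRequestURI());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String cmd = commandFrom(req.getServletPath(), req.getPathInfo());
        resp.setContentType("text/plain");
        if (!"start".equals(cmd) && !"stop".equals(cmd)) {
            resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            resp.getWriter().println("Unknown command");
            return;
        }
        PrintWriter out = resp.getWriter();
        out.println("Command '" + cmd + "' accepted for "
            + req.getUserPrincipal().getName());
    }
}
```

With Frank's groups file, secUser is in group administrator and unsecUser is not, so under the plan's role-mapping isUserInRole("administrator") is true only for secUser; the programmatic check therefore yields the 403 Frank expected for the second user even when the container's constraint matching lets the request through, and the log line makes that gap visible.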