You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2007/08/01 01:11:54 UTC

[jira] Commented: (GERONIMO-3357) role is ignored in web.xml

    [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12516820 ] 

David Jencks commented on GERONIMO-3357:
----------------------------------------

OK, with your app I see the problem, at least in jetty.  The difference between our apps is that yours uses the default subject in the web app, whereas mine uses an authenticated subject in the web app.

> <run-as> role is ignored in web.xml
> -----------------------------------
>
>                 Key: GERONIMO-3357
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3357
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.0-M7
>         Environment: Windows XP SP2
>            Reporter: Aman Nanner
>            Assignee: David Jencks
>            Priority: Critical
>             Fix For: 2.0
>
>         Attachments: testing.ear.zip
>
>
> It seems that any <run-as> roles defined in a web.xml of a web application are ignored.  For example, consider the following web.xml fragment:
> {code:xml}
>    <servlet>
>       <servlet-name>ExceptionPage</servlet-name>
>       <jsp-file>/error/Exception.jsp</jsp-file>
>       <run-as>
>          <role-name>TESTSYSTEM</role-name>
>       </run-as>
>    </servlet>
> {code}
> The JSP is never run as the TESTSYSTEM role in this case, and thus access to method-restricted EJBs fails from the JSP.  I cannot see in the
> TomcatGeronimoRealm where this "run-as" role is being set, or if it is accessing the credential store to get the run-as subject.
> Below is the fragment of my geronimo-application.xml where I define the
> security policy:
> {code:xml}
>    <security:security>
>          <security:credential-store>
>              <security:pattern>
>                  <sys:name
> xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">MyCredentialStore</sys:name>
>              </security:pattern>
>          </security:credential-store>
>       <security:role-mappings>
>          <security:role role-name="TESTSYSTEM">
>             <security:run-as-subject>
>              <security:realm>TestingRealm</security:realm>
>              <security:id>test-system</security:id>
>             </security:run-as-subject>
>             <security:realm realm-name="TestingRealm">
>                <security:principal
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> name="TESTSYSTEM" />
>             </security:realm>
>          </security:role>
>       </security:role-mappings>
>    </security:security>
>    <sys:gbean name="TestingRealm"
> class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>       <sys:attribute name="realmName">TestingRealm</sys:attribute>
>       <sys:reference name="ServerInfo">
>          <sys:name>ServerInfo</sys:name>
>       </sys:reference>
>       <sys:xml-reference name="LoginModuleConfiguration">
>          <log:login-config
> xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>             <log:login-module control-flag="REQUIRED"
> wrap-principals="false">
>                <log:login-domain-name>TestingRealm</log:login-domain-name>
> <log:login-module-class>com.testing.security.TestingLoginModule</log:login-module-class>
>                <log:option name="userSelect">SELECT username, password FROM
> utl_user WHERE username=?</log:option>
>                <log:option
> name="dataSourceApplication">Mxi/Testing/1/ear</log:option>
>                <log:option name="groupSelect">SELECT name, 'TESTSYSTEM' as
> role_name FROM dual</log:option>
>                <log:option
> name="dataSourceName">com/testing/jdbc/TestDS</log:option>
>             </log:login-module>
>          </log:login-config>
>       </sys:xml-reference>
>    </sys:gbean>
>    <sys:gbean name="MyCredentialStore"
> class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>       <xml-attribute name="credentialStore">
>          <credential-store
> xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>             <!-- uncomment this and the default subject in the jettty
> console plan gives you admin console permissions -->
>             <realm name="TestingRealm">
>                <subject>
>                    <id>test-system</id>
>                    <credential>
> <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
>                       <value>ananner</value>
>                    </credential>
>                    <credential>
> <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
>                       <value>password</value>
>                    </credential>
>                </subject>
>             </realm>
>          </credential-store>
>       </xml-attribute>
>    </sys:gbean>
> {code}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.