Posted to dev@geronimo.apache.org by "Jérôme GODARD (JIRA)" <ji...@apache.org> on 2006/11/16 17:01:40 UTC
[jira] Updated: (GERONIMO-2564) Declaration of an anonymous role in geronimo-web.xml
[ http://issues.apache.org/jira/browse/GERONIMO-2564?page=all ]
Jérôme GODARD updated GERONIMO-2564:
------------------------------------
Attachment: geronimo-web.xml
geronimo-web.xml
> Declaration of an anonymous role in geronimo-web.xml
> ----------------------------------------------------
>
> Key: GERONIMO-2564
> URL: http://issues.apache.org/jira/browse/GERONIMO-2564
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: security
> Affects Versions: 1.1.1
> Environment: Windows XP / Novell LDAP
> Reporter: Jérôme GODARD
> Priority: Critical
> Attachments: geronimo-web.xml
>
>
> I want to automate the migration of a JSF WAS6 application to Geronimo.
> I try to define an anonymous role like the J2EE role "EveryBody" in WebSphere Application Server 6.
> My policy is to secure all the application (all jsp files of my web folder) except the jsp in the subfolders "public" and "login" (since defining a security constraint on /* doesn't work, I declare a security rule on *.faces).
> To do that, I first defined my security constraints in web.xml:
> I use 4 roles: User, Support, Admin and EveryBody
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>AllURI</web-resource-name>
>     <description>Represent all the application URI</description>
>     <url-pattern>*.faces</url-pattern>
>     <url-pattern>/faces/*</url-pattern>
>     <url-pattern>*.jsp</url-pattern>
>     <url-pattern>*.jsf</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <description />
>     <role-name>User</role-name>
>     <role-name>Admin</role-name>
>     <role-name>Support</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Login</web-resource-name>
>     <description>The login page resource</description>
>     <url-pattern>/login/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description />
>     <role-name>EveryBody</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <security-constraint>
>   <display-name>Constraints PUBLIC</display-name>
>   <web-resource-collection>
>     <web-resource-name>Theme Resources</web-resource-name>
>     <description />
>     <url-pattern>/templates/*</url-pattern>
>     <url-pattern>/index.jsp</url-pattern>
>     <url-pattern>/jscookmenu/*</url-pattern>
>     <url-pattern>/</url-pattern>
>     <http-method>GET</http-method>
>   </web-resource-collection>
>   <web-resource-collection>
>     <web-resource-name>Public Area</web-resource-name>
>     <description>allows access under /public/</description>
>     <url-pattern>/public/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description />
>     <role-name>EveryBody</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <!-- Define the Login Configuration for the service provider -->
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/login/login.jsp</form-login-page>
>     <form-error-page>/login/loginError.jsp</form-error-page>
>   </form-login-config>
> </login-config>
> When I deploy it on Geronimo, I use the following geronimo-web.xml file:
> <security-realm-name>app-dev-ldap-realm</security-realm-name>
> <sec:security>
>   <sec:default-principal realm-name="app-dev-ldap-realm">
>     <sec:principal name="anonymous"
>                    class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
>   </sec:default-principal>
>   <sec:role-mappings>
>     <sec:role role-name="User">
>       <sec:realm realm-name="app-dev-ldap-realm">
>         <sec:principal name="GP-ZONE3-AXE-USER"
>                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" designated-run-as="true" />
>       </sec:realm>
>       <sec:realm realm-name="app-dev-ldap-realm">
>         <sec:principal name="GP-ZONE3-AXE-MANAGER"
>                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
>       </sec:realm>
>     </sec:role>
>     <sec:role role-name="Support">
>       <sec:realm realm-name="app-dev-ldap-realm">
>         <sec:principal name="GP-ZONE3-AXE-MANAGER"
>                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
>       </sec:realm>
>     </sec:role>
>     <sec:role role-name="Admin">
>       <sec:realm realm-name="app-dev-ldap-realm">
>         <sec:principal name="GP-ZONE3-AXE-MANAGER"
>                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
>       </sec:realm>
>     </sec:role>
>     <sec:role role-name="EveryBody">
>       <sec:realm realm-name="app-dev-ldap-realm">
>         <sec:principal name="anonymous"
>                        class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
>       </sec:realm>
>     </sec:role>
>   </sec:role-mappings>
> </sec:security>
> I declare an anonymous user that I map to the EveryBody J2EE role (declared in web.xml). But when I deploy, login resources and public pages are still not accessible by EveryBody (i.e. unauthenticated users).
> It seems that the <default-principal/> rule does not assign the anonymous role to an unauthenticated user like it should.
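Under the Servlet 2.4 rules a security-constraint with no auth-constraint is open to unauthenticated requests, an empty auth-constraint denies everyone, and an auth-constraint naming a role requires an authenticated caller in that role. The script below is an added audit example, not part of the report or its attachment: it parses a constructed web.xml shaped like the one quoted above and reports the verdict each url-pattern gets, which makes the difference between the reporter's EveryBody constraints and a constraint without an auth-constraint visible at deploy time.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the reporter's web.xml (not the attachment itself).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.faces</url-pattern><url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>User</role-name><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>EveryBody</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip a namespace prefix so a web.xml with a default xmlns is handled too."""
    return tag.rsplit("}", 1)[-1]

def _descendants(elem, name):
    return [c for c in elem.iter() if _local(c.tag) == name]

def audit_constraints(xml_text):
    """Map each url-pattern to its verdict: 'public' (no auth-constraint),
    'denied' (empty auth-constraint) or 'authenticated:<roles>' (an
    authenticated caller in one of the roles; anonymous never qualifies)."""
    root = ET.fromstring(xml_text)
    verdicts = {}
    for sc in _descendants(root, "security-constraint"):
        auth = next(iter(_descendants(sc, "auth-constraint")), None)
        if auth is None:
            verdict = "public"
        else:
            roles = sorted(r.text.strip() for r in _descendants(auth, "role-name"))
            verdict = "denied" if not roles else "authenticated:" + ",".join(roles)
        for pat in _descendants(sc, "url-pattern"):
            verdicts[pat.text.strip()] = verdict
    return verdicts
```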
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira