Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2007/08/01 03:04:52 UTC

[jira] Updated: (GERONIMO-3357) <run-as> role is ignored in web.xml

     [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks updated GERONIMO-3357:
-----------------------------------

    Attachment: testing2.ear

I take it back, geronimo is working fine.  There were a lot of configuration problems in your app:

1. no servlet mapping for your jsp, so it was getting served by the default jsp servlet, which doesn't have a run-as role.  I added a mapping to test, so localhost:8080/testing/test gets the jsp.  This illustrates why the default jsp servlet may be a bad idea.
2. wrong principal in the role-mapping.  MXSYSTEM is not produced by geronimo-admin realm.  I changed it to admin.

Also the schemas have changed a bit, I updated to use jetty and the new configuration-store-ref element.

I might have updated to an uncommitted schema namespace */jetty-2.0, in which case you can wait until I commit or move it back to 1.2.

> <run-as> role is ignored in web.xml
> -----------------------------------
>
>                 Key: GERONIMO-3357
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3357
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.0-M7
>         Environment: Windows XP SP2
>            Reporter: Aman Nanner
>            Assignee: David Jencks
>            Priority: Critical
>             Fix For: 2.0
>
>         Attachments: testing.ear.zip, testing2.ear
>
>
> It seems that any <run-as> roles defined in a web.xml of a web application are ignored.  For example, consider the following web.xml fragment:
> {code:xml}
>    <servlet>
>       <servlet-name>ExceptionPage</servlet-name>
>       <jsp-file>/error/Exception.jsp</jsp-file>
>       <run-as>
>          <role-name>TESTSYSTEM</role-name>
>       </run-as>
>    </servlet>
> {code}
> The JSP is never run as the TESTSYSTEM role in this case, and thus access to method-restricted EJBs fails from the JSP.  I cannot see in the TomcatGeronimoRealm where this "run-as" role is being set, or if it is accessing the credential store to get the run-as subject.
> Below is the fragment of my geronimo-application.xml where I define the security policy:
> {code:xml}
>    <security:security>
>       <security:credential-store>
>          <security:pattern>
>             <sys:name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">MyCredentialStore</sys:name>
>          </security:pattern>
>       </security:credential-store>
>       <security:role-mappings>
>          <security:role role-name="TESTSYSTEM">
>             <security:run-as-subject>
>                <security:realm>TestingRealm</security:realm>
>                <security:id>test-system</security:id>
>             </security:run-as-subject>
>             <security:realm realm-name="TestingRealm">
>                <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="TESTSYSTEM" />
>             </security:realm>
>          </security:role>
>       </security:role-mappings>
>    </security:security>
>    <sys:gbean name="TestingRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>       <sys:attribute name="realmName">TestingRealm</sys:attribute>
>       <sys:reference name="ServerInfo">
>          <sys:name>ServerInfo</sys:name>
>       </sys:reference>
>       <sys:xml-reference name="LoginModuleConfiguration">
>          <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>             <log:login-module control-flag="REQUIRED" wrap-principals="false">
>                <log:login-domain-name>TestingRealm</log:login-domain-name>
>                <log:login-module-class>com.testing.security.TestingLoginModule</log:login-module-class>
>                <log:option name="userSelect">SELECT username, password FROM utl_user WHERE username=?</log:option>
>                <log:option name="dataSourceApplication">Mxi/Testing/1/ear</log:option>
>                <log:option name="groupSelect">SELECT name, 'TESTSYSTEM' as role_name FROM dual</log:option>
>                <log:option name="dataSourceName">com/testing/jdbc/TestDS</log:option>
>             </log:login-module>
>          </log:login-config>
>       </sys:xml-reference>
>    </sys:gbean>
>    <sys:gbean name="MyCredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>       <xml-attribute name="credentialStore">
>          <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>             <!-- uncomment this and the default subject in the jetty console plan gives you admin console permissions -->
>             <realm name="TestingRealm">
>                <subject>
>                   <id>test-system</id>
>                   <credential>
>                      <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
>                      <value>ananner</value>
>                   </credential>
>                   <credential>
>                      <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
>                      <value>password</value>
>                   </credential>
>                </subject>
>             </realm>
>          </credential-store>
>       </xml-attribute>
>    </sys:gbean>
> {code}

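An added check, not part of the issue or of Geronimo, for the first misconfiguration diagnosed above: a small Python lint over web.xml that flags any <servlet> declaring <run-as> but lacking a <servlet-mapping> (a request for the JSP path then goes to the container's default JSP servlet and the run-as identity never applies), and also flags a run-as role-name that is not declared as a <security-role>, since a mismatch there silently breaks the deployer's role mapping. The descriptor it parses is constructed for this example and only borrows the ExceptionPage servlet from the report.

```python
"""Lint a web.xml for <run-as> declarations that cannot take effect.

Added example (not from the Geronimo issue or project). Two checks that a
tool can verify from web.xml alone:

  1. a <servlet> with <run-as> has no <servlet-mapping>, so a request for
     the JSP path reaches the container's default JSP servlet instead;
  2. the <run-as> role-name is not declared as a <security-role>.
"""
import xml.etree.ElementTree as ET

# Constructed sample descriptor: the ExceptionPage servlet from the report
# (run-as, no mapping) beside a correctly mapped servlet and an unrelated
# declared role.
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>ExceptionPage</servlet-name>
    <jsp-file>/error/Exception.jsp</jsp-file>
    <run-as><role-name>TESTSYSTEM</role-name></run-as>
  </servlet>
  <servlet>
    <servlet-name>Test</servlet-name>
    <jsp-file>/test.jsp</jsp-file>
    <run-as><role-name>TESTSYSTEM</role-name></run-as>
  </servlet>
  <servlet-mapping>
    <servlet-name>Test</servlet-name>
    <url-pattern>/test</url-pattern>
  </servlet-mapping>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is name."""
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    """Stripped text of the first child called name, or None."""
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def lint_run_as(web_xml):
    """Return (servlet-name, problem) findings for a web.xml string."""
    root = ET.fromstring(web_xml)
    mapped = {_text(m, "servlet-name") for m in _children(root, "servlet-mapping")}
    declared_roles = {_text(r, "role-name") for r in _children(root, "security-role")}
    findings = []
    for servlet in _children(root, "servlet"):
        name = _text(servlet, "servlet-name")
        run_as = _children(servlet, "run-as")
        if not run_as:
            continue  # no run-as identity, nothing to check
        role = _text(run_as[0], "role-name")
        if name not in mapped:
            target = _text(servlet, "jsp-file") or _text(servlet, "servlet-class")
            findings.append((name, f"run-as role {role!r} but no servlet-mapping; "
                                   f"requests for {target} bypass this servlet"))
        if role not in declared_roles:
            findings.append((name, f"run-as role {role!r} is not declared as a security-role"))
    return findings


if __name__ == "__main__":
    for servlet_name, problem in lint_run_as(SAMPLE_WEB_XML):
        print(f"{servlet_name}: {problem}")
```

Run against the sample it reports three findings: ExceptionPage has no mapping and an undeclared role, and Test has an undeclared role. Adding a <servlet-mapping> for ExceptionPage and a <security-role> for TESTSYSTEM clears all three, which is the same repair the comment above describes for the attached application.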