Posted to jetspeed-user@portals.apache.org by David Pankros <dp...@miragy.com> on 2006/07/17 23:31:21 UTC

isUserInRole and DefaultLoginModule

I ran into this strange behavior and I'm wondering if anyone else has had
the same issue or knows of a fix/workaround.

I am running Jetspeed 2.0 on JBoss 4.0.2.  (It also occurs in JBoss AS
4.0.4.GA)  

I have a portlet that, from a JSP, checks a user's role using
HttpServletRequest.isUserInRole( role ). It actually does this in a JSP tag,
but that shouldn't matter. (see code, below)

The portlet works fine when using JBoss's UsersRolesLoginModule.  When I
switch over to using the Jetspeed 2 DefaultLoginModule, the portlets can no
longer see the roles from JSP.  (To verify I logged in as admin and used the
RoleSecurityTest portlet and it confirms my findings.)  I can, however,
log in and as long as I never check the principal's roles everything else
/seems/ OK.  It also correctly resolves the user principal, regardless of
the login module chosen. (see XML configuration snippets, below)

Any suggestions would be appreciated.

Dave


----- working login-config.xml snippet --------

    <application-policy name="Jetspeed">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
          <module-option name="usersProperties">js2-users.properties</module-option>
          <module-option name="rolesProperties">js2-roles.properties</module-option>
          <module-option name="unauthenticatedIdentity">nobody</module-option>
        </login-module>
      </authentication>
    </application-policy>

------ end of the working login-config.xml snippet ----------

----- not working login-config.xml snippet --------

    <application-policy name="Jetspeed">
      <authentication>
        <login-module code="org.apache.jetspeed.security.impl.DefaultLoginModule" flag="required">
        </login-module>
      </authentication>
    </application-policy>

------ end of the not working login-config.xml snippet ----------

------- code called from the JSP  ---------

    HttpServletRequest r = (HttpServletRequest) request;
    boolean b = r.isUserInRole(role);

    if (log.isDebugEnabled())
      log.debug("Using " + r + " user " + r.getUserPrincipal() + " is "
          + ((b) ? "" : "not ") + "in the role " + role + ".");

--------- end of the code called from the JSP ---------




Re: isUserInRole and DefaultLoginModule

Posted by David Sean Taylor <da...@bluesunrise.com>.
David Pankros wrote:
> Well, I discovered the problem after a day's (daze?) worth of searching
> through the security documentation and javadocs.  I'm replying to the list
> in the hope that if anyone else has the same issue that they can resolve it
> with a search, rather than brute force.
> 
> It seems Ate wrote a special login module for JBoss which resolves the
> issues.  Thus, the following change to login-config.xml fixes the issue:
> 
>     <application-policy name="Jetspeed">
>       <authentication>
>         <login-module code="org.apache.jetspeed.security.impl.ext.JBossLoginModule" flag="required">
>         </login-module>
>       </authentication>
>     </application-policy>
> 
> Dave
> 
Ate is on vacation or I'm sure he would have jumped in here.
Sorry, I need to pay more attention to JBoss issues, but I don't use it.
Thanks for sharing that.

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org


RE: isUserInRole and DefaultLoginModule

Posted by David Pankros <dp...@miragy.com>.
Well, I discovered the problem after a day's (daze?) worth of searching
through the security documentation and javadocs.  I'm replying to the list
in the hope that if anyone else has the same issue that they can resolve it
with a search, rather than brute force.

It seems Ate wrote a special login module for JBoss which resolves the
issues.  Thus, the following change to login-config.xml fixes the issue:

    <application-policy name="Jetspeed">
      <authentication>
        <login-module code="org.apache.jetspeed.security.impl.ext.JBossLoginModule" flag="required">
        </login-module>
      </authentication>
    </application-policy>

Dave
