Posted to jetspeed-dev@portals.apache.org by "Sylvain RIBEYRON (JIRA)" <je...@portals.apache.org> on 2006/10/10 10:45:20 UTC

[jira] Commented: (JS2-526) JBoss web.xml entry for security-constraint login/redirector wont work under Tomcat

    [ http://issues.apache.org/jira/browse/JS2-526?page=comments#action_12441095 ] 
            
Sylvain RIBEYRON commented on JS2-526:
--------------------------------------

Hi all.

I have the same issue.

I think the problem is in JBossLoginModule (the JAAS plugin for JBoss). If you look at its source, you will see it has not changed since version 2.0, whereas DefaultLoginModule has changed.

In fact, in 2.1, it's up to the LoginModule to add portal-user role membership to the user's principals. This is done in DefaultLoginModule, but not in JBossLoginModule.

Try replacing the JBossLoginModule commitPrincipals method with the following:

    protected void commitPrincipals(Subject subject, User user)
    {
        // add UserPrincipal to subject
        subject.getPrincipals().add(getUserPrincipal(user));
        JBossGroup roles = new JBossGroup("Roles", getUserRoles(user));
        roles.addMember(new RolePrincipalImpl(portalUserRole));
        subject.getPrincipals().add(roles);
    }

This adds portal-user role membership to all authenticated users, and this should resolve our problem.


> JBoss web.xml entry for security-constraint login/redirector wont work under Tomcat
> -----------------------------------------------------------------------------------
>
>                 Key: JS2-526
>                 URL: http://issues.apache.org/jira/browse/JS2-526
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.1-dev
>         Environment: Windows XP SP2, Tomcat 5.5.16, JBoss 4.0.4-CR2, Jetspeed-2.1-dev (sources)
>            Reporter: Bruno Marti
>            Priority: Minor
>
> I've built my own portal from the 2.1-dev sources.
> The installed portal works on Tomcat 5.5.16, but not on JBoss 4.0.4.
> Under JBoss I am receiving an HTTP error 403 after the log-in submit.
> (seems like the same problem as in issue JS2-496: http://issues.apache.org/jira/browse/JS2-496)
> If I manually add the following role-name in the portal's web.xml, it works fine on both Tomcat and JBoss servers:
>   <role-name>*</role-name>
> Here is the new full constraint entry:
> ...
> 	<!-- Protect LogInRedirectory.jsp.  This will require a login when called -->
> 	<security-constraint>
> 		<web-resource-collection>
> 			<web-resource-name>Login</web-resource-name>
> 			<url-pattern>/login/redirector</url-pattern>
> 		</web-resource-collection>
> 		<auth-constraint>
> 			<!-- the required portal user role name defined in: -->
> 			<!-- /WEB-INF/assembly/security-atn.xml             -->
> 			<role-name>portal-user</role-name>
> 			<role-name>*</role-name>
> 		</auth-constraint>
> 	</security-constraint>
> ...
> Is this quite correct or do I have a security problem now?
> Or is there a bug in JBoss?
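
An added check, not part of the original message or of Jetspeed's code: per the Servlet specification, `*` in an auth-constraint stands for every role declared in the web application, so a constraint that lists it is no longer limited to portal-user. The script flags such constraints in a web.xml; the security-role declarations (including the `admin` role) in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the reported constraint plus made-up security-role declarations.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/login/redirector</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>portal-user</role-name>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>portal-user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

def children(elem, name):
    """Direct children by local name, ignoring the XML namespace (2.3 DTD or 2.4 schema)."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def texts(elem, path):
    """Stripped text of the elements reached by walking the local names in path."""
    nodes = [elem]
    for name in path:
        nodes = [c for n in nodes for c in children(n, name)]
    return [(n.text or "").strip() for n in nodes]

def audit_wildcard_roles(web_xml):
    """Return one finding per security-constraint whose auth-constraint lists '*'."""
    root = ET.fromstring(web_xml)
    declared = sorted(texts(root, ["security-role", "role-name"]))
    findings = []
    for sc in children(root, "security-constraint"):
        roles = texts(sc, ["auth-constraint", "role-name"])
        if "*" in roles:
            findings.append({
                "url_patterns": texts(sc, ["web-resource-collection", "url-pattern"]),
                "named_roles": [r for r in roles if r != "*"],  # made redundant by '*'
                "effective_roles": declared,  # roles '*' expands to per the spec
            })
    return findings

if __name__ == "__main__":
    for finding in audit_wildcard_roles(SAMPLE_WEB_XML):
        print(finding)
```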
