You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2006/11/16 00:21:37 UTC
[jira] Commented: (GERONIMO-2564) Declaration of an anonymous role
in geronimo-web.xml
[ http://issues.apache.org/jira/browse/GERONIMO-2564?page=comments#action_12450230 ]
David Jencks commented on GERONIMO-2564:
----------------------------------------
I assume since you assigned this to 1.1.1 you are trying to use g. 1.1.1. In this case I think that geronimo is lacking sufficient validation for security configuration: your config doesn't look much like what the schema specifies. I don't see exactly what the problem is, but sometimes including invalid elements in an xml document can confuse xmlbeans into not finding the valid elements. Can you try making your security config conform to the schema and see if that helps and if not attach the modified config? The schema should be in schemas/geronimo-security-1.1.xsd.
I'm working on improving the validation.
> Declaration of an anonymous role in geronimo-web.xml
> ----------------------------------------------------
>
> Key: GERONIMO-2564
> URL: http://issues.apache.org/jira/browse/GERONIMO-2564
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: security
> Affects Versions: 1.1.1
> Environment: Windows XP / Novell LDAP
> Reporter: Jérôme GODARD
> Priority: Critical
>
> I want to automate the migration of a JSF WAS6 application to Geronimo.
> I try to defined a anonymous role like the J2EE role "EveryBody" in Websphere Application Server 6.
> My policy is to secure all the application (all jsp files of my web folder) except the jsp in the subfolders "public" and "login" (since defining a security constraint on /* doesn't work, I declare a security rules on *.faces).
> To do that, I first defined my security constraints in web.xml :
> I use 4 roles : User, Support, Admin and Everybody
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>AllURI</web-resource-name>
> <description>Represent all the application URI</description>
> <url-pattern>*.faces</url-pattern>
> <url-pattern>/faces/*</url-pattern>
> <url-pattern>*.jsp</url-pattern>
> <url-pattern>*.jsf</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <description />
> <role-name>User</role-name>
> <role-name>Admin</role-name>
> <role-name>Support</role-name>
> </auth-constraint>
> <user-data-constraint>
> <transport-guarantee>NONE</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Login</web-resource-name>
> <description>The login page resource</description>
> <url-pattern>/login/*</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint>
> <description />
> <role-name>EveryBody</role-name>
> </auth-constraint>
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
> <security-constraint>
> <display-name>Constraints PUBLIC</display-name>
> <web-resource-collection>
> <web-resource-name>Theme Resources</web-resource-name>
> <description />
> <url-pattern>/templates/*</url-pattern>
> <url-pattern>/index.jsp</url-pattern>
> <url-pattern>/jscookmenu/*</url-pattern>
> <url-pattern>/</url-pattern>
> <http-method>GET</http-method>
> </web-resource-collection>
> <web-resource-collection>
> <web-resource-name>Public Area</web-resource-name>
> <description>allows acces under /public/</description>
> <url-pattern>/public/*</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint>
> <description />
> <role-name>EveryBody</role-name>
> </auth-constraint>
> <user-data-constraint>
> <transport-guarantee>NONE</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
> <!-- Define the Login Configuration for the service provider -->
> <login-config>
> <auth-method>FORM</auth-method>
> <form-login-config>
> <form-login-page>/login/login.jsp</form-login-page>
> <form-error-page>/login/loginError.jsp</form-error-page>
> </form-login-config>
> </login-config>
> When I deploy it on geronimo, I use the following geronimo-web.xml file :
> <security-realm-name>app-dev-ldap-realm</security-realm-name>
> <sec:security>
> <sec:default-principal realm-name="app-dev-ldap-realm">
> <sec:principal name="anonymous"
> class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
> </sec:default-principal>
> <sec:role-mappings>
>
> <sec:role role-name="User">
> <sec:realm realm-name="app-dev-ldap-realm">
> <sec:principal name="GP-ZONE3-AXE-USER"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" designated-run-as="true" />
> </sec:realm>
> <sec:realm realm-name="app-dev-ldap-realm">
> <sec:principal name="GP-ZONE3-AXE-MANAGER"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
> </sec:realm>
> </sec:role>
> <sec:role role-name="Support">
> <sec:realm realm-name="app-dev-ldap-realm">
> <sec:principal name="GP-ZONE3-AXE-MANAGER"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
> </sec:realm>
> </sec:role>
> <sec:role role-name="Admin">
> <sec:realm realm-name="app-dev-ldap-realm">
> <sec:principal name="GP-ZONE3-AXE-MANAGER"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
> </sec:realm>
> </sec:role>
> <sec:role role-name="EveryBody">
> <sec:realm realm-name="app-dev-ldap-realm">
> <sec:principal name="anonymous"
> class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
> </sec:realm>
> </sec:role>
> </sec:role-mappings>
> </sec:security>
> I declare an anonymous user that I map to the EveryBody J2EE role (declared in web.xml). But when I deploy, login ressources and public pages still not be accessible by Everybody (ie : unauthentified user).
> It seems that the <default-principal/> rule do not affect the anonymous role to an unauthentified user like it should do.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira