Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2007/08/01 03:04:53 UTC
[jira] Closed: (GERONIMO-3357) <run-as> role is ignored in web.xml
[ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Jencks closed GERONIMO-3357.
----------------------------------
Resolution: Cannot Reproduce
Example supplied was misconfigured and when corrected worked fine.
> <run-as> role is ignored in web.xml
> -----------------------------------
>
> Key: GERONIMO-3357
> URL: https://issues.apache.org/jira/browse/GERONIMO-3357
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: security
> Affects Versions: 2.0-M7
> Environment: Windows XP SP2
> Reporter: Aman Nanner
> Assignee: David Jencks
> Priority: Critical
> Fix For: 2.0
>
> Attachments: testing.ear.zip, testing2.ear
>
>
> It seems that any <run-as> roles defined in a web.xml of a web application are ignored. For example, consider the following web.xml fragment:
> {code:xml}
> <servlet>
>   <servlet-name>ExceptionPage</servlet-name>
>   <jsp-file>/error/Exception.jsp</jsp-file>
>   <run-as>
>     <role-name>TESTSYSTEM</role-name>
>   </run-as>
> </servlet>
> {code}
> The JSP is never run as the TESTSYSTEM role in this case, and thus access to method-restricted EJBs fails from the JSP. I cannot see in the TomcatGeronimoRealm where this "run-as" role is being set, or if it is accessing the credential store to get the run-as subject.
> Below is the fragment of my geronimo-application.xml where I define the security policy:
> {code:xml}
> <security:security>
>   <security:credential-store>
>     <security:pattern>
>       <sys:name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">MyCredentialStore</sys:name>
>     </security:pattern>
>   </security:credential-store>
>   <security:role-mappings>
>     <security:role role-name="TESTSYSTEM">
>       <security:run-as-subject>
>         <security:realm>TestingRealm</security:realm>
>         <security:id>test-system</security:id>
>       </security:run-as-subject>
>       <security:realm realm-name="TestingRealm">
>         <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="TESTSYSTEM" />
>       </security:realm>
>     </security:role>
>   </security:role-mappings>
> </security:security>
> <sys:gbean name="TestingRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>   <sys:attribute name="realmName">TestingRealm</sys:attribute>
>   <sys:reference name="ServerInfo">
>     <sys:name>ServerInfo</sys:name>
>   </sys:reference>
>   <sys:xml-reference name="LoginModuleConfiguration">
>     <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>       <log:login-module control-flag="REQUIRED" wrap-principals="false">
>         <log:login-domain-name>TestingRealm</log:login-domain-name>
>         <log:login-module-class>com.testing.security.TestingLoginModule</log:login-module-class>
>         <log:option name="userSelect">SELECT username, password FROM utl_user WHERE username=?</log:option>
>         <log:option name="dataSourceApplication">Mxi/Testing/1/ear</log:option>
>         <log:option name="groupSelect">SELECT name, 'TESTSYSTEM' as role_name FROM dual</log:option>
>         <log:option name="dataSourceName">com/testing/jdbc/TestDS</log:option>
>       </log:login-module>
>     </log:login-config>
>   </sys:xml-reference>
> </sys:gbean>
> <sys:gbean name="MyCredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>   <xml-attribute name="credentialStore">
>     <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>       <!-- uncomment this and the default subject in the jetty console plan gives you admin console permissions -->
>       <realm name="TestingRealm">
>         <subject>
>           <id>test-system</id>
>           <credential>
>             <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
>             <value>ananner</value>
>           </credential>
>           <credential>
>             <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
>             <value>password</value>
>           </credential>
>         </subject>
>       </realm>
>     </credential-store>
>   </xml-attribute>
> </sys:gbean>
> {code}
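As an added example (not Geronimo's code and not part of the report), the following Python check walks the three links the configuration in the report depends on: the web.xml <run-as> role name must have a security:role mapping carrying a run-as-subject, that subject's realm/id must exist in the credential store, and the security:credential-store pattern must name a deployed sys:gbean. The embedded XML is a constructed, abridged copy of the report's fragments; the closing comment does not say which setting was wrong, so the check simply reports whichever link is broken, and the namespace URIs other than deployment-1.2 are placeholders because only local element names are compared.

```python
import xml.etree.ElementTree as ET
# Constructed, abridged copies of the two fragments in the report.
WEB_XML = """<web-app><servlet><servlet-name>ExceptionPage</servlet-name><jsp-file>/error/Exception.jsp</jsp-file>
<run-as><role-name>TESTSYSTEM</role-name></run-as></servlet></web-app>"""
# Placeholder URIs stand in for the security/credentialstore namespaces; only local names are compared.
PLAN_XML = """<plan xmlns:security="urn:placeholder:security"
 xmlns:sys="http://geronimo.apache.org/xml/ns/deployment-1.2"><security:security>
 <security:credential-store><security:pattern><sys:name>MyCredentialStore</sys:name></security:pattern></security:credential-store>
 <security:role-mappings><security:role role-name="TESTSYSTEM"><security:run-as-subject>
  <security:realm>TestingRealm</security:realm><security:id>test-system</security:id>
 </security:run-as-subject></security:role></security:role-mappings></security:security>
 <sys:gbean name="MyCredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
  <xml-attribute name="credentialStore"><credential-store xmlns="urn:placeholder:credentialstore">
  <realm name="TestingRealm"><subject><id>test-system</id></subject></realm></credential-store></xml-attribute></sys:gbean></plan>"""

def find_all(node, name):
    """Match by local name, since the plan mixes security:, sys: and default namespaces."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def text(node, name):
    hits = [e.text.strip() for e in find_all(node, name) if e.text and e.text.strip()]
    return hits[0] if hits else None

def check_run_as(web_xml, plan_xml):
    """Follow each web.xml <run-as> role through the plan and return the broken links."""
    problems, web, plan = [], ET.fromstring(web_xml), ET.fromstring(plan_xml)
    security = find_all(plan, "security")[0]
    # 1. security:credential-store must point at a sys:gbean that is actually deployed
    store = text(find_all(security, "credential-store")[0], "name")
    gbean = next((g for g in find_all(plan, "gbean") if g.get("name") == store), None)
    if gbean is None:
        problems.append(f"credential-store pattern '{store}' matches no sys:gbean")
    roles = {r.get("role-name"): r for r in find_all(security, "role")}
    for servlet in find_all(web, "servlet"):
        if not find_all(servlet, "run-as"):
            continue
        sname, role = text(servlet, "servlet-name"), text(servlet, "role-name")
        # 2. the role needs a security:role mapping that carries a run-as-subject
        subj = find_all(roles[role], "run-as-subject") if role in roles else []
        if not subj:
            problems.append(f"{sname}: role '{role}' has no run-as-subject mapping")
            continue
        realm, sid = text(subj[0], "realm"), text(subj[0], "id")
        # 3. that realm/id must be a subject defined in the credential store itself
        ids = [text(s, "id") for r in find_all(gbean if gbean is not None else plan, "realm")
               if r.get("name") == realm for s in find_all(r, "subject")]
        if sid not in ids:
            problems.append(f"{sname}: subject {realm}/{sid} not in credential store '{store}'")
    return problems
```

Running `check_run_as(WEB_XML, PLAN_XML)` on the constructed fragments returns an empty list; change any one of the three linked values and the corresponding link is reported.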