Posted to dev@geronimo.apache.org by "Aman Nanner (JIRA)" <ji...@apache.org> on 2007/07/26 23:10:04 UTC

[jira] Created: (GERONIMO-3357) <run-as> role is ignored in web.xml

<run-as> role is ignored in web.xml
-----------------------------------

                 Key: GERONIMO-3357
                 URL: https://issues.apache.org/jira/browse/GERONIMO-3357
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: security
    Affects Versions: 2.0-M7
         Environment: Windows XP SP2
            Reporter: Aman Nanner
            Priority: Critical
             Fix For: 2.0


It seems that any <run-as> roles defined in a web.xml of a web application are ignored.  For example, consider the following web.xml fragment:

{code:xml}
   <servlet>
      <servlet-name>ExceptionPage</servlet-name>
      <jsp-file>/error/Exception.jsp</jsp-file>
      <run-as>
         <role-name>TESTSYSTEM</role-name>
      </run-as>
   </servlet>
{code}

The JSP is never run as the TESTSYSTEM role in this case, and thus access to method-restricted EJBs fails from the JSP.  I cannot see in the TomcatGeronimoRealm where this "run-as" role is being set, or if it is accessing the credential store to get the run-as subject.

Below is the fragment of my geronimo-application.xml where I define the security policy:
{code:xml}
   <security:security>
      <security:credential-store>
         <security:pattern>
            <sys:name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">MyCredentialStore</sys:name>
         </security:pattern>
      </security:credential-store>
      <security:role-mappings>
         <security:role role-name="TESTSYSTEM">
            <security:run-as-subject>
               <security:realm>TestingRealm</security:realm>
               <security:id>test-system</security:id>
            </security:run-as-subject>
            <security:realm realm-name="TestingRealm">
               <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="TESTSYSTEM" />
            </security:realm>
         </security:role>
      </security:role-mappings>
   </security:security>
   <sys:gbean name="TestingRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
      <sys:attribute name="realmName">TestingRealm</sys:attribute>
      <sys:reference name="ServerInfo">
         <sys:name>ServerInfo</sys:name>
      </sys:reference>
      <sys:xml-reference name="LoginModuleConfiguration">
         <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
            <log:login-module control-flag="REQUIRED" wrap-principals="false">
               <log:login-domain-name>TestingRealm</log:login-domain-name>
               <log:login-module-class>com.testing.security.TestingLoginModule</log:login-module-class>
               <log:option name="userSelect">SELECT username, password FROM utl_user WHERE username=?</log:option>
               <log:option name="dataSourceApplication">Mxi/Testing/1/ear</log:option>
               <log:option name="groupSelect">SELECT name, 'TESTSYSTEM' as role_name FROM dual</log:option>
               <log:option name="dataSourceName">com/testing/jdbc/TestDS</log:option>
            </log:login-module>
         </log:login-config>
      </sys:xml-reference>
   </sys:gbean>
   <sys:gbean name="MyCredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
      <xml-attribute name="credentialStore">
         <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
            <!-- uncomment this and the default subject in the jetty console plan gives you admin console permissions -->
            <realm name="TestingRealm">
               <subject>
                  <id>test-system</id>
                  <credential>
                     <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
                     <value>ananner</value>
                  </credential>
                  <credential>
                     <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
                     <value>password</value>
                  </credential>
               </subject>
            </realm>
         </credential-store>
      </xml-attribute>
   </sys:gbean>
{code}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Assigned: (GERONIMO-3357) <run-as> role is ignored in web.xml

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks reassigned GERONIMO-3357:
--------------------------------------

    Assignee: David Jencks




[jira] Closed: (GERONIMO-3357) <run-as> role is ignored in web.xml

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks closed GERONIMO-3357.
----------------------------------

    Resolution: Cannot Reproduce

I wrote a test app that appears to work correctly.  It's in testsuite/enterprise-testsuite/sec-tests. To run it you appear to need to first run

mvn -Pchild
then
mvn 

You need up to date openejb (I haven't pushed this yet) and geronimo trunk.  I'm working on porting the app back to 2.0.

I wonder if you have correctly interpreted the meaning of run-as?  It does not affect the user of the component it is applied to, but rather the user of all the components it calls (at least EJBs and RARs with container-managed security).




[jira] Commented: (GERONIMO-3357) <run-as> role is ignored in web.xml

Posted by "Aman Nanner (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12516991 ] 

Aman Nanner commented on GERONIMO-3357:
---------------------------------------

You're right!  The absence of the servlet-mapping was the cause of the issue.  I made this change in my main application, and everything is working fine now.




[jira] Commented: (GERONIMO-3357) <run-as> role is ignored in web.xml

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12516820 ] 

David Jencks commented on GERONIMO-3357:
----------------------------------------

OK, with your app I see the problem, at least in jetty.  The difference between our apps is that yours uses the default subject in the web app, whereas mine uses an authenticated subject in the web app.




[jira] Updated: (GERONIMO-3357) <run-as> role is ignored in web.xml

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks updated GERONIMO-3357:
-----------------------------------

    Attachment: testing2.ear

I take it back, geronimo is working fine.  There were a lot of configuration problems in your app:

1. no servlet mapping for your jsp, so it was getting served by the default jsp servlet, which doesn't have a run-as role.  I added a mapping to test, so localhost:8080/testing/test gets the jsp.  This illustrates why the default jsp servlet may be a bad idea.
2. wrong principal in the role-mapping.  MXSYSTEM is not produced by the geronimo-admin realm.  I changed it to admin.

Also the schemas have changed a bit, I updated to use jetty and the new configuration-store-ref element.

I might have updated to an uncommitted schema namespace */jetty-2.0, in which case you can wait until I commit or move it back to 1.2.


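The two configuration problems David lists above (a servlet that declares <run-as> but has no <servlet-mapping>, so requests fall through to the default JSP servlet with no run-as identity; and a run-as role whose entry in the Geronimo plan does not yield a usable subject) are both visible from the descriptors alone. The following is an added example, not code from the thread or from the Geronimo project: a small Python lint that parses a web.xml and the plan's role-mappings and reports both conditions. The sample web.xml reuses the page's ExceptionPage servlet and adds two invented servlets (ReportServlet, AuditServlet) for contrast; the plan fragment is modelled on the page's role-mappings, with an invented AUDITOR role, and its security namespace URI is an assumption (matching is by local name, so the exact URI does not matter). The second check generalises David's finding slightly: rather than a wrong principal, it flags a run-as role with no run-as-subject at all, which is the case the plan can be checked for without a running server.

```python
"""Added example (not Geronimo project code): lint a web.xml and its Geronimo
plan for the two run-as misconfigurations diagnosed in GERONIMO-3357."""
import xml.etree.ElementTree as ET

# Constructed web.xml: ExceptionPage is the page's fragment (run-as, but no
# servlet-mapping); ReportServlet and AuditServlet are invented for contrast.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>ExceptionPage</servlet-name>
    <jsp-file>/error/Exception.jsp</jsp-file>
    <run-as><role-name>TESTSYSTEM</role-name></run-as>
  </servlet>
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>com.testing.web.ReportServlet</servlet-class>
    <run-as><role-name>TESTSYSTEM</role-name></run-as>
  </servlet>
  <servlet>
    <servlet-name>AuditServlet</servlet-name>
    <servlet-class>com.testing.web.AuditServlet</servlet-class>
    <run-as><role-name>AUDITOR</role-name></run-as>
  </servlet>
  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name><url-pattern>/report</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>AuditServlet</servlet-name><url-pattern>/audit</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed plan fragment modelled on the page's role-mappings. The security
# namespace URI is an assumption; every lookup below matches on local name only.
# AUDITOR is mapped to a principal (authorization) but has no run-as-subject.
PLAN_XML = """<security:security
    xmlns:security="http://geronimo.apache.org/xml/ns/security-2.0">
  <security:role-mappings>
    <security:role role-name="TESTSYSTEM">
      <security:run-as-subject>
        <security:realm>TestingRealm</security:realm>
        <security:id>test-system</security:id>
      </security:run-as-subject>
      <security:realm realm-name="TestingRealm">
        <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="TESTSYSTEM"/>
      </security:realm>
    </security:role>
    <security:role role-name="AUDITOR">
      <security:realm realm-name="TestingRealm">
        <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="AUDITOR"/>
      </security:realm>
    </security:role>
  </security:role-mappings>
</security:security>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    """First proper descendant of elem whose local name is `name`, else None."""
    for d in elem.iter():
        if d is not elem and _local(d.tag) == name:
            return d
    return None


def run_as_servlets(web_xml):
    """Map servlet-name -> run-as role-name for every servlet declaring <run-as>."""
    result = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        run_as = _find(servlet, "run-as")
        if run_as is not None:
            name = _find(servlet, "servlet-name").text.strip()
            result[name] = _find(run_as, "role-name").text.strip()
    return result


def mapped_servlets(web_xml):
    """Servlet names that have at least one <servlet-mapping>."""
    return {_find(m, "servlet-name").text.strip()
            for m in ET.fromstring(web_xml).iter() if _local(m.tag) == "servlet-mapping"}


def plan_run_as_roles(plan_xml):
    """Role names in the plan that carry a <run-as-subject>."""
    return {r.get("role-name") for r in ET.fromstring(plan_xml).iter()
            if _local(r.tag) == "role" and _find(r, "run-as-subject") is not None}


def lint(web_xml, plan_xml):
    """Return one finding per run-as servlet that cannot actually run as its role."""
    mapped, plan_roles, findings = mapped_servlets(web_xml), plan_run_as_roles(plan_xml), []
    for servlet, role in sorted(run_as_servlets(web_xml).items()):
        if servlet not in mapped:
            findings.append(f"{servlet}: declares run-as {role} but has no servlet-mapping; "
                            "requests reach the default JSP servlet, which has no run-as role")
        if role not in plan_roles:
            findings.append(f"{servlet}: run-as role {role} has no run-as-subject in the plan")
    return findings


if __name__ == "__main__":
    for finding in lint(WEB_XML, PLAN_XML):
        print(finding)
```

Run against the constructed inputs, the lint reports ExceptionPage (no mapping) and AuditServlet (no run-as-subject), and stays silent for ReportServlet, which has both. Note that, as David explains above, a clean result means the servlet's outbound calls to EJBs will carry the run-as subject; it says nothing about who is allowed to call the servlet itself, which is governed by security-constraint, not run-as.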


[jira] Reopened: (GERONIMO-3357) <run-as> role is ignored in web.xml

Posted by "Aman Nanner (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aman Nanner reopened GERONIMO-3357:
-----------------------------------


I will attach a test case which demonstrates that this does not work.

> <run-as> role is ignored in web.xml
> -----------------------------------
>
>                 Key: GERONIMO-3357
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3357
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.0-M7
>         Environment: Windows XP SP2
>            Reporter: Aman Nanner
>            Assignee: David Jencks
>            Priority: Critical
>             Fix For: 2.0
>
>



[jira] Updated: (GERONIMO-3357) <run-as> role is ignored in web.xml

Posted by "Aman Nanner (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aman Nanner updated GERONIMO-3357:
----------------------------------

    Attachment: testing.ear.zip

This EAR file demonstrates the test case.

Access the page: http://localhost/testing.

The index.jsp file is defined with a run-as role so that it can make a restricted EJB call.

> <run-as> role is ignored in web.xml
> -----------------------------------
>
>                 Key: GERONIMO-3357
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3357
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public (Regular issues)
>          Components: security
>    Affects Versions: 2.0-M7
>         Environment: Windows XP SP2
>            Reporter: Aman Nanner
>            Assignee: David Jencks
>            Priority: Critical
>             Fix For: 2.0
>
>         Attachments: testing.ear.zip
>
>



[jira] Closed: (GERONIMO-3357) <run-as> role is ignored in web.xml

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks closed GERONIMO-3357.
----------------------------------

    Resolution: Cannot Reproduce

Example supplied was misconfigured and when corrected worked fine.

> <run-as> role is ignored in web.xml
> -----------------------------------
>
>                 Key: GERONIMO-3357
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3357
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public (Regular issues)
>          Components: security
>    Affects Versions: 2.0-M7
>         Environment: Windows XP SP2
>            Reporter: Aman Nanner
>            Assignee: David Jencks
>            Priority: Critical
>             Fix For: 2.0
>
>         Attachments: testing.ear.zip, testing2.ear
>
>

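The issue was closed as a misconfiguration, and the three things that have to line up for a run-as role to take effect are all visible in the fragments quoted in this thread: the role name in web.xml, a matching <security:role> with a <security:run-as-subject>, and a credential-store subject for that realm and id. The following cross-check is an added example, not code from the thread or from Geronimo; it assumes the security-2.0 namespace URI (elements are matched by local name, so the URI does not change the result) and uses constructed sample documents modelled on the quoted fragments.

```python
import xml.etree.ElementTree as ET

def local(tag):  # ElementTree spells tags '{uri}name'; keep only 'name'
    return tag.rsplit("}", 1)[-1]
def find_all(root, name):  # every descendant (or root) with that local name
    return [e for e in root.iter() if local(e.tag) == name]
def child_text(elem, name):  # text of the first direct child with that local name
    hits = [c for c in elem if local(c.tag) == name]
    return (hits[0].text or "").strip() if hits else None

def check_run_as(web_xml, plan_xml):
    # Returns a list of problems; an empty list means web.xml and plan agree.
    web, plan = ET.fromstring(web_xml), ET.fromstring(plan_xml)
    # role-name -> (realm, subject id) taken from its <run-as-subject>, or None
    mapped = {}
    for role in find_all(plan, "role"):
        subj = find_all(role, "run-as-subject")
        mapped[role.get("role-name")] = (
            (child_text(subj[0], "realm"), child_text(subj[0], "id")) if subj else None)
    # (realm name, subject id) pairs the credential store can hand out; only the credential-store <realm> has a name= attribute
    stored = {(r.get("name"), child_text(s, "id"))
              for r in find_all(plan, "realm") if r.get("name")
              for s in find_all(r, "subject")}
    problems = []
    for servlet in find_all(web, "servlet"):
        run_as = find_all(servlet, "run-as")
        if not run_as:
            continue
        name, role = child_text(servlet, "servlet-name"), child_text(run_as[0], "role-name")
        if role not in mapped:
            problems.append(f"{name}: role {role!r} missing from role-mappings")
        elif mapped[role] is None:
            problems.append(f"{name}: role {role!r} has no run-as-subject")
        elif mapped[role] not in stored:
            problems.append(f"{name}: subject {mapped[role]} not in credential store")
    return problems

# Constructed samples modelled on the thread's fragments (not the attached EAR); the security-2.0 URI is assumed.
WEB_XML = ("<web-app><servlet><servlet-name>index</servlet-name>"
           "<run-as><role-name>TESTSYSTEM</role-name></run-as></servlet></web-app>")

def plan(role_name, subject_id):
    return f"""<application xmlns:security="http://geronimo.apache.org/xml/ns/security-2.0">
 <security:security><security:role-mappings><security:role role-name="{role_name}">
  <security:run-as-subject><security:realm>TestingRealm</security:realm><security:id>test-system</security:id></security:run-as-subject>
 </security:role></security:role-mappings></security:security>
 <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
  <realm name="TestingRealm"><subject><id>{subject_id}</id></subject></realm>
 </credential-store></application>"""
```

Running `check_run_as(WEB_XML, plan("TESTSYSTEM", "test-system"))` returns an empty list; a role name that differs only in case, or a subject id the credential store does not hold, is reported per servlet.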