You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2007/07/29 19:54:52 UTC

[jira] Closed: (GERONIMO-3357) role is ignored in web.xml

     [ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks closed GERONIMO-3357.
----------------------------------

    Resolution: Cannot Reproduce

I wrote a test app that appears to work correctly.  It's in testsuite/enterprise-testsuite/sec-tests. To run it you appear to need to first run

mvn -Pchild
then
mvn 

You need up to date openejb (I haven't pushed this yet) and geronimo trunk.  I'm working on porting the app back to 2.0.

I wonder if you have correctly interpreted the meaning of run-as?  it does not affect the user of the component it is applied to, but rather the user of all the components it calls (at least ejbs and rars with container managed security).

> <run-as> role is ignored in web.xml
> -----------------------------------
>
>                 Key: GERONIMO-3357
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3357
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.0-M7
>         Environment: Windows XP SP2
>            Reporter: Aman Nanner
>            Assignee: David Jencks
>            Priority: Critical
>             Fix For: 2.0
>
>
> It seems that any <run-as> roles defined in a web.xml of a web application are ignored.  For example, consider the following web.xml fragment:
> {code:xml}
>    <servlet>
>       <servlet-name>ExceptionPage</servlet-name>
>       <jsp-file>/error/Exception.jsp</jsp-file>
>       <run-as>
>          <role-name>TESTSYSTEM</role-name>
>       </run-as>
>    </servlet>
> {code}
> The JSP is never run as the TESTSYSTEM role in this case, and thus access to method-restricted EJBs fails from the JSP.  I cannot see in the
> TomcatGeronimoRealm where this "run-as" role is being set, or if it is accessing the credential store to get the run-as subject.
> Below is the fragment of my geronimo-application.xml where I define the
> security policy:
> {code:xml}
>    <security:security>
>          <security:credential-store>
>              <security:pattern>
>                  <sys:name
> xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">MyCredentialStore</sys:name>
>              </security:pattern>
>          </security:credential-store>
>       <security:role-mappings>
>          <security:role role-name="TESTSYSTEM">
>             <security:run-as-subject>
>              <security:realm>TestingRealm</security:realm>
>              <security:id>test-system</security:id>
>             </security:run-as-subject>
>             <security:realm realm-name="TestingRealm">
>                <security:principal
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> name="TESTSYSTEM" />
>             </security:realm>
>          </security:role>
>       </security:role-mappings>
>    </security:security>
>    <sys:gbean name="TestingRealm"
> class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>       <sys:attribute name="realmName">TestingRealm</sys:attribute>
>       <sys:reference name="ServerInfo">
>          <sys:name>ServerInfo</sys:name>
>       </sys:reference>
>       <sys:xml-reference name="LoginModuleConfiguration">
>          <log:login-config
> xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>             <log:login-module control-flag="REQUIRED"
> wrap-principals="false">
>                <log:login-domain-name>TestingRealm</log:login-domain-name>
> <log:login-module-class>com.testing.security.TestingLoginModule</log:login-module-class>
>                <log:option name="userSelect">SELECT username, password FROM
> utl_user WHERE username=?</log:option>
>                <log:option
> name="dataSourceApplication">Mxi/Testing/1/ear</log:option>
>                <log:option name="groupSelect">SELECT name, 'TESTSYSTEM' as
> role_name FROM dual</log:option>
>                <log:option
> name="dataSourceName">com/testing/jdbc/TestDS</log:option>
>             </log:login-module>
>          </log:login-config>
>       </sys:xml-reference>
>    </sys:gbean>
>    <sys:gbean name="MyCredentialStore"
> class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>       <xml-attribute name="credentialStore">
>          <credential-store
> xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>             <!-- uncomment this and the default subject in the jettty
> console plan gives you admin console permissions -->
>             <realm name="TestingRealm">
>                <subject>
>                    <id>test-system</id>
>                    <credential>
> <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
>                       <value>ananner</value>
>                    </credential>
>                    <credential>
> <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
>                       <value>password</value>
>                    </credential>
>                </subject>
>             </realm>
>          </credential-store>
>       </xml-attribute>
>    </sys:gbean>
> {code}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.