You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Mike La Budde <mi...@irista.com> on 2000/12/13 18:18:05 UTC
role-based security how to?
I'm a bit at a loss as to how I'm supposed to configure the role-based
security in my webapp's web.xml file.
Consider the following scenario for my webapp:
area roles
/pages/customers/* sales,admin
/pages/orders/* sales,clerks,admin
/pages/products/* clerks,admin
It's easy to configure multiple web-resource-collections for this, e.g.
<web-resource-collection>
<web-resource-name>customers</web-resource-name>
<url-pattern>/pages/customers/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>orders</web-resource-name>
<url-pattern>/pages/orders/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>products</web-resource-name>
<url-pattern>/pages/products/*</url-pattern>
</web-resource-collection>
The following:
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
seems to allow anyone with the role of admin to access all of the specified
web-resource-collections (which is fine in this example);
But how do I configure the other roles (sales & clerks) to only have access
to a specified web-resource-collection??
Any help would be greatly appreciated!
TIA,
Mike
Re: role-based security how to?
Posted by Thom Park <tp...@borland.com>.
..But use of <security-role> /is/ broken in tomcat 3.2
e.g.
consider the following web.xml fragments:
<!-- list of web app level roles -->
<security-role>
<role-name>fred</role-name>
</security-role>
and in the servlet definition we have
<!-- list of aliases for roles that the servlet will use ->
<security-role-ref>
<role-name>alias_for_fred</role-name>
<role-link>fred</role-link>
</security-role-ref>
the following servlet code will fail:
...
if ( req.isUserInRole("alias_for_fred") ) {
out.println("user validated for role") ;
}
else {
out.println("user not validated for role");
}
isUserInRole() only works if the role passed is identical to that defined in the
tomcat.users file.
This breaks the Servlet 2.2 specification on role aliasing - if there's a role-ref
set up, then isUserInRole should
respect this additional mapping.
-Thom
Mike La Budde wrote:
> Thanks Craig!
>
> I had tried defining several security-constraints like this:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>customers</web-resource-name>
> <url-pattern>/pages/customers/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>sales</role-name>
> <role-name>admin</role-name>
> </auth-constraint>
> </security-constraint>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>orders</web-resource-name>
> <url-pattern>/pages/orders/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>sales</role-name>
> <role-name>clerks</role-name>
> <role-name>admin</role-name>
> </auth-constraint>
> </security-constraint>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>products</web-resource-name>
> <url-pattern>/pages/products/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>clerks</role-name>
> <role-name>admin</role-name>
> </auth-constraint>
> </security-constraint>
>
> However, it blew up Tomcat and closed my console window! (I'm running under
> Win NT 4.0). So I just figured that I was specifying these wrong.
>
> Turns out the above is correct and I had introduced a different problem,
> which caused it to blow up....
>
> Mike
>
> At 12/13/2000 11:37 AM -0800, you wrote:
> >Mike La Budde wrote:
> >
> > > I'm a bit at a loss as to how I'm supposed to configure the role-based
> > > security in my webapp's web.xml file.
> > >
> > > Consider the following scenario for my webapp:
> > >
> > > area roles
> > > /pages/customers/* sales,admin
> > > /pages/orders/* sales,clerks,admin
> > > /pages/products/* clerks,admin
> > >
> >
> >One thing to remember is that you can list more than one <role-name> inside an
> ><auth-constraint>. Therefore, I would suggst making a separate security
> >constraint for each different set of roles. For example, the entry for
> >"/pages/products/*" would look like this:
> >
> > <security-constraint>
> > <web-resource-collection>
> > <web-resource-name>Product Info</web-resource-name>
> > <url-pattern>/pages/products/*</url-pattern>
> > </web-resource-collection>
> > <auth-constraint>
> > <role-name>clerks</role-name>
> > <role-name>admin</role-name>
> > </auth-constraint>
> > </security-constraint>
> >
> >You would have a similar constraint for the other two protected areas.
> >
> >(Note - the <web-resource-name> element is required by the DTD. Tomcat 3.x
> >does
> >not check for this, but you will get bit if you move to a different servlet
> >container later.)
> >
> >Craig McClanahan
Re: role-based security how to?
Posted by Mike La Budde <mi...@irista.com>.
Thanks Craig!
I had tried defining several security-constraints like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>customers</web-resource-name>
<url-pattern>/pages/customers/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>sales</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>orders</web-resource-name>
<url-pattern>/pages/orders/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>sales</role-name>
<role-name>clerks</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>products</web-resource-name>
<url-pattern>/pages/products/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>clerks</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
However, it blew up Tomcat and closed my console window! (I'm running under
Win NT 4.0). So I just figured that I was specifying these wrong.
Turns out the above is correct and I had introduced a different problem,
which caused it to blow up....
Mike
At 12/13/2000 11:37 AM -0800, you wrote:
>Mike La Budde wrote:
>
> > I'm a bit at a loss as to how I'm supposed to configure the role-based
> > security in my webapp's web.xml file.
> >
> > Consider the following scenario for my webapp:
> >
> > area roles
> > /pages/customers/* sales,admin
> > /pages/orders/* sales,clerks,admin
> > /pages/products/* clerks,admin
> >
>
>One thing to remember is that you can list more than one <role-name> inside an
><auth-constraint>. Therefore, I would suggst making a separate security
>constraint for each different set of roles. For example, the entry for
>"/pages/products/*" would look like this:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Product Info</web-resource-name>
> <url-pattern>/pages/products/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>clerks</role-name>
> <role-name>admin</role-name>
> </auth-constraint>
> </security-constraint>
>
>You would have a similar constraint for the other two protected areas.
>
>(Note - the <web-resource-name> element is required by the DTD. Tomcat 3.x
>does
>not check for this, but you will get bit if you move to a different servlet
>container later.)
>
>Craig McClanahan
Re: role-based security how to?
Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Mike La Budde wrote:
> I'm a bit at a loss as to how I'm supposed to configure the role-based
> security in my webapp's web.xml file.
>
> Consider the following scenario for my webapp:
>
> area roles
> /pages/customers/* sales,admin
> /pages/orders/* sales,clerks,admin
> /pages/products/* clerks,admin
>
One thing to remember is that you can list more than one <role-name> inside an
<auth-constraint>. Therefore, I would suggst making a separate security
constraint for each different set of roles. For example, the entry for
"/pages/products/*" would look like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>Product Info</web-resource-name>
<url-pattern>/pages/products/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>clerks</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
You would have a similar constraint for the other two protected areas.
(Note - the <web-resource-name> element is required by the DTD. Tomcat 3.x does
not check for this, but you will get bit if you move to a different servlet
container later.)
Craig McClanahan