On 8/6/06, David Jencks <[EMAIL PROTECTED]> wrote:

On Aug 5, 2006, at 11:09 PM, Vamsavardhana Reddy wrote:

> Hi,
>
> I have a web application that has the following security-constraint
> in the web.xml
>
>    <security-constraint>
>      <web-resource-collection>
>        <web-resource-name>Secure</web-resource-name>
>        <url-pattern>/secure/AuthorizationServlet</url-pattern>
>      </web-resource-collection>
>      <user-data-constraint>
>        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>      </user-data-constraint>
>    </security-constraint>
>
> My application does not use any security roles and does not
> authenticate against any security realm.  All this security-
> constraint does is that the requests are forwarded to HTTPS port
> (enabled for ClientAuth) and the application uses Client
> Certificates for authorization.  In G1.0, I could deploy this
> application without using a geronimo-web.xml and the application
> runs fine.
>
> G1.1 does not allow me to deploy this application without a
> deployment plan.  Even with a deployment plan, G1.1 comes back with
> errors that there are no security elements in the deployment plan.
> The following messages are displayed in the console.
>
> Deployer operation failed: web.xml for web app tutorial/cert-auth-sample/1.0/war
> includes security elements but Geronimo deployment plan is not provided or does
> not contain <security-realm-name> element necessary to configure security
> accordingly.
> org.apache.geronimo.common.DeploymentException: web.xml for web app
> tutorial/cert-auth-sample/1.0/war includes security elements but Geronimo
> deployment plan is not provided or does not contain <security-realm-name>
> element necessary to configure security accordingly.
>
> Clearly, I cannot put any security-realm-name and role-mapping
> elements in geronimo-web.xml.  If I put a security-realm-name tag
> and/or role-mappings to get past the deployment, access to the
> resource will be denied since I have not put any auth-constraint
> tags in web.xml.

Did you check this?  I'd expect that everything would work as
expected if you supply a security-realm-name and that you will be
able to access pages without logging in.

Specifying a security-realm-name and no security tag gave the following error:

Deployer operation failed: You have specified a <security-realm-name> for the
webapp tutorial/cert-auth-sample/1.0/war?J2EEApplication=null,j2eeType=WebModule,name=tutorial/cert-auth-sample/1.0/war
but no <security> configuration (role mapping) is supplied in the Geronimo plan
for the web application (or the Geronimo plan for the EAR if the web app is in
an EAR)

Specifying a security-realm-name and a security tag with just a default-principal entry did get the app deployed successfully.  And the app did work as expected.
 

>
> Any suggestions on how to get past this problem?  Or is this a bug
> in G1.1?

I have to regard it as a bug in G1.1, although if supplying a
security-realm-name works it's a fairly minor bug.  I'm very curious
about whether G1.0 actually enforced the CONFIDENTIAL user-data-
constraint: my guess is that it did not.

I have used the app in question on G1.0 (or a derived product).  When a resource with the CONFIDENTIAL user-data-constraint set was accessed over HTTP, the server did redirect to an HTTPS port (with Tomcat, this redirection was successful only if HTTPS was on port 443, while Jetty had no problems redirecting to any port configured in the connector).

thanks
david jencks

>
> Thanks and regards,
> Vamsi

