[ http://issues.apache.org/jira/browse/GERONIMO-2564?page=comments#action_12450436 ]

Jérôme GODARD commented on GERONIMO-2564:
-----------------------------------------
Yes, I use geronimo 1.1.1 to develop; my target is little-g 1.1.1. I provide in attachment my last version of geronimo-web.xml. It conforms to schemas/geronimo-security-1.1.xsd; I used the eclipse plugin devtool (http://geronimo.apache.org/devtools.html) to create it.

I thought that using the tag <default-principal>, I could map unauthenticated users to a J2EE role (like the EveryBody role in Websphere). I saw in the following documentation: http://www.chariotsolutions.com/geronimo/geronimo-1.1/geronimo-html-one-page.html#figure-web-security-principal :

"default-principal : Holds a principal which will be used any time an unauthenticated user accesses an unsecured page...."

I saw also that "default-role : This attribute is not applicable to web applications."

But if I connect on an unsecured page without being connected, the method "isUserInRole()" in my jsp doesn't return anything.

Thanks for your help.

> Declaration of an anonymous role in geronimo-web.xml
> ----------------------------------------------------
>
>                 Key: GERONIMO-2564
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2564
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: security
>    Affects Versions: 1.1.1
>         Environment: Windows XP / Novell LDAP
>            Reporter: Jérôme GODARD
>            Priority: Critical
>
> I want to automate the migration of a JSF WAS6 application to Geronimo.
> I try to define an anonymous role like the J2EE role "EveryBody" in Websphere
> Application Server 6.
> My policy is to secure all the application (all jsp files of my web folder)
> except the jsp in the subfolders "public" and "login" (since defining a
> security constraint on /* doesn't work, I declare a security rule on
> *.faces).
> To do that, I first defined my security constraints in web.xml :
> I use 4 roles : User, Support, Admin and Everybody
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>AllURI</web-resource-name>
>       <description>Represent all the application
>         URI</description>
>       <url-pattern>*.faces</url-pattern>
>       <url-pattern>/faces/*</url-pattern>
>       <url-pattern>*.jsp</url-pattern>
>       <url-pattern>*.jsf</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <description />
>       <role-name>User</role-name>
>       <role-name>Admin</role-name>
>       <role-name>Support</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <transport-guarantee>NONE</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Login</web-resource-name>
>       <description>The login page resource</description>
>       <url-pattern>/login/*</url-pattern>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <description />
>       <role-name>EveryBody</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>   <security-constraint>
>     <display-name>Constraints PUBLIC</display-name>
>     <web-resource-collection>
>       <web-resource-name>Theme Resources</web-resource-name>
>       <description />
>       <url-pattern>/templates/*</url-pattern>
>       <url-pattern>/index.jsp</url-pattern>
>       <url-pattern>/jscookmenu/*</url-pattern>
>       <url-pattern>/</url-pattern>
>       <http-method>GET</http-method>
>     </web-resource-collection>
>     <web-resource-collection>
>       <web-resource-name>Public Area</web-resource-name>
>       <description>allows access under /public/</description>
>       <url-pattern>/public/*</url-pattern>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <description />
>       <role-name>EveryBody</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <transport-guarantee>NONE</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>   <!-- Define the Login Configuration for the service provider -->
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>       <form-login-page>/login/login.jsp</form-login-page>
>       <form-error-page>/login/loginError.jsp</form-error-page>
>     </form-login-config>
>   </login-config>
>
> When I deploy it on geronimo, I use the following geronimo-web.xml file :
>
>   <security-realm-name>app-dev-ldap-realm</security-realm-name>
>   <sec:security>
>     <sec:default-principal realm-name="app-dev-ldap-realm">
>       <sec:principal name="anonymous"
>         class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
>     </sec:default-principal>
>     <sec:role-mappings>
>
>       <sec:role role-name="User">
>         <sec:realm realm-name="app-dev-ldap-realm">
>           <sec:principal name="GP-ZONE3-AXE-USER"
>             class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>             designated-run-as="true" />
>         </sec:realm>
>         <sec:realm realm-name="app-dev-ldap-realm">
>           <sec:principal name="GP-ZONE3-AXE-MANAGER"
>             class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
>         </sec:realm>
>       </sec:role>
>       <sec:role role-name="Support">
>         <sec:realm realm-name="app-dev-ldap-realm">
>           <sec:principal name="GP-ZONE3-AXE-MANAGER"
>             class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
>         </sec:realm>
>       </sec:role>
>       <sec:role role-name="Admin">
>         <sec:realm realm-name="app-dev-ldap-realm">
>           <sec:principal name="GP-ZONE3-AXE-MANAGER"
>             class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
>         </sec:realm>
>       </sec:role>
>       <sec:role role-name="EveryBody">
>         <sec:realm realm-name="app-dev-ldap-realm">
>           <sec:principal name="anonymous"
>             class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
>         </sec:realm>
>       </sec:role>
>     </sec:role-mappings>
>
>   </sec:security>
>
> I declare an anonymous user that I map to the EveryBody J2EE role (declared
> in web.xml). But when I deploy, login resources and public pages are still not
> accessible by Everybody (i.e. unauthenticated user).
> It seems that the <default-principal/> rule does not affect the anonymous role
> to an unauthenticated user like it should do.
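To see how a Servlet 2.4 container evaluates constraints like the ones in this report, here is an added Python example; it is not the reporter's code and not part of Geronimo. It parses a trimmed web.xml with the same patterns and roles, parses a geronimo-web.xml role mapping (the `sec:` namespace URI is an assumption, the parser matches on local names), resolves which constraint governs a request in the order Tomcat's `RealmBase` uses (exact, then longest path prefix, then extension; assumed to hold for Geronimo 1.1's containers) and applies the combining rules of Servlet 2.4 section 12.8.1 as read here. Two things a reviewer of this configuration would check fall out of it: an `auth-constraint` that names a role, EveryBody included, only admits a caller who actually holds that role, so an unauthenticated request gets through only if the container grants it the roles mapped to the default principal; and a `web-resource-collection` that lists `http-method`s leaves every other method on that pattern unconstrained.

```python
"""Evaluate web.xml security constraints together with a geronimo-web.xml role
mapping for a request. Added illustration, not Geronimo project code."""
from collections import namedtuple
import xml.etree.ElementTree as ET

GUP = "org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
Constraint = namedtuple("Constraint", "patterns methods has_auth roles transport")

# Constructed samples modelled on the issue's files, trimmed; the sec: namespace
# URI below is an assumption (the parser matches on local names anyway).
WEB_XML = """<web-app>
 <security-constraint><web-resource-collection><web-resource-name>AllURI</web-resource-name>
   <url-pattern>*.faces</url-pattern><url-pattern>*.jsp</url-pattern></web-resource-collection>
  <auth-constraint><role-name>User</role-name><role-name>Admin</role-name></auth-constraint>
 </security-constraint>
 <security-constraint><web-resource-collection><web-resource-name>Login</web-resource-name>
   <url-pattern>/login/*</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection><auth-constraint><role-name>EveryBody</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 </security-constraint>
 <security-constraint><web-resource-collection><web-resource-name>Public</web-resource-name>
   <url-pattern>/public/*</url-pattern><url-pattern>/index.jsp</url-pattern></web-resource-collection>
  <auth-constraint><role-name>EveryBody</role-name></auth-constraint>
 </security-constraint>
</web-app>"""
GERONIMO_WEB_XML = f"""<web-app xmlns:sec="http://geronimo.apache.org/xml/ns/security-1.1">
 <sec:security>
  <sec:default-principal realm-name="app-dev-ldap-realm">
   <sec:principal name="anonymous" class="{GUP}"/></sec:default-principal>
  <sec:role-mappings>
   <sec:role role-name="EveryBody"><sec:realm realm-name="app-dev-ldap-realm">
    <sec:principal name="anonymous" class="{GUP}"/></sec:realm></sec:role>
  </sec:role-mappings>
 </sec:security>
</web-app>"""

_local = lambda tag: tag.split("}")[-1]                       # strip any namespace
_kids = lambda elem, name: [c for c in elem if _local(c.tag) == name]

def parse_web_xml(text):
    """One Constraint per web-resource-collection, carrying its parent's auth/transport."""
    out = []
    for sc in _kids(ET.fromstring(text), "security-constraint"):
        auth = _kids(sc, "auth-constraint")
        roles = frozenset(r.text.strip() for a in auth for r in _kids(a, "role-name"))
        tg = [t.text.strip() for u in _kids(sc, "user-data-constraint") for t in _kids(u, "transport-guarantee")]
        for wrc in _kids(sc, "web-resource-collection"):
            out.append(Constraint(
                tuple(p.text.strip() for p in _kids(wrc, "url-pattern")),
                frozenset(m.text.strip().upper() for m in _kids(wrc, "http-method")),
                bool(auth), roles, tg[0] if tg else "NONE"))
    return out

def _level(pattern, path):
    # Specificity (lower wins), Tomcat RealmBase order: exact, longest path prefix, extension.
    if pattern == path:
        return (0, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))
    elif pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (2, 0)
    return None

def applicable(constraints, path, method):
    """Constraints at the most specific matching level that also cover this HTTP method."""
    scored = []
    for c in constraints:
        lv = [l for l in (_level(p, path) for p in c.patterns) if l is not None]
        if lv:
            scored.append((min(lv), c))
    if not scored:
        return []
    best = min(lv for lv, _ in scored)
    return [c for lv, c in scored
            if lv == best and (not c.methods or method.upper() in c.methods)]

def decide(constraints, path, method, roles, https=False):
    """ALLOW / DENY / NEEDS_TLS / UNCONSTRAINED for a caller holding `roles` (empty = unauthenticated)."""
    app = applicable(constraints, path, method)
    if not app:
        return "UNCONSTRAINED"
    if all(c.transport != "NONE" for c in app) and not https:
        return "NEEDS_TLS"
    if any(c.has_auth and not c.roles for c in app):
        return "DENY"                  # an empty <auth-constraint/> precludes everyone
    if any(not c.has_auth for c in app):
        return "ALLOW"                 # no auth-constraint at all: no login needed
    needed = frozenset().union(*(c.roles for c in app))
    return "ALLOW" if roles & needed else "DENY"

def parse_role_mappings(text):
    """Returns (role-name -> {(principal name, class)}, default-principal set)."""
    root = ET.fromstring(text)
    prins = lambda e: {(p.get("name"), p.get("class")) for p in e.iter() if _local(p.tag) == "principal"}
    default = [prins(e) for e in root.iter() if _local(e.tag) == "default-principal"]
    return ({e.get("role-name"): prins(e) for e in root.iter() if _local(e.tag) == "role"},
            default[0] if default else set())

def roles_for(mapping, principals):
    """Roles granted to a caller carrying these principals under the mapping."""
    return frozenset(role for role, ps in mapping.items() if ps & principals)
```

`roles_for(mapping, default)` models what the reporter expects the default principal to achieve: the anonymous caller ends up holding EveryBody, and with that role `decide` admits it to `/public/*` and `/index.jsp`, while with an empty role set the same requests are denied. `/login/*` additionally answers `NEEDS_TLS` over plain HTTP because of the CONFIDENTIAL guarantee, and a `HEAD /login/login.jsp` is `UNCONSTRAINED` because the collection only lists GET and POST, which is the classic uncovered-method gap to look for when auditing such a file.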
