[ 
https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12734105#action_12734105
 ] 

Trygve Hardersen commented on GERONIMO-4756:
--------------------------------------------

Hi

I've been trying to upgrade our application to use Jetty7, but can't get the 
run-as security to work. Since our application is rather complex and big, I've 
created a sample project that illustrates the problem in a more controlled 
environment using the current Geronimo trunk (rev 796620) without any 
modifications.

The sample project is called JGS (Jotta Geronimo Security) and has 3 components 
that are deployed as Geronimo plugins:

realm-plugin - Holds the security realm and credential store
ejb-plugin - Holds the EJB service layer
web-plugin - Holds the WAR HTTP layer

The realm-plugin uses a custom login module TestLoginModule that checks that 
the supplied username matches the supplied password. If the username is 
"admin", "anonymous" or "system", the username will also be used as role name. 
If not, the role name will be set to "customer". The realm-plugin also holds a 
credential store that gives the username and password for the "anonymous" and 
"system" run-as users.

The ejb-plugin has two stateless sessions beans; TestServiceEJB and 
SecureServiceEJB. Both EJBs are set to run-as "system". TestServiceEJB declares 
the roles "admin", "anonymous", "customer" and "system", and references the 
SecureServiceEJB. TestServiceEJB has three "hello" methods:

sayHello(String) - Says hello to admin, anonymous, customer and system users.
sayHello() - Says hello to customer users.
secureHello(String) - Says hello to admin, customer and system users using 
SecureServiceEJB to demonstrate run-as security.

The SecureServiceEJB declares the same roles as TestServiceEJB, but only has 
one method:

sayHello(String) - Says hello only to system components.

In other words SecureServiceEJB can only be used by callers in the "system" 
role, such as TestServiceEJB.

All of this works as expected including run-as security, at least when I use 
remote EJB to test the services directly. See RemoteEJBTest in the ejb-test 
module. The problem starts when I try to use run-as security in the web-plugin. 
This is what I want:

/welcome - WelcomeServlet says hello to the user identified by a parameter 
called "name". Set to run-as "anonymous".
/default - DefaultServlet does the same as WelcomeServlet, but does not declare 
run-as and should use the default run-as identity which is also "anonymous".
/customer - CustomerServlet is only accessible by "customer" users, and does 
not use run-as.
/system - SystemServlet should run-as system because it is a secure system 
component.

Of these 4 URLs I can only get /customer to work properly. When the URL is used 
the BASIC authentication triggers and the user can log in as "test"/"test" or 
whatever they like. The username is picked up all the way down to the EJB that 
greets the customer.

The 3 other URLs generally do not work. I've tried many configuration 
combinations, such as using run-as annotations, defining security constraints 
for the "run-as" URLs, disabling the default run-as subject and only using a 
single servlet, but I can't get things to run-as anything consistently. 
Strangely I'm 99% sure I've seen the run-as security work a couple of times, at 
least after doing normal authentication first. Could there be a concurrency 
issue somewhere?

I'm attaching the sample project. Thanks a lot for looking into this, and 
please let me know if you have questions.


> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: Geronimo-4766.patch, jgs.tar.gz
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is 
> defined, not only if authentication is specifically configured: this will 
> make default subjects work when no auth is configured.  Should not be a 
> problem for tomcat.... for some reason I found this problem there already :-)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

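For readers reconstructing the reproducer, the realm rule described in the comment (password must equal the user name; "admin", "anonymous" and "system" get a role of the same name, everyone else gets "customer") written as a plain JAAS LoginModule. This is an added illustration, not the TestLoginModule from the attached jgs.tar.gz and not Geronimo code: the class name SampleTestLoginModule, the nested UserPrincipal/RolePrincipal classes and the roleFor() helper are assumptions, and a real Geronimo realm would add the container's own principal types instead. One caveat the rule implies: since "system"/"system" satisfies it, anyone who reaches the BASIC prompt can authenticate straight into the "system" role, which is fine for a bug reproducer but not for a real realm.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Illustrative JAAS login module (hypothetical, not the sample project's own class)
 * implementing the realm rule described in the comment.
 */
public final class SampleTestLoginModule implements LoginModule {

    /** Users whose role name equals their user name; everyone else is "customer". */
    private static final Set<String> SELF_NAMED = Set.of("admin", "anonymous", "system");

    /** Hypothetical principal types so the example compiles stand-alone. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private String role;
    private boolean authenticated;
    private boolean committed;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Role the sample realm assigns to a user name. */
    static String roleFor(String user) {
        return SELF_NAMED.contains(user) ? user : "customer";
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler");
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            LoginException le = new LoginException("callback failed");
            le.initCause(e);
            throw le;
        }
        String name = nameCb.getName();
        char[] pw = passCb.getPassword();
        passCb.clearPassword();
        // Sample-only rule: the password must equal the user name. A real realm
        // would compare against a stored credential, never against the name.
        boolean ok = name != null && !name.isEmpty() && pw != null
                && Arrays.equals(name.toCharArray(), pw);
        if (pw != null) Arrays.fill(pw, '\0');
        if (!ok) throw new FailedLoginException("bad user name or password");
        user = name;
        role = roleFor(name);
        authenticated = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!authenticated) return false;
        // The role principal is what the container's security-role mapping sees.
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.getPrincipals().add(new RolePrincipal(role));
        committed = true;
        return true;
    }

    @Override
    public boolean abort() {
        if (!authenticated) return false;
        if (committed) logout(); else clear();
        return true;
    }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeIf(p ->
                (p instanceof UserPrincipal && p.getName().equals(user))
             || (p instanceof RolePrincipal && p.getName().equals(role)));
        clear();
        return true;
    }

    private void clear() { user = null; role = null; authenticated = false; committed = false; }
}
```

With this module behind the realm, a login of "test"/"test" yields a Subject holding UserPrincipal("test") and RolePrincipal("customer"), which is the identity the comment describes reaching the EJB on /customer; a run-as declaration replaces that caller Subject with the one built from the credential store entry for "anonymous" or "system" before the call proceeds.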