The problem appears to lie in the elided servlet definition of the web.xml file rather 
than security. There is apparently at least one malformed <init-param> element and 
<taglib> element. Compare the app web.xml with the example struts web.xml and run an 
XML verifier on it.

--
Fred Loney
Spirited Software, Inc.
[EMAIL PROTECTED]

Hajo Hindriks wrote:

> Hi everybody,
>
> I am desperately in need of help..
>
> My goal is to have a web-application that distinguishes 3 types of users.
> Anonymous (e.g. has no account), Traders and Admins. I went through the
> JAAS-example and I do have a database setup that is working with the
> examples (using my own database..)
>
> I have the following entries in the roles-table
>   user1, trader, callerprincipal
>   user1, admin, callerprincipal
>   user2, trader, callerprincipal
>
> In jboss I have a stateless-session bean betx/WebEntry that works. Now I
> wanted to add security. There is a method addRequest() that should be
> callable for users without restrictions. There is a method getPaper() that
> should be called by both Traders and Admins and I have a method
> getAccounts() that should only be called from Admins.... I am lost in the
> config-files. I appreciate any help in correcting my config-files...
>
> in auth.conf I have an entry
> betx {
> } //should work... tested with examples
>
> my web.xml
> <?xml version="1.0" encoding="ISO-8859-1"?>
>
> <!DOCTYPE web-app
>   PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
>   "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
>
> <web-app>
>
>   <!-- Action Servlet Configuration -->
>   <servlet>
>     <servlet-name>action</servlet-name>
>
> <servlet-class>s1.struts.component.ActionComponentServlet</servlet-class>
> ..
>   </servlet>
>
>   <!-- Action Servlet Mapping -->
>   <servlet-mapping>
>     <servlet-name>action</servlet-name>
>     <url-pattern>*.do</url-pattern>
>   </servlet-mapping>
> ...
>   <!-- == Security-Definition
> ============================================== -->
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Restricted</web-resource-name>
>       <description/>
>       <url-pattern>/restricted/*</url-pattern>
> <!-- does this mean I have to place restricted jsp-files in a /restricted
> subdirectory and leave the others at the top-level? -->
>       <http-method>HEAD</http-method>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>       <http-method>PUT</http-method>
>       <http-method>DELETE</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>Trader</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <description/>
>       <transport-guarantee>NONE</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Betx Trading Plattform</realm-name>
>   </login-config>
>
>   <security-role>
>     <description/>
>     <role-name>Trader</role-name>
>   </security-role>
>
>   <ejb-ref>
>     <ejb-ref-name>WebEntry</ejb-ref-name>
>     <ejb-ref-type>Session</ejb-ref-type>
>     <home>unizh.ifi.betx.ejb.webentry.WebEntryHome</home>
>     <remote>unizh.ifi.betx.ejb.webentry.WebEntry</remote>
>   </ejb-ref>
> </web-app>
>
> my jboss-web.xml:
> <?xml version="1.0" encoding="UTF-8"?>
>
> <jboss-web>
>     <security-domain>java:/jaas/betx</security-domain>
>     <ejb-ref>
>         <ejb-ref-name>WebEntry</ejb-ref-name>
>         <jndi-name>betx/WebEntry</jndi-name>
>     </ejb-ref>
> </jboss-web>
>
> in ejb-jar.xml
> ...
>   <assembly-descriptor>
>     <security-descriptor>
>       <role-name>Trader</role-name>
>     </security-descriptor>
>
>     <method-permission>
>       <role-name>Trader</role-name>
>       <method>
>         <ejb-name>WebEntry</ejb-name>
>         <method-name>create</method-name>
>       </method>
>       <method>
>         <ejb-name>WebEntry</ejb-name>
>         <method-name>remove</method-name>
>       </method>
>     </method-permission>
>
>     <method-permission>
>       <role-name>Admin</role-name>
>       <method>
>         <ejb-name>WebEntry</ejb-name>
>         <method-name>*</method-name>
>       </method>
>     </method-permission>
> ...
>   </assembly-descriptor>
> </ejb-jar>
>
>  in jboss.xml
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <jboss>
>     <security-domain>java:/jaas/betx</security-domain>
> ..
>
> If I try to deploy the ear-file with my current config-files I get the
> following errors in the log:
>
> [EmbeddedTomcatSX] Warning: validation was turned on but an
> org.xml.sax.ErrorHandler was not
> [EmbeddedTomcatSX] set, which is probably not what is desired.  Parser will
> use a default
> [EmbeddedTomcatSX] ErrorHandler to print the first 10 errors.  Please call
> [EmbeddedTomcatSX] the 'setErrorHandler' method to fix this.
> [EmbeddedTomcatSX] Error: URI=null Line=7: Document root element "web-app",
> must match DOCTYPE root "web-app".
> [EmbeddedTomcatSX] Error: URI=null Line=17: The content of element type
> "init-param" must match "(param-name,param-value,description?)".
> [EmbeddedTomcatSX] Error: URI=null Line=21: The content of element type
> "init-param" must match "(param-name,param-value,description?)".
> [EmbeddedTomcatSX] Error: URI=null Line=26: The content of element type
> "init-param" must match "(param-name,param-value,description?)".
> [EmbeddedTomcatSX] Error: URI=null Line=30: The content of element type
> "init-param" must match "(param-name,param-value,description?)".
> [EmbeddedTomcatSX] Error: URI=null Line=34: The content of element type
> "init-param" must match "(param-name,param-value,description?)".
> [EmbeddedTomcatSX] Error: URI=null Line=38: The content of element type
> "init-param" must match "(param-name,param-value,description?)".
> [EmbeddedTomcatSX] Error: URI=null Line=42: The content of element type
> "init-param" must match "(param-name,param-value,description?)".
> [EmbeddedTomcatSX] Error: URI=null Line=44: The content of element type
> "servlet" must match
> "(icon?,servlet-name,display-name?,description?,(servlet-class|jsp-file),init-param*,load-on-startup?,security-role-ref*)".
> [EmbeddedTomcatSX] Error: URI=null Line=51: The content of element type
> "servlet-mapping" must match "(servlet-name,url-pattern)".
> [EmbeddedTomcatSX] Warning: validation was turned on but an
> org.xml.sax.ErrorHandler was not
> [EmbeddedTomcatSX] set, which is probably not what is desired.  Parser will
> use a default
> [EmbeddedTomcatSX] ErrorHandler to print the first 10 errors.  Please call
> [EmbeddedTomcatSX] the 'setErrorHandler' method to fix this.
> [EmbeddedTomcatSX] Error: URI=null Line=10: Document root element "taglib",
> must match DOCTYPE root "taglib".
> [EmbeddedTomcatSX] Error: URI=null Line=22: The content of element type
> "attribute" must match "(name,required?,rtexprvalue?)".
> [EmbeddedTomcatSX] Error: URI=null Line=27: The content of element type
> "attribute" must match "(name,required?,rtexprvalue?)".
> [EmbeddedTomcatSX] Error: URI=null Line=32: The content of element type
> "attribute" must match "(name,required?,rtexprvalue?)".
> [EmbeddedTomcatSX] Error: URI=null Line=37: The content of element type
> "attribute" must match "(name,required?,rtexprvalue?)".
>
>


_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
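
Added example, not part of the original thread: the reply recommends running an XML verifier over web.xml, and this sketch checks child-element order against the three content models quoted in the deployment log. The sample descriptor is constructed (the poster's servlet definition is elided), and `model_to_regex` and `check_descriptor` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

# Content models copied verbatim from the validation errors in the quoted log.
CONTENT_MODELS = {
    "init-param": "(param-name,param-value,description?)",
    "servlet": "(icon?,servlet-name,display-name?,description?,"
               "(servlet-class|jsp-file),init-param*,load-on-startup?,"
               "security-role-ref*)",
    "servlet-mapping": "(servlet-name,url-pattern)",
}

def model_to_regex(model):
    """Compile a DTD content model into a regex over 'child-name,' tokens."""
    def token(match):
        # A sequence comma becomes plain concatenation; a name becomes a group.
        if match.group() == ",":
            return ""
        return "(?:%s,)" % re.escape(match.group())
    return re.compile(re.sub(r"[\w.-]+|,", token, model))

def check_descriptor(xml_text):
    """Return (element, child-tag list) for every element that breaks its model."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        model = CONTENT_MODELS.get(elem.tag)
        children = [child.tag for child in elem]
        sequence = "".join(tag + "," for tag in children)
        if model and not model_to_regex(model).fullmatch(sequence):
            findings.append((elem.tag, children))
    return findings

# Constructed sample: an init-param with no param-value and a servlet-mapping
# whose children are in the wrong order. The servlet element itself is valid.
BAD_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>s1.struts.component.ActionComponentServlet</servlet-class>
    <init-param><param-name>debug</param-name></init-param>
  </servlet>
  <servlet-mapping>
    <url-pattern>*.do</url-pattern>
    <servlet-name>action</servlet-name>
  </servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    for tag, children in check_descriptor(BAD_WEB_XML):
        print("%s: children %s do not match %s" % (tag, children, CONTENT_MODELS[tag]))
```

This checks only element order for the three models listed; a validating parser run against the web-app 2.2 DTD covers the whole descriptor.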