But even then Peter, why would you insist on using container security configuration with Shiro? By definition, Shiro is a replacement for container-managed security. It's far simpler to configure the same with Shiro and if Shiro read container security configuration, it'd be limited by that configuration and it'd be unclear who's responsible for the security.
Kalle

On Wed, Jun 23, 2010 at 6:44 AM, Les Hazlewood <[email protected]> wrote:
> Hi Peter,
> No worries - no strain ;)
> Shiro does not support reading security settings from web.xml at the moment
> - the INI configuration to which I referred is Shiro's alternative to do the
> same thing. It supports form-based login as well using the 'authc' default
> filter. If this isn't sufficient, please open a Jira issue and we'll see if
> we can get it in for 1.1.
> Cheers,
> Les
>
> On Wed, Jun 23, 2010 at 12:13 AM, PDiefent <[email protected]> wrote:
>>
>> Hi Les,
>> I hope not to be a strain on your nerves but my problem deals with
>> container security. With standard wicket technology I couldn't solve my
>> problem so I thought Shiro would be an alternative.
>>
>> My standard security settings for the application are set in the web.xml:
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>PTSAARWEB</web-resource-name>
>>     <url-pattern>/*</url-pattern>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>JKNZL01</role-name>
>>   </auth-constraint>
>> </security-constraint>
>> <login-config>
>>   <auth-method>FORM</auth-method>
>>   <form-login-config>
>>     <form-login-page>/login.jsp</form-login-page>
>>     <form-error-page>/loginerror.jsp</form-error-page>
>>   </form-login-config>
>> </login-config>
>> <security-role>
>>   <role-name>JKNZL01</role-name>
>> </security-role>
>>
>> In my understanding this will cause the application server to start
>> login.jsp to get username and password.
>>
>> <html>
>>   <head>
>>     <title>Login</title>
>>   </head>
>>   <body bgcolor="white">
>>     <div class="title">Please Login</div>
>>     <form action="j_security_check" method="post">
>>       <table>
>>         <tr>
>>           <td align="right">Username:</td>
>>           <td><input name="j_username"></td>
>>         </tr>
>>         <tr>
>>           <td align="right">Password:</td>
>>           <td>
>>             <input type="password" name="j_password">
>>           </td>
>>         </tr>
>>       </table>
>>       <input type="submit" value="Login">
>>     </form>
>>   </body>
>> </html>
>>
>> The j_security_check method checks username and password against the user
>> realm (i.e. tomcat-users.xml) and allows or denies access to my
>> application.
>>
>> But in my testing environment with a tomcat application server everybody
>> with the right password can start the application even with the wrong
>> role.
>> In our customer environment with a BEA application server it's the same
>> problem.
>> A JSF based application works fine in both environments with the same
>> security settings.
>>
>> So my question: Is it possible to use container security settings with
>> shiro? Are custom realms the solution - but how to access the container
>> security settings?
>>
>> Thanks for your patience.
>> Best regards, Peter
>>
>> From: "Les Hazlewood-2 [via Shiro User]" <[hidden email]>
>> To: Peter Diefenthaeler/DEU/c...@csc
>> Date: 21.06.2010 18:05
>> Subject: Re: Basic authentication with tomcat
>>
>> Hi Peter,
>>
>> Absolutely. Please read
>> http://incubator.apache.org/shiro/configuration.html Sections 1.2.2 and
>> 1.2.3 are how you define static users, roles and permissions.
>>
>> Cheers,
>>
>> Les
>>
>> On Mon, Jun 21, 2010 at 1:06 AM, PDiefent <[hidden email]> wrote:
>>
>> Hi Les,
>> thanks for your detailed answer. The only thing I don't understand
>> is how
>> to use permissions and passwords from the tomcat realm?
>>
>> In my tomcat/conf folder I have a tomcat-users.xml with users and
>> roles:
>>
>> <tomcat-users>
>>   <user name="admin" password="admin" roles="admin,manager" />
>>   <user username="eoe1" password="eoe1" roles="AarWeb"/>
>>   <user username="eoe" password="zorro" roles="AarWeb"/>
>>   <user username="admin" password="admin" roles="admin,manager"/>
>>   <role rolename="AarWeb"/>
>>   <role rolename="manager"/>
>>   <role rolename="admin"/>
>> </tomcat-users>
>>
>> How can this be matched with shiro security?
>>
>> Thanks, Peter
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/Basic-authentication-with-tomcat-tp5120604p5203301.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>> View message @
>> http://shiro-user.582556.n2.nabble.com/Basic-authentication-with-tomcat-tp5120604p5204949.html
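
The INI configuration Les refers to, sketched as an added example (not from the thread or from the Shiro project) that mirrors the web.xml quoted above: form login at /login.jsp and the JKNZL01 role required on every URL. The two accounts, their passwords and /unauthorized.jsp are constructed placeholders.

```ini
# Added example, not part of the original thread.
# Role name and login page are taken from the quoted web.xml;
# accounts, passwords and /unauthorized.jsp are constructed placeholders.

[main]
# Takes the place of <login-config>/<form-login-config>: the 'authc' filter
# redirects unauthenticated requests to this page.
authc.loginUrl = /login.jsp
# Keep the field names of the existing form. The form has to POST back to
# /login.jsp itself; j_security_check is handled only by the container.
authc.usernameParam = j_username
authc.passwordParam = j_password
# Where an authenticated user who lacks the required role is sent.
roles.unauthorizedUrl = /unauthorized.jsp

[users]
# username = password, role1, role2, ...
# Plain-text passwords are for illustration only.
alice = CHANGE_ME_1, JKNZL01
bob = CHANGE_ME_2, AarWeb

# No [roles] section is needed: roles that carry no permission
# assignments only have to be named in [users].

[urls]
# Patterns are evaluated top to bottom; the first match wins.
# Takes the place of <security-constraint> with url-pattern /* and
# <auth-constraint> role JKNZL01.
/login.jsp = authc
/** = authc, roles[JKNZL01]
```

With this mapping, bob can log in but is stopped by roles[JKNZL01], because authentication (authc) and the role check (roles) are separate filters in the chain.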
