[ https://issues.apache.org/jira/browse/GERONIMO-3357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12516991 ]
Aman Nanner commented on GERONIMO-3357:
---------------------------------------

You're right! The absence of the servlet-mapping was the cause of the issue. I made this change in my main application, and everything is working fine now.

> <run-as> role is ignored in web.xml
> -----------------------------------
>
>                 Key: GERONIMO-3357
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3357
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: security
>    Affects Versions: 2.0-M7
>         Environment: Windows XP SP2
>            Reporter: Aman Nanner
>            Assignee: David Jencks
>            Priority: Critical
>             Fix For: 2.0
>
>         Attachments: testing.ear.zip, testing2.ear
>
>
> It seems that any <run-as> roles defined in a web.xml of a web application
> are ignored. For example, consider the following web.xml fragment:
> {code:xml}
> <servlet>
>   <servlet-name>ExceptionPage</servlet-name>
>   <jsp-file>/error/Exception.jsp</jsp-file>
>   <run-as>
>     <role-name>TESTSYSTEM</role-name>
>   </run-as>
> </servlet>
> {code}
> The JSP is never run as the TESTSYSTEM role in this case, and thus access to
> method-restricted EJBs fails from the JSP. I cannot see in the
> TomcatGeronimoRealm where this "run-as" role is being set, or if it is
> accessing the credential store to get the run-as subject.
>
> Below is the fragment of my geronimo-application.xml where I define the
> security policy:
> {code:xml}
> <security:security>
>   <security:credential-store>
>     <security:pattern>
>       <sys:name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">MyCredentialStore</sys:name>
>     </security:pattern>
>   </security:credential-store>
>   <security:role-mappings>
>     <security:role role-name="TESTSYSTEM">
>       <security:run-as-subject>
>         <security:realm>TestingRealm</security:realm>
>         <security:id>test-system</security:id>
>       </security:run-as-subject>
>       <security:realm realm-name="TestingRealm">
>         <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="TESTSYSTEM" />
>       </security:realm>
>     </security:role>
>   </security:role-mappings>
> </security:security>
> <sys:gbean name="TestingRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>   <sys:attribute name="realmName">TestingRealm</sys:attribute>
>   <sys:reference name="ServerInfo">
>     <sys:name>ServerInfo</sys:name>
>   </sys:reference>
>   <sys:xml-reference name="LoginModuleConfiguration">
>     <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>       <log:login-module control-flag="REQUIRED" wrap-principals="false">
>         <log:login-domain-name>TestingRealm</log:login-domain-name>
>         <log:login-module-class>com.testing.security.TestingLoginModule</log:login-module-class>
>         <log:option name="userSelect">SELECT username, password FROM utl_user WHERE username=?</log:option>
>         <log:option name="dataSourceApplication">Mxi/Testing/1/ear</log:option>
>         <log:option name="groupSelect">SELECT name, 'TESTSYSTEM' as role_name FROM dual</log:option>
>         <log:option name="dataSourceName">com/testing/jdbc/TestDS</log:option>
>       </log:login-module>
>     </log:login-config>
>   </sys:xml-reference>
> </sys:gbean>
> <sys:gbean name="MyCredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>   <xml-attribute name="credentialStore">
>     <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>       <!-- uncomment this and the default subject in the jetty console plan gives you admin console permissions -->
>       <realm name="TestingRealm">
>         <subject>
>           <id>test-system</id>
>           <credential>
>             <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
>             <value>ananner</value>
>           </credential>
>           <credential>
>             <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
>             <value>password</value>
>           </credential>
>         </subject>
>       </realm>
>     </credential-store>
>   </xml-attribute>
> </sys:gbean>
> {code}

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
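The outcome of this thread is that a servlet declaring `<run-as>` but lacking a `<servlet-mapping>` is never invoked under that role, so the EJB method-permission checks fail exactly as the reporter saw. That misconfiguration is easy to catch before deployment. The following Python lint is an added example, not code from the issue or from Geronimo; it assumes the standard web.xml layout (`<servlet>` and `<servlet-mapping>` as direct children of `<web-app>`, with or without the Java EE namespace), and the `url-pattern` in the constructed "fixed" sample is an assumption, since the issue never states which URL the page was mapped to.

```python
"""Lint a web.xml for servlets that declare <run-as> but have no <servlet-mapping>.

Added example (not from the JIRA issue or the Geronimo project). A servlet or
jsp-file entry with a <run-as> role only takes effect when the container
actually dispatches requests to it, which requires a <servlet-mapping> for the
same servlet-name; this check flags entries where the mapping is missing.
"""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    # Strip an XML namespace prefix ("{uri}servlet" -> "servlet") so namespaced
    # and plain web.xml documents are handled the same way.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, child_name: str):
    # Return the stripped text of the first direct child with the given local name.
    node = next((c for c in elem if _local(c.tag) == child_name), None)
    if node is None or node.text is None:
        return None
    return node.text.strip()


def find_unmapped_run_as(web_xml: str):
    """Return [(servlet-name, role-name), ...] for every <servlet> that carries a
    <run-as> role but has no <servlet-mapping> referencing its servlet-name."""
    root = ET.fromstring(web_xml)

    # Collect every servlet-name that has at least one mapping.
    mapped = set()
    for elem in root:
        if _local(elem.tag) == "servlet-mapping":
            name = _child_text(elem, "servlet-name")
            if name:
                mapped.add(name)

    problems = []
    for elem in root:
        if _local(elem.tag) != "servlet":
            continue
        run_as = next((c for c in elem if _local(c.tag) == "run-as"), None)
        if run_as is None:
            continue  # no run-as role, nothing to check
        name = _child_text(elem, "servlet-name")
        role = _child_text(run_as, "role-name")
        if name not in mapped:
            problems.append((name, role))
    return problems


# Constructed sample: the fragment from the issue as originally deployed,
# i.e. a run-as role on a jsp-file servlet with no servlet-mapping.
BROKEN_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>ExceptionPage</servlet-name>
    <jsp-file>/error/Exception.jsp</jsp-file>
    <run-as><role-name>TESTSYSTEM</role-name></run-as>
  </servlet>
</web-app>"""

# Constructed sample: the same servlet with a servlet-mapping added, which is
# the fix reported in the comment. The url-pattern value is an assumption.
FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>ExceptionPage</servlet-name>
    <jsp-file>/error/Exception.jsp</jsp-file>
    <run-as><role-name>TESTSYSTEM</role-name></run-as>
  </servlet>
  <servlet-mapping>
    <servlet-name>ExceptionPage</servlet-name>
    <url-pattern>/error/Exception.jsp</url-pattern>
  </servlet-mapping>
</web-app>"""


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, find_unmapped_run_as(doc))
```

Run against the broken sample the lint reports `("ExceptionPage", "TESTSYSTEM")`; against the fixed sample it reports nothing. The check deliberately keys on `servlet-name` rather than on the JSP path, because that is the link the container uses to tie a mapping to the servlet whose `<run-as>` subject it must apply.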