Hi all, I use the 3.2.3 release. In my web application there are some secured and non secured pages. I experienced that the request.isUserInRole() function doesn't work if there is a forwarding from a secured jsp page to a public one.
I made a little example based on the jaas howto tutorial:

WEB.XML:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC
      "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
      "http://java.sun.com/dtd/web-app_2_3.dtd">

    <web-app>

      <!-- ### Security -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Restricted</web-resource-name>
          <url-pattern>/secured.jsp</url-pattern>
          <url-pattern>/securedTest.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>Echo</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>JAAS Tutorial Servlets</realm-name>
      </login-config>

      <security-role>
        <description>A user allowed to invoke echo methods</description>
        <role-name>Echo</role-name>
      </security-role>
      <security-role>
        <description>A user with no permissions</description>
        <role-name>nobody</role-name>
      </security-role>

    </web-app>

secured.jsp:

    <%if (request.isUserInRole( "Echo")) {%>
    <h1>member of a role</h1>
    <%} else {%>
    <h1>NOT member of a role</h1>
    <%}%>

    <a href="/SecurityWeb/securedTest.jsp">Link to a secured page</a><br/>
    <a href="/SecurityWeb/test.jsp">Link to a public page</a>

securedTest.jsp:

    <html>
    <body>
    <%if (request.isUserInRole( "Echo")) {%>
    <h1>member of a role</h1>
    <%} else {%>
    <h1>NOT member of a role</h1>
    <%}%>
    </body>
    </html>

test.jsp:

    <html>
    <body>
    <%if (request.isUserInRole( "Echo")) {%>
    <h1>member of a role</h1>
    <%} else {%>
    <h1>NOT member of a role</h1>
    <%}%>
    </body>
    </html>

The securedTest.jsp and test.jsp are the same, the only difference is that the securedTest.jsp is listed under the security-constraint.
Having tried the http://.............../secure.jsp and logging in successfully I can see the "member of a role" text and clicking to the "Link to a secured page" link the text remains the same. BUT clicking to the "Link to a public page" link the "NOT member of a role" text appears in the browser.

How could I preserve the roles during my navigation between secured and non secured pages? Is there a standard method or is this a bug?

Thanks for your reply in advance.

Tibor

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3834854#3834854