[ http://issues.apache.org/jira/browse/JS2-526?page=all ]

Sylvain RIBEYRON updated JS2-526:
---------------------------------

    Attachment: security.patch.txt

Here is the patch that resolves the problem. It works for me.

The patch changes two files:
- DefaultLoginModule.java -> set portalUserRole scope to protected instead of 
private, so that inherited classes can access this attribute,
- JBossLoginModule -> add portalUserRole to the list of roles for JBoss.

I hope this will help.


> JBoss web.xml entry for security-constraint login/redirector won't work under 
> Tomcat
> -----------------------------------------------------------------------------------
>
>                 Key: JS2-526
>                 URL: http://issues.apache.org/jira/browse/JS2-526
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.1-dev
>         Environment: Windows XP SP2, Tomcat 5.5.16, JBoss 4.0.4-CR2, 
> Jetspeed-2.1-dev (sources)
>            Reporter: Bruno Marti
>            Priority: Minor
>         Attachments: security.patch.txt
>
>
> I've built my own portal from the 2.1-dev sources.
> The installed portal works on Tomcat 5.5.16, but not on JBoss 4.0.4.
> Under JBoss I am receiving an HTTP error 403 after the log-in submit.
> (seems like the same problem as in issue JS2-496: 
> http://issues.apache.org/jira/browse/JS2-496)
> If I manually add the following role-name in the portal's web.xml, it works 
> fine, on both Tomcat and JBoss servers:
>   <role-name>*</role-name>
> Here is the new full constraint entry:
> ...
>       <!-- Protect LogInRedirectory.jsp.  This will require a login when 
> called -->
>       <security-constraint>
>               <web-resource-collection>
>                       <web-resource-name>Login</web-resource-name>
>                       <url-pattern>/login/redirector</url-pattern>
>               </web-resource-collection>
>               <auth-constraint>
>                       <!-- the required portal user role name defined in: -->
>                       <!-- /WEB-INF/assembly/security-atn.xml             -->
>                       <role-name>portal-user</role-name>
>                       <role-name>*</role-name>
>               </auth-constraint>
>       </security-constraint>
> ...
> Is this quite correct or do I have a security problem now?
> Or is there a bug in JBoss?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
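
On the reporter's closing question: under the Servlet 2.4 specification, `*` in an auth-constraint is shorthand for every role name declared in the deployment descriptor, so listing it beside portal-user means the named role no longer restricts anything. The following is an added example (not part of the issue, the attached patch, or Jetspeed) that audits a web.xml for such constraints; the sample descriptor is constructed from the snippet quoted above plus a made-up /admin/* entry.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint quoted in the issue wrapped in a minimal
# web-app, plus a second constraint (made-up /admin/* and "admin" role).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/redirector</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>portal-user</role-name>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

def local(tag):
    """Drop the XML namespace so DTD-based and schema-based files both match."""
    return tag.rsplit("}", 1)[-1]

def find(elem, name):
    """All elements at or below elem whose local tag name equals name."""
    return [e for e in elem.iter() if local(e.tag) == name]

def wildcard_constraints(web_xml_text):
    """Return (url_patterns, overridden_roles) for each constraint using '*'."""
    findings = []
    for sc in find(ET.fromstring(web_xml_text), "security-constraint"):
        for ac in find(sc, "auth-constraint"):
            roles = [(r.text or "").strip() for r in find(ac, "role-name")]
            if "*" in roles:
                urls = [(u.text or "").strip() for u in find(sc, "url-pattern")]
                findings.append((urls, [r for r in roles if r != "*"]))
    return findings

if __name__ == "__main__":
    for urls, overridden in wildcard_constraints(SAMPLE_WEB_XML):
        print(f"{urls}: '*' admits every declared role; {overridden} no longer restricts")
```
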

        
