Re: Role-based security question
Should be fixed. Thanks for uncovering this!

Regards,
Alan

Aaron Mulder wrote:
> Created http://issues.apache.org/jira/browse/GERONIMO-2295
>
> On 8/7/06, Aaron Mulder <[EMAIL PROTECTED]> wrote:
> > That definitely sounds like a bug.
> >
> > Thanks,
> >     Aaron
> >
> > On 8/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > Hello Geronimo users,
> > >
> > > I have tried to test a simple example concerning role-based security with Geronimo and haven't succeeded. Maybe my example is wrong, or my Geronimo configuration. I hope some of you can help me.
> > >
> > > I want to restrict access to the URL secure/start by allowing only the role 'administrator' to access it. An excerpt from my web.xml is:
> > >
> > > <web-app>
> > >   ...
> > >   <servlet>
> > >     <servlet-name>SecuredServlet</servlet-name>
> > >     <servlet-class>test.SecuredServlet</servlet-class>
> > >     <load-on-startup>1</load-on-startup>
> > >   </servlet>
> > >   ...
> > >   <servlet-mapping>
> > >     <servlet-name>SecureServlet</servlet-name>
> > >     <url-pattern>/secure/*</url-pattern>
> > >   </servlet-mapping>
> > >   ...
> > >   <security-constraint>
> > >     <web-resource-collection>
> > >       <web-resource-name>AdministratorFunctions</web-resource-name>
> > >       <url-pattern>/secure/start</url-pattern>
> > >       <http-method>GET</http-method>
> > >     </web-resource-collection>
> > >     <auth-constraint>
> > >       <role-name>administrator</role-name>
> > >     </auth-constraint>
> > >   </security-constraint>
> > >
> > >   <login-config>
> > >     <auth-method>FORM</auth-method>
> > >     <realm-name>MySecurityRealm</realm-name>
> > >     <form-login-config>
> > >       <form-login-page>/login.jsp</form-login-page>
> > >       <form-error-page>/error.jsp</form-error-page>
> > >     </form-login-config>
> > >   </login-config>
> > >
> > >   <security-role>
> > >     <role-name>administrator</role-name>
> > >   </security-role>
> > > </web-app>
> > >
> > > Only the role administrator should be able to access http://.../secure/start. Now I have created a new security realm MySecurityRealm with Geronimo using the Geronimo administration console (login module class org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule).
> > >
> > > The users file contains the following users:
> > >
> > > secUser=secret
> > > unsecUser=secret2
> > >
> > > The groups file contains the following group mappings:
> > >
> > > administrator=secUser
> > > application=unsecUser
> > >
> > > For the deployment I used the default deployment plan that can be obtained by clicking the 'usage' link under MySecurityRealm.
> > >
> > > When I access the /secure/start URL of the web application I'm initially asked for the password - okay. When I provide wrong password information, I'm directed to the error page - okay. But when I provide valid login information for both users, secUser and secUser2, I get access to the secure/start page. In my opinion, secUser2 should be forbidden to access this page. In a nutshell, all authenticated users can enter my application, even if they don't belong to my group 'administrator'.
> > >
> > > Hopefully, there is an easy solution.
> > >
> > > Best regards,
> > > Frank
Re: Role-based security question
Created http://issues.apache.org/jira/browse/GERONIMO-2295

On 8/7/06, Aaron Mulder <[EMAIL PROTECTED]> wrote:
> That definitely sounds like a bug.
>
> Thanks,
>     Aaron
>
> On 8/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Hello Geronimo users,
> >
> > [...]
> >
> > Best regards,
> > Frank
Re: Role-based security question
That definitely sounds like a bug.

Thanks,
    Aaron

On 8/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello Geronimo users,
>
> [...]
>
> Best regards,
> Frank
Re: Re: Role-based security question
Hi Frank,

I do not know if it is a bug in Geronimo. A while ago I ran into the same problem you faced and overcame it by changing the url-mapping in the security-constraint. I suggest you create a bug report in Geronimo JIRA.

Regards,
Vamsi

On 8/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello Vamsi,
>
> thank you for your hint. Adding another servlet mapping helped. Unfortunately I rely on getPathInfo() on the HttpServletRequest to extract a command like 'start' or 'stop'. With the additional servlet mapping the path info is now null. But I can find some workaround for this. Is this additional servlet mapping specification Geronimo-specific or the standard way to apply security constraints? From the servlet specification I was not aware of having to specify each secured mapping individually?
>
> Best regards,
> Frank
>
> -- Forwarded message --
> From: "Vamsavardhana Reddy" <[EMAIL PROTECTED]>
> To: user@geronimo.apache.org
> Date: Mon, 7 Aug 2006 15:28:20 +0530
> Subject: Re: Role-based security question
>
> Verified... adding another servlet-mapping with /secure/start helps. Changing the url-pattern to /secure/* in the security-constraint does not help.
>
> Thanks,
> Vamsi
>
> On 8/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > I forgot to also mention the change to the Geronimo deployment plan that I have applied:
> >
> > ...
> > class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
> > class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
> > ...
> >
> > Best regards,
> > Frank
> >
> > -- Forwarded message --
> > From: [EMAIL PROTECTED]
> > To: user@geronimo.apache.org
> > Date: Mon, 7 Aug 2006 10:50:17 +0200 (CEST)
> > Subject: Role-based security question
> >
> > Hello Geronimo users,
> >
> > [...]
> >
> > Best regards,
> > Frank
Re: Re: Role-based security question
Hello Vamsi,

thank you for your hint. Adding another servlet mapping helped. Unfortunately I rely on getPathInfo() on the HttpServletRequest to extract a command like 'start' or 'stop'. With the additional servlet mapping the path info is now null. But I can find some workaround for this. Is this additional servlet mapping specification Geronimo-specific or the standard way to apply security constraints? From the servlet specification I was not aware of having to specify each secured mapping individually?

Best regards,
Frank

--- Begin Message ---
Verified... adding another servlet-mapping with /secure/start helps. Changing the url-pattern to /secure/* in the security-constraint does not help.

Thanks,
Vamsi

On 8/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I forgot to also mention the change to the Geronimo deployment plan that I have applied:
>
> [...]
>
> Best regards,
> Frank
--- End Message ---
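The thread turns on two Servlet-spec rules: how a container picks a servlet-mapping for a request (which decides what getServletPath() and getPathInfo() return) and how it evaluates security-constraint elements (which decides whether a non-administrator is refused). The following is an added example, not code from this thread or from Geronimo: a small Python model of those rules (Servlet 2.4 sections SRV.11.1 and SRV.12.8, simplified; roles "*" and run-as are not modelled) applied to the web.xml Frank posted. It shows the decision a conforming container must reach for each request, which is what Frank expected and what the JIRA issue tracked, and it makes two caveats visible that a practitioner would check in this web.xml: an http-method list of only GET leaves POST (and every other method) to /secure/start unconstrained, and an exact url-pattern of /secure/start leaves /secure/stop unconstrained, whereas a constraint on /secure/* with no http-method covers both. The command_from helper is my illustration of the workaround Frank mentions for getPathInfo() returning null under an exact mapping; the mapping and constraint data are taken from the thread.

```python
"""Model of Servlet-spec URL-pattern matching (SRV.11.1) and security-constraint
evaluation (SRV.12.8), applied to the web.xml from this thread. Added example,
not Geronimo code; the spec rules are simplified (no "*" role, no run-as)."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def pattern_matches(pattern: str, path: str) -> bool:
    """SRV.11.1: default '/', path-prefix '/x/*', extension '*.ext', otherwise exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def _rank(pattern: str) -> Tuple[int, int]:
    """Precedence: exact beats the longest path-prefix, which beats extension, which beats default."""
    if pattern == "/":
        return (0, 0)
    if pattern.startswith("*."):
        return (1, 0)
    if pattern.endswith("/*"):
        return (2, len(pattern))
    return (3, 0)


def select_mapping(mappings: List[Tuple[str, str]], path: str) -> Optional[Tuple[str, str]]:
    """Return the (url-pattern, servlet-name) a container dispatches `path` to, or None."""
    hits = [m for m in mappings if pattern_matches(m[0], path)]
    return max(hits, key=lambda m: _rank(m[0]), default=None)


def split_path(pattern: str, path: str) -> Tuple[str, Optional[str]]:
    """(getServletPath(), getPathInfo()) for a request matched through `pattern`."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return prefix, path[len(prefix):] or None
    # exact, extension and default mappings: the whole path is the servlet path, path info is null
    return path, None


def command_from(servlet_path: str, path_info: Optional[str]) -> str:
    """Hypothetical workaround: take the command from path info, or, when that is null
    because an exact mapping matched, from the last segment of the servlet path."""
    source = path_info if path_info else servlet_path
    return source.rstrip("/").rsplit("/", 1)[-1]


@dataclass
class Constraint:
    """One <security-constraint>. roles=None means no <auth-constraint>; roles=[] means an empty one."""
    name: str
    url_patterns: List[str]
    http_methods: List[str] = field(default_factory=list)  # empty list = constraint covers all methods
    roles: Optional[List[str]] = None


def authorize(constraints: List[Constraint], method: str, path: str,
              user_roles: Optional[List[str]]) -> str:
    """SRV.12.8 outcome for one request: 'permit', 'challenge' (login required) or 'deny'.
    user_roles=None models an unauthenticated request."""
    hits = [c for c in constraints
            if any(pattern_matches(p, path) for p in c.url_patterns)
            and (not c.http_methods or method in c.http_methods)]
    if not hits:
        return "permit"        # unconstrained resource: no login prompt at all
    if any(c.roles == [] for c in hits):
        return "deny"          # an empty auth-constraint precludes everyone
    if any(c.roles is None for c in hits):
        return "permit"        # a constraint without auth-constraint allows unauthenticated access
    allowed = {r for c in hits for r in c.roles}
    if user_roles is None:
        return "challenge"
    return "permit" if allowed & set(user_roles) else "deny"


# Constructed from the web.xml in the thread (original mapping, Vamsi's extra mapping, the constraint).
MAPPINGS_ORIGINAL = [("/secure/*", "SecureServlet")]
MAPPINGS_WORKAROUND = MAPPINGS_ORIGINAL + [("/secure/start", "SecureServlet")]
CONSTRAINTS = [Constraint("AdministratorFunctions", ["/secure/start"], ["GET"], ["administrator"])]

if __name__ == "__main__":
    for roles in (["administrator"], ["application"], None):
        print("GET  /secure/start as", roles, "->", authorize(CONSTRAINTS, "GET", "/secure/start", roles))
    print("POST /secure/start unauthenticated ->", authorize(CONSTRAINTS, "POST", "/secure/start", None))
    print("GET  /secure/stop  unauthenticated ->", authorize(CONSTRAINTS, "GET", "/secure/stop", None))
    for mappings in (MAPPINGS_ORIGINAL, MAPPINGS_WORKAROUND):
        pattern, _ = select_mapping(mappings, "/secure/start")
        parts = split_path(pattern, "/secure/start")
        print(pattern, "->", parts, "command:", command_from(*parts))
```

With the thread's constraint, GET /secure/start is permitted for the administrator role, denied for the application role and challenged when unauthenticated; POST /secure/start and GET /secure/stop are permitted to anyone without a login prompt, because the constraint names only GET and only the exact path. Under the original /secure/* mapping the request splits into servlet path /secure and path info /start; once the exact /secure/start mapping is added it wins the precedence rule and path info becomes null, which is the effect Frank saw.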
Re: Role-based security question
Verified... adding another servlet-mapping with /secure/start helps. Changing the url-pattern to /secure/* in the security-constraint does not help.

Thanks,
Vamsi

On 8/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I forgot to also mention the change to the Geronimo deployment plan that I have applied:
>
> [...]
>
> Best regards,
> Frank
Re: Role-based security question
See if adding another servlet-mapping with /secure/start helps.

Thanks,
Vamsi

On 8/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I forgot to also mention the change to the Geronimo deployment plan that I have applied:
>
> [...]
>
> Best regards,
> Frank
Re: Role-based security question
Or change the url-pattern to /secure/* in the security-constraint.

Thanks,
Vamsi.

On 8/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I forgot to also mention the change to the Geronimo deployment plan that I have applied:
>
> [...]
>
> Best regards,
> Frank