Hallo,
I forget to also mention the change of the Gernimo deployment plan that I have
applied:
...
<role-mappings>
<role role-name="administrator">
<principal name="administrator" designated-run-as="true"
class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
/>
<principal name="root"
class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
/>
</role>
</role-mappings>
...
Best regards,
Frank
--- Begin Message ---
Hallo Geronimo users,
I have tried to test a simple example concerning role-based security with
Geronimo and havn't succeed. Maybe my example is wrong or my Geronimo
configuration. I hope, some of you can help me.
I want to restrict access to the Url secure/start by allowing only the role
'adimistrator' to access them. An excerpt from my web.xml is:
<web-app>
...
<servlet>
<servlet-name>SecuredServlet</servlet-name>
<servlet-class>test.SecuredServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
...
<servlet-mapping>
<servlet-name>SecureServlet</servlet-name>
<url-pattern>/secure/*</url-pattern>
</servlet-mapping>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>AdministratorFunctions</web-resource-name>
<url-pattern>/secure/start</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MySecurityRealm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>administrator</role-name>
</security-role>
</web-app>
Only the role administrator should be able to access http://.../secure/start.
Now I have created a new security realm MySecurityRealm with Geronimo using
Gernimo administration console (login module class
org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule).
The users file contains the following users:
secUser=secret
unsecUser=secret2
The groups file contains the following group mappings:
administrator=secUser
application=unsecUser
For the deployment I used the default deployment plan that can be obtained by
clicking the 'usage' link under MySecuriryRealm.
When I access the /secure/start Url of the web application I'm initially asked
for the password - okay. When I provide wrong password information, I'm
directed to the error page - okay. But when I provide valid login information
for both users, secUser and secUser2, I get access to the secure/start page. In
my opinion, secUser2 should be forbidden to access this page. In a nutshell,
all authenticated users can enter my applications, even if they don't belong to
my group 'adimistrator'.
Hopefully, there is an easy solution.
Best regards,
Frank
--- End Message ---