Hi Peter,

No worries - no strain ;)

Shiro does not support reading security settings from web.xml at the moment - the INI configuration to which I referred is Shiro's alternative to do the same thing. It supports form-based login as well using the 'authc' default filter. If this isn't sufficient, please open a Jira issue and we'll see if we can get it in for 1.1.

Cheers,

Les

On Wed, Jun 23, 2010 at 12:13 AM, PDiefent <[email protected]> wrote:

> Hi Les,
> I hope not to be a strain on your nerves but my problem deals with
> container security. With standard wicket technology I couldn't solve my
> problem so I thought Shiro would be an alternative.
>
> My standard security settings for the application are set in the web.xml:
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>PTSAARWEB</web-resource-name>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>JKNZL01</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <form-login-config>
>             <form-login-page>/login.jsp</form-login-page>
>             <form-error-page>/loginerror.jsp</form-error-page>
>         </form-login-config>
>     </login-config>
>     <security-role>
>         <role-name>JKNZL01</role-name>
>     </security-role>
>
> In my understanding this will cause the application server to start
> login.jsp to get username and password.
>
>     <html>
>     <head>
>         <title>Login</title>
>     </head>
>     <body bgcolor="white">
>         <div class="title">Please Login</div>
>         <form action="j_security_check" method="post">
>             <table>
>                 <tr>
>                     <td align="right">Username:</td>
>                     <td><input name="j_username"></td>
>                 </tr>
>                 <tr>
>                     <td align="right">Password:</td>
>                     <td>
>                         <input type="password" name="j_password">
>                     </td>
>                 </tr>
>             </table>
>             <input type="submit" value="Login">
>         </form>
>     </body>
>     </html>
>
> The j_security_check method checks username and password against the user
> realm (i.e. tomcat-users.xml) and allows or denies access to my
> application.
>
> But in my testing environment with a tomcat application server everybody
> with the right password can start the application even with the wrong role.
>
> In our customer environment with a BEA application server it's the same
> problem.
> A JSF based application works fine in both environments with the same
> security settings.
>
> So my question: Is it possible to use container security settings with
> shiro? Are custom realms the solution - but how to access the container
> security settings?
>
> Thanks for your patience.
> Best regards, Peter
>
> From: "Les Hazlewood-2 [via Shiro User]" <[hidden email]>
> To: Peter Diefenthaeler/DEU/c...@csc
> Date: 21.06.2010 18:05
> Subject: Re: Basic authentication with tomcat
>
> Hi Peter,
>
> Absolutely.  Please read
> http://incubator.apache.org/shiro/configuration.html  Sections 1.2.2 and
> 1.2.3 are how you define static users, roles and permissions.
>
> Cheers,
>
> Les
>
> On Mon, Jun 21, 2010 at 1:06 AM, PDiefent <[hidden email]> wrote:
>
> Hi Les,
> thanks for your detailed answer. The only thing I don't understand
> is how to use permissions and passwords from the tomcat realm?
>
> In my tomcat/conf folder I have a tomcat-users.xml with users and
> roles:
>
>     <tomcat-users>
>         <user name="admin" password="admin" roles="admin,manager" />
>         <user username="eoe1" password="eoe1" roles="AarWeb"/>
>         <user username="eoe" password="zorro" roles="AarWeb"/>
>         <user username="admin" password="admin" roles="admin,manager"/>
>         <role rolename="AarWeb"/>
>         <role rolename="manager"/>
>         <role rolename="admin"/>
>     </tomcat-users>
>
> How can this be matched with shiro security?
>
> Thanks, Peter
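
As an added illustration (not part of the original thread and not Shiro project code), the web.xml constraint quoted above could be expressed in Shiro's INI format roughly as follows. It assumes the Shiro servlet filter is already registered and loads this file, and that the form in login.jsp posts back to /login.jsp instead of j_security_check; the user entry and its password are constructed placeholders.

```ini
[main]
# Form login page, replacing <form-login-page> from web.xml.
authc.loginUrl = /login.jsp
# Keep the field names already used by login.jsp
# (Shiro's defaults are 'username' and 'password').
authc.usernameParam = j_username
authc.passwordParam = j_password

[users]
# username = password, role1, role2, ...
# Constructed sample account; static users defined here take the place
# of the entries in tomcat-users.xml.
sampleuser = CHANGE_ME, JKNZL01

[urls]
# Patterns are evaluated in order and the first match wins, so the
# login page is listed before the catch-all.
/login.jsp = authc
# Counterpart of <url-pattern>/*</url-pattern> with
# <role-name>JKNZL01</role-name>: the request must be authenticated
# AND the subject must hold the role.
/** = authc, roles[JKNZL01]
```

With this chain, a user who logs in with a valid password but does not hold JKNZL01 is refused by the roles filter instead of reaching the application.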
