I will try the <module-option ...> in about 30 minutes. Thanks.
Ok,
Hope that it will work as it should
On the run-as, I do understand that this bean will run other beans "as" this identity. My Session Facade actually have permission "unchecked" so anyone should be able to get to my session facade currently. It is not what I want, but it is a start at least. Then I can get the user Roles issue resolved.
I guess I misunderstood your first mail then.
I am very grateful for your help! This JAAS has been so difficult!
Yes, everything would be much easier without security :-)
Regards /Mikael
-----Original Message----- From: Mikael Eriksson [mailto:[EMAIL PROTECTED] Sent: Thursday, April 03, 2003 11:17 AM To: Struts Users Mailing List Cc: Knutson, Mick Subject: Re: [OT] EXTREMELY URGENT: JBoss JAAS/Container Security issue
Hello!
Try changing this line in login-config.xml
<module-option name = "rolesQuery">SELECT user_roles, user_group FROM USER_ROLES WHERE USERNAME=?</module-option>
To
<module-option name = "rolesQuery">SELECT user_roles, 'Roles' FROM USER_ROLES WHERE USERNAME=?</module-option>
or change the value of user_group in all rows to "Roles".
My understanding of the second parameter that the rolesquery should return is that you can somhow categorize users in diffent ways, but that the default user/role handling should return "Roles".
It also sounds like you might have misunderstood how the "run-as" identity is used. That identity does not affect the callers of a bean or who can call it, it says that when the bean tries to access other beans it will do so with the run-as identity. This is so you can define beans that only can be called by "internal" identities so that noone can call them directly from the outside.
Regards /Mikael
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
