Should be fixed. Thanks for uncovering this!
Regards,
Alan
Aaron Mulder wrote:
Created http://issues.apache.org/jira/browse/GERONIMO-2295
On 8/7/06, Aaron Mulder <[EMAIL PROTECTED]> wrote:
That definitely sounds like a bug.
Thanks,
Aaron
On 8/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello Geronimo users,
>
> I have tried to test a simple example concerning role-based
> security with Geronimo and haven't succeeded. Maybe my example is wrong
> or my Geronimo configuration. I hope some of you can help me.
> I want to restrict access to the URL secure/start by allowing only
> the role 'administrator' to access it. An excerpt from my web.xml is:
>
> <web-app>
>   ...
>   <servlet>
>     <servlet-name>SecuredServlet</servlet-name>
>     <servlet-class>test.SecuredServlet</servlet-class>
>     <load-on-startup>1</load-on-startup>
>   </servlet>
>   ...
>   <servlet-mapping>
>     <servlet-name>SecuredServlet</servlet-name>
>     <url-pattern>/secure/*</url-pattern>
>   </servlet-mapping>
>   ...
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>AdministratorFunctions</web-resource-name>
>       <url-pattern>/secure/start</url-pattern>
>       <http-method>GET</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>administrator</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>MySecurityRealm</realm-name>
>     <form-login-config>
>       <form-login-page>/login.jsp</form-login-page>
>       <form-error-page>/error.jsp</form-error-page>
>     </form-login-config>
>   </login-config>
>
>   <security-role>
>     <role-name>administrator</role-name>
>   </security-role>
> </web-app>
>
> Only the role administrator should be able to access
> http://.../secure/start. Now I have created a new security realm
> MySecurityRealm with Geronimo using the Geronimo administration console
> (login module class
> org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule).
>
> The users file contains the following users:
> secUser=secret
> unsecUser=secret2
>
> The groups file contains the following group mappings:
> administrator=secUser
> application=unsecUser
>
> For the deployment I used the default deployment plan that can be
> obtained by clicking the 'usage' link under MySecurityRealm.
>
> When I access the /secure/start URL of the web application I'm
> initially asked for the password - okay. When I provide wrong
> password information, I'm directed to the error page - okay. But when
> I provide valid login information for both users, secUser and
> secUser2, I get access to the secure/start page. In my opinion,
> secUser2 should be forbidden to access this page. In a nutshell, all
> authenticated users can enter my application, even if they don't
> belong to my group 'administrator'.
> Hopefully, there is an easy solution.
>
> Best regards,
>
> Frank
>
>
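For reference, the part of a Geronimo deployment plan that binds the realm's group to the web.xml role, which is what separates "authenticated" from "authorized" in the setup Frank describes. This is an added example, not code from the thread or from the Geronimo project; the namespaces, element names and principal classes are assumed from the Geronimo 1.1 plan schema as I recall it, and the module id and context root are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread). Assumptions: Geronimo 1.1
     namespaces and element names; principal classes used by the
     properties-file realm; "example/secureapp" and "/secureapp" are
     placeholders. Verify against the plan shown by the realm's 'usage' link. -->
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.1">
  <environment xmlns="http://geronimo.apache.org/xml/ns/deployment-1.1">
    <moduleId>
      <groupId>example</groupId>
      <artifactId>secureapp</artifactId>
      <version>1.0</version>
      <type>war</type>
    </moduleId>
  </environment>
  <context-root>/secureapp</context-root>

  <!-- Realm consulted by the FORM login; must match <realm-name> in web.xml. -->
  <security-realm-name>MySecurityRealm</security-realm-name>

  <security xmlns="http://geronimo.apache.org/xml/ns/security-1.1">
    <!-- Identity for callers who have not logged in: a plain user principal
         with no group, so it can never satisfy the "administrator" role. -->
    <default-principal>
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                 name="anonymous"/>
    </default-principal>

    <role-mappings>
      <!-- The web.xml role "administrator" is granted only to callers that
           carry the GROUP principal "administrator" from the groups file
           (secUser). A login whose only group is "application" (unsecUser)
           authenticates fine but is not authorized for /secure/start. -->
      <role role-name="administrator">
        <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                   name="administrator"/>
      </role>
    </role-mappings>
  </security>
</web-app>
```

Compare the role-mappings section against the default plan generated by the 'usage' link; since the thread traces Frank's result to a Geronimo bug (GERONIMO-2295), a correct mapping alone may not have been enough on the affected build.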