dev@glassfish.java.net

Re: Providing login access to user created in admin-realm

From: Ron Monzillo <Ronald.Monzillo_at_Sun.COM>
Date: Fri, 25 Jan 2008 11:22:41 -0500

Deepak Gothe wrote:
> Thanks Ron. Looks like the blog may help my usecase, but i am not clear
> on few things. Some example may help. Let me explain what i did.
>
> 1. I created a group "group1" in "Assign Group:" in admin console
Hi Deepak,

just to be sure we are saying the same thing. In step 1, you should
configure your realm to assign a group of your choice, e.g., group1, as
a side-effect of authentication. As such, every authenticated user, even
users who have not yet been added to the realm, are effectively a member
of the group.

> 2. I created a user "user1" and in the "Group List", i added "group1" in
> adminconsole

when you create a user, you do not need to add them to the group,
because step 1, ensured that the realm will assign the group to all
users as a side effect of their successful authentication at the realm.

>
> Unless i have the following entries in web.xml & sun-web.xml, i will not
> be able to login(using FORM authentication as mentioned in my earlier
> mail). What i was looking for is a way to allow the users that is being
> created to be able to login. i.e if a create a new user "user2", again i
> have to update web.xml and sun-web.xml in order for that user to be
> authenticated. I want to avoid this.

the mapping below is syntactically correct, but your choice of the name
"user1" for the role-name suggests that you expect this role to identify
a specific user. given that you have mapped role "user1" to "group1",
and given that group1 is assigned to every user by the realm as a
side-effect of authentication; then the role you call "user1",
represents a role that is mapped to every authenticated user, which is
what we refer to as an ANYONE role.

I would change the role-name to something like "anyone", or "all-users",
or something that better conveys the nature of the role.

other than that (and my comment above wrt to 2), what you have seems
correct to me.

Ron
>
> web.xml:
>
> <security-role>
>   <role-name>user1</role-name>
> </security-role>
>
> sun-web.xml :
>
> <security-role-mapping>
>   <role-name>user1</role-name>
>   <group-name>group1</group-name>
> </security-role-mapping>
>
> Thanks for the help,
> Deepak
>
>> Deepak,
>>
>> I may not understand your use case, but if you want to configure your
>> app so that any authenticated user may access it then please take a
>> look at:
>>
>> http://blogs.sun.com/monzillo/entry/how_to_define_an_anyone
>>
>> in effect, the above approach ensures that every user is mapped to an
>> assigned role, as a side effect of authentication. this role can then
>> be used to differentiate any authenticated user (from an
>> unauthenticated user).
>>
>> also, if you are willing to "administratively" add users to a group as
>> you have done in your example below, then "any user that is created
>> should be able to login", if you define your role mapping based on a
>> role mapped to that group.
>>
>> 1. map role to group
>>
>> 2. either administratively or via "assign-groups" as described (in the
>> link above) ensure that every authenticated user is added to the group.
>>
>> 3. use role in security-constraint to protect resources (and force
>> login),
>>
>> Ron
>>
>> Wouter van Reeven wrote:
>>
>>> Hi Deepak,
>>>
>>>
>>> As far as I am aware this is not possible. However, if someone knows
>>> a way
>>> around this I'll be interested as well.
>>>
>>>
>>> Greets, Wouter van Reeven
>>>
>>> On Thu, Jan 24, 2008 at 06:20:39PM +0530, Deepak Gothe wrote:
>>>
>>>> Hi,
>>>> I have a question regarding providing access to a user created in
>>>> admin-realm using Glassfish admin console. Following are the steps
>>>> that i performed.
>>>>
>>>> 1. Create a user with user id as "deepak" and Group List as "group1"
>>>> in admin-realm using the admin console
>>>>
>>>> 2. Add the following in the web.xml
>>>>
>>>> <security-constraint>
>>>>   <web-resource-collection>
>>>>     <web-resource-name>SecureResource</web-resource-name>
>>>>     <url-pattern>/authorized</url-pattern>
>>>>     <http-method>GET</http-method>
>>>>     <http-method>POST</http-method>
>>>>   </web-resource-collection>
>>>>   <auth-constraint>
>>>>     <role-name>*</role-name>
>>>>   </auth-constraint>
>>>>   <user-data-constraint>
>>>>     <transport-guarantee>NONE</transport-guarantee>
>>>>   </user-data-constraint>
>>>> </security-constraint>
>>>>
>>>> <login-config>
>>>>   <auth-method>FORM</auth-method>
>>>>   <realm-name>admin-realm</realm-name>
>>>>   <form-login-config>
>>>>     <form-login-page>/login.jsp</form-login-page>
>>>>     <form-error-page>/error.jsp</form-error-page>
>>>>   </form-login-config>
>>>> </login-config>
>>>>
>>>> <security-role>
>>>>   <role-name>deepak</role-name>
>>>> </security-role>
>>>>
>>>> 3. Add the following in the sun-web.xml
>>>>
>>>> <security-role-mapping>
>>>>   <role-name>deepak</role-name>
>>>>   <group-name>group1</group-name>
>>>> </security-role-mapping>
>>>>
>>>>
>>>> login.jsp is the form that use j_security_check. After the above
>>>> changes I can login as user "deepak". Now if I create a new user say
>>>> "user1" in the group "group2" and want that user to login, I need to
>>>> modify both web.xml and sun-web.xml. This is not desirable. Once i
>>>> deploy the webapp, any user that is created should be able to login.
>>>> Is there a way to achieve this? This is needed to implement
>>>> "isUserInRole" functionality in OpenPortal Portlet Container Driver.
>>>>
>>>> Thanks in advance,
>>>> Deepak
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
>>>> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>>
>>
>
>
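The three pieces Ron lists (realm assign-groups, role-to-group mapping, role in a security-constraint) combined into one working configuration, as an added example that is not from the thread; the auth-realm element is the stock GlassFish v2 admin-realm with the assign-groups property added, and the key-file path is an assumption taken from the default install.

```xml
<!-- domain.xml (constructed example): the realm assigns "group1" to every
     user it authenticates, so a newly created user needs no per-user mapping.
     The file path is the GlassFish v2 default; adjust it if your install differs. -->
<auth-realm name="admin-realm"
            classname="com.sun.enterprise.security.auth.realm.file.FileRealm">
  <property name="file" value="${com.sun.aas.instanceRoot}/config/admin-keyfile"/>
  <property name="jaas-context" value="fileRealm"/>
  <property name="assign-groups" value="group1"/>
</auth-realm>

<!-- web.xml: the role is named for what it means (any authenticated user),
     and the constraint demands it, so FORM login is forced for /authorized. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecureResource</web-resource-name>
    <url-pattern>/authorized</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>anyone</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>admin-realm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>anyone</role-name>
</security-role>

<!-- sun-web.xml: map the role to the group the realm assigns on login. -->
<security-role-mapping>
  <role-name>anyone</role-name>
  <group-name>group1</group-name>
</security-role-mapping>
```

With this in place, request.isUserInRole("anyone") is true for every user the realm has authenticated and false otherwise, and adding a user to admin-realm never requires touching the descriptors.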