dev@glassfish.java.net

Re: Providing login access to user created in admin-realm

From: Deepak Gothe <Deepak.Gothe_at_Sun.COM>
Date: Mon, 28 Jan 2008 17:58:26 +0530

Ron Monzillo wrote:
> Deepak Gothe wrote:
>> Thanks Ron. Looks like the blog may help my use case, but I am not
>> clear on a few things. Some example may help. Let me explain what I did.
>>
>> 1. I created a group "group1" in "Assign Group:" in admin console
> Hi Deepak,
>
> just to be sure we are saying the same thing. In step 1, you should
> configure your realm to assign a group of your choice, e.g., group1,
> as a side-effect of authentication. As such, every authenticated user,
> even users who have not yet been added to the realm, are effectively a
> member of the group.
>
>> 2. I created a user "user1" and in the "Group List", i added "group1"
>> in adminconsole
>
> when you create a user, you do not need to add them to the group,
> because step 1, ensured that the realm will assign the group to all
> users as a side effect of their successful authentication at the realm.
>
>>
>> Unless I have the following entries in web.xml & sun-web.xml, I will
>> not be able to login (using FORM authentication as mentioned in my
>> earlier mail). What I was looking for is a way to allow the users
>> that are being created to be able to login, i.e. if I create a new user
>> "user2", again I have to update web.xml and sun-web.xml in order for
>> that user to be authenticated. I want to avoid this.
>
> the mapping below is syntactically correct, but your choice of the
> name "user1" for the role-name suggests that you expect this role to
> identify a specific user. given that you have mapped role "user1" to
> "group1", and given that group1 is assigned to every user by the realm
> as a side-effect of authentication; then the role you call "user1",
> represents a role that is mapped to every authenticated user, which is
> what we refer to as an ANYONE role.
>
> I would change the role-name to something like "anyone", or
> "all-users", or something that better conveys the nature of the role.
After entering "content" in "Assign Group:", I can create any number of
users (e.g. editor, reviewer, manager), and all these users belong to the
"content" group, right? In order for all those users to be able to be
authenticated, I need to enter those users in sun-web.xml; is there a
way to avoid it? I tried using "*" as mentioned below, but it did not work.

<security-role-mapping>
      <role-name>*</role-name>
      <group-name>content</group-name>
</security-role-mapping>

Thanks,
Deepak
>
> other than that (and my comment above w.r.t. 2), what you have seems
> correct to me.
>
> Ron
>>
>> web.xml:
>>
>> <security-role>
>>   <role-name>user1</role-name>
>> </security-role>
>>
>> sun-web.xml :
>>
>> <security-role-mapping>
>>   <role-name>user1</role-name>
>>   <group-name>group1</group-name>
>> </security-role-mapping>
>>
>> Thanks for the help,
>> Deepak
>>
>>> Deepak,
>>>
>>> I may not understand your use case, but if you want to configure
>>> your app so that any authenticated user may access it then please
>>> take a look at:
>>>
>>> http://blogs.sun.com/monzillo/entry/how_to_define_an_anyone
>>>
>>> in effect, the above approach ensures that every user is mapped to
>>> an assigned role, as a side effect of authentication. this role can
>>> then be used to differentiate any authenticated user (from an
>>> unauthenticated user).
>>>
>>> also, if you are willing to "administratively" add users to a group
>>> as you have done in your example below, then "any user that is
>>> created should be able to login", if you define your role mapping
>>> based on a role mapped to that group.
>>>
>>> 1. map role to group
>>>
>>> 2. either administratively or via "assign-groups" as described (in
>>> the link above) ensure that every authenticated user is added to
>>> the group.
>>>
>>> 3. use the role in a security-constraint to protect resources (and force
>>> login),
>>>
>>> Ron
>>>
>>> Wouter van Reeven wrote:
>>>
>>>> Hi Deepak,
>>>>
>>>>
>>>> As far as I am aware this is not possible. However, if someone
>>>> knows a way
>>>> around this I'll be interested as well.
>>>>
>>>>
>>>> Greets, Wouter van Reeven
>>>>
>>>> On Thu, Jan 24, 2008 at 06:20:39PM +0530, Deepak Gothe wrote:
>>>>
>>>>> Hi,
>>>>> I have a question regarding providing access to a user created in
>>>>> admin-realm using the Glassfish admin console. Following are the steps
>>>>> that I performed:
>>>>>
>>>>> 1. Create a user with user id as "deepak" and Group List as
>>>>> "group1" in admin-realm using the admin console
>>>>>
>>>>> 2. Add the following in the web.xml
>>>>>
>>>>> <security-constraint>
>>>>>   <web-resource-collection>
>>>>>     <web-resource-name>SecureResource</web-resource-name>
>>>>>     <url-pattern>/authorized</url-pattern>
>>>>>     <http-method>GET</http-method>
>>>>>     <http-method>POST</http-method>
>>>>>   </web-resource-collection>
>>>>>   <auth-constraint>
>>>>>     <role-name>*</role-name>
>>>>>   </auth-constraint>
>>>>>   <user-data-constraint>
>>>>>     <transport-guarantee>NONE</transport-guarantee>
>>>>>   </user-data-constraint>
>>>>> </security-constraint>
>>>>>
>>>>> <login-config>
>>>>>   <auth-method>FORM</auth-method>
>>>>>   <realm-name>admin-realm</realm-name>
>>>>>   <form-login-config>
>>>>>     <form-login-page>/login.jsp</form-login-page>
>>>>>     <form-error-page>/error.jsp</form-error-page>
>>>>>   </form-login-config>
>>>>> </login-config>
>>>>>
>>>>> <security-role>
>>>>>   <role-name>deepak</role-name>
>>>>> </security-role>
>>>>>
>>>>> 3. Add the following in the sun-web.xml
>>>>>
>>>>> <security-role-mapping>
>>>>>   <role-name>deepak</role-name>
>>>>>   <group-name>group1</group-name>
>>>>> </security-role-mapping>
>>>>>
>>>>>
>>>>> login.jsp is the form that uses j_security_check. After the above
>>>>> changes I can login as user "deepak". Now if I create a new user,
>>>>> say "user1" in the group "group2", and want that user to login, I
>>>>> need to modify both web.xml and sun-web.xml. This is not
>>>>> desirable. Once I deploy the webapp, any user that is created
>>>>> should be able to login. Is there a way to achieve this? This is
>>>>> needed to implement "isUserInRole" functionality in the OpenPortal
>>>>> Portlet Container Driver.
>>>>>
>>>>> Thanks in advance,
>>>>> Deepak
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
>>>>> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>>>
>>>
>>
>>
>>
>
>
>
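Putting Ron's three steps together, as an added example that is not from the original thread, the blog post, or the GlassFish project itself: it assumes the realm has already been configured to assign the group "content" to every user it authenticates (the "Assign Group:" field in the admin console; on GlassFish v2 this is the realm's assign-groups property, and the dotted name `server.security-service.auth-realm.admin-realm.property.assign-groups=content` for `asadmin set` is an assumption for the default admin-realm). The descriptors then declare exactly one role, "anyone", mapped to that group, so adding a new user to the realm needs no edit to web.xml or sun-web.xml, because the mapping is role-to-group, not role-to-user. Two points the thread's attempts run into: in the Servlet 2.x descriptor, `*` inside auth-constraint means "all roles declared in this web.xml", so it only ever grants access to roles you have declared, and a security-role-mapping in sun-web.xml is keyed by a declared role name, so `*` is not a wildcard there. The url-pattern, transport-guarantee, and omitted http-method elements differ from Deepak's original on purpose and are explained in the comments.

```xml
<!-- web.xml (Servlet 2.5). Added example, not from the original thread. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureResource</web-resource-name>
      <!-- /authorized/* covers the subtree, not just the single path. -->
      <url-pattern>/authorized/*</url-pattern>
      <!-- No <http-method> elements: listing GET and POST only would leave
           HEAD, PUT, DELETE, OPTIONS, etc. on these URLs unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- A named role, not "*". "*" means "every role declared in this
           file", which would still force one security-role per user. -->
      <role-name>anyone</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- FORM login posts j_username/j_password in cleartext; require TLS
           (the original used NONE). -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>admin-realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declared once; never touched again when users are added to the realm. -->
  <security-role>
    <role-name>anyone</role-name>
  </security-role>

</web-app>

<!-- sun-web.xml. Maps the one declared role to the group the realm assigns
     to every authenticated user (assumed realm property: assign-groups=content). -->
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN"
  "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app>
  <security-role-mapping>
    <role-name>anyone</role-name>
    <group-name>content</group-name>
  </security-role-mapping>
</sun-web-app>
```

With this in place, `request.isUserInRole("anyone")` is true for every principal the realm authenticated and false for an anonymous request, which is the distinction Ron's blog post calls an ANYONE role. If you later need to tell an editor from a reviewer, add further roles mapped to groups you assign administratively (an `editors` group, say); the "anyone" role keeps carrying the "is logged in at all" check on its own.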