dev@glassfish.java.net

Re: Providing login access to user created in admin-realm

From: Ron Monzillo <Ronald.Monzillo_at_Sun.COM>
Date: Mon, 28 Jan 2008 10:34:59 -0500

Deepak,

I think there may be a communication problem. I may not understand the
problem, so let's start over.

If you are trying to define a role that can be used to differentiate
any authenticated user from unauthenticated users, then you need to
do 4 things.

1. create a security-role in web.xml, call it "Anyone"

<security-role>
       <role-name>Anyone</role-name>
</security-role>

2. create a security-constraint (in web.xml) containing an
auth-constraint that permits access to the Anyone role.

<security-constraint>
        <web-resource-collection>
            <web-resource-name>SecureResource</web-resource-name>
            <url-pattern>/authorized</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
              <role-name>Anyone</role-name>
        </auth-constraint>
</security-constraint>

3. and add a mapping in sun-web.xml of a group principal "user", to the
role "anyone". This means, any caller in group "user" will be mapped to
role "Anyone"

<security-role-mapping>
     <role-name>Anyone</role-name>
     <group-name>user</group-name>
</security-role-mapping>


4. do EITHER (but not both) of the following (to ensure that every
authenticated caller is a member of group user, and thus mapped (by 3)
to role anyone, and then permitted (by 2) to access the constrained
resources). [IMO, 4a is more convenient and you should use it]

4a. use the admin console to configure the realm used by your
application, to Assign group "user".

4b. configure every user account such that the user is a member of the
"user" group

Please try the above (and make sure you redeploy your app).

Ron

Deepak Gothe wrote:
> Ron Monzillo wrote:
>
>> Deepak Gothe wrote:
>>
>>> Thanks Ron. Looks like the blog may help my usecase, but i am not
>>> clear on few things. Some example may help. Let me explain what i did.
>>>
>>> 1. I created a group "group1" in "Assign Group:" in admin console
>>
>> Hi Deepak,
>>
>> just to be sure we are saying that same thing. In step 1, you should
>> configure your realm to assign a group of your choice, e.g., group1,
>> as a side-effect of authentication. As such, every authenticated user,
>> even users who have not yet been added to the realm, are effectively a
>> member of the group.
>>
>>> 2. I created a user "user1" and in the "Group List", i added "group1"
>>> in adminconsole
>>
>>
>> when you create a user, you do not need to add them to the group,
>> because step 1, ensured that the realm will assign the group to all
>> users as a side effect of their successful authentication at the realm.
>>
>>>
>>> Unless i have the following entries in web.xml & sun-web.xml, i will
>>> not be able to login(using FORM authentication as mentioned in my
>>> earlier mail). What i was looking for is a way to allow the users
>>> that is being created to be able to login. i.e if a create a new user
>>> "user2", again i have to update web.xml and sun-web.xml in order for
>>> that user to be authenticated. I want to avoid this.
>>
>>
>> the mapping below is syntactically correct, but your choice of the
>> name "user1" for the role-name suggests that you expect this role to
>> identify a specific user. given that you have mapped role "user1" to
>> "group1", and given that group1 is assigned to every user by the realm
>> as a side-effect of authentication; then the role you call "user1",
>> represents a role that is mapped to every authenticated user, which is
>> what we refer to as an ANYONE role.
>>
>> I would change the role-name to something like "anyone", or
>> "all-users", or something that better conveys the nature of the role.
>
> After entering "content" in "Assign Group:", i can create any number of
> users(eg: editor, reviewer, manager). And all these users belong to
> "content" group...right. In order for all those users to be able to be
> authenticated, i need to enter those users in sun-web.xml, is there a
> way to avoid it. I tried using "*" as mentioned below, but it did not
> work..
>
> <security-role-mapping>
> <role-name>*</role-name>
> <group-name>content</group-name>
> </security-role-mapping>
>
> Thanks,
> Deepak
>
>>
>> other than that (and my comment above wrt to 2), what you have seems
>> correct to me.
>>
>> Ron
>>
>>>
>>> web.xml:
>>>
>>> <security-role>
>>> <role-name>user1</role-name>
>>> </security-role>
>>>
>>> sun-web.xml :
>>>
>>> <security-role-mapping>
>>> <role-name>user1</role-name>
>>> <group-name>group1</group-name>
>>> </security-role-mapping>
>>>
>>> Thanks for the help,
>>> Deepak
>>>
>>>> Deepak,
>>>>
>>>> I may not understand your use case, but if you want to configure
>>>> your app so that any authenticated user may access it then please
>>>> take a look at:
>>>>
>>>> http://blogs.sun.com/monzillo/entry/how_to_define_an_anyone
>>>>
>>>> in effect, the above approach ensures that every user is mapped to
>>>> an assigned role, as a side effect of authentication. this role can
>>>> then be used to differentiate any authenticated user (from an
>>>> unauthenticated user).
>>>>
>>>> also, if you are willing to "administratively" add users to a group
>>>> as you have done in your example below, then "any user that is
>>>> created should be able to login", if you define your role mapping
>>>> based on a role mapped to that group.
>>>>
>>>> 1. map role to group
>>>>
>>>> 2. either administratively or via "assign-groups" as described (in
>>>> the link above) ensure that every authenticated user is added to
>>>> the group.
>>>>
>>>> 3. use role in security-constraint to protect resources (and force
>>>> login),
>>>>
>>>> Ron
>>>>
>>>> Wouter van Reeven wrote:
>>>>
>>>>> Hi Deepak,
>>>>>
>>>>>
>>>>> As far as I am aware this is not possible. However, if someone
>>>>> knows a way
>>>>> around this I'll be interested as well.
>>>>>
>>>>>
>>>>> Greets, Wouter van Reeven
>>>>>
>>>>> On Thu, Jan 24, 2008 at 06:20:39PM +0530, Deepak Gothe wrote:
>>>>>
>>>>>> Hi,
>>>>>> I have a question regarding providing access to a user created in
>>>>>> admin-realm using Glassfish admin console. Following are the steps
>>>>>> that i performed..
>>>>>>
>>>>>> 1. Create a user with user id as "deepak" and Group List as
>>>>>> "group1" in admin-realm using the admin console
>>>>>>
>>>>>> 2. Add the following in the web.xml
>>>>>>
>>>>>> <security-constraint>
>>>>>> <web-resource-collection>
>>>>>> <web-resource-name>SecureResource</web-resource-name>
>>>>>> <url-pattern>/authorized</url-pattern>
>>>>>> <http-method>GET</http-method>
>>>>>> <http-method>POST</http-method>
>>>>>> </web-resource-collection>
>>>>>> <auth-constraint>
>>>>>> <role-name>*</role-name>
>>>>>> </auth-constraint>
>>>>>> <user-data-constraint>
>>>>>> <transport-guarantee>NONE</transport-guarantee>
>>>>>> </user-data-constraint>
>>>>>> </security-constraint>
>>>>>>
>>>>>> <login-config>
>>>>>> <auth-method>FORM</auth-method>
>>>>>> <realm-name>admin-realm</realm-name>
>>>>>> <form-login-config>
>>>>>> <form-login-page>/login.jsp</form-login-page>
>>>>>> <form-error-page>/error.jsp</form-error-page>
>>>>>> </form-login-config>
>>>>>> </login-config>
>>>>>>
>>>>>> <security-role>
>>>>>> <role-name>deepak</role-name>
>>>>>> </security-role>
>>>>>>
>>>>>> 3. Add the following in the sun-web.xml
>>>>>>
>>>>>> <security-role-mapping>
>>>>>> <role-name>deepak</role-name>
>>>>>> <group-name>group1</group-name>
>>>>>> </security-role-mapping>
>>>>>>
>>>>>>
>>>>>> login.jsp is the form that use j_security_check. After the above
>>>>>> changes I can login as user "deepak". Now if I create a new user
>>>>>> say "user1" in the group "group2" and want that user to login, I
>>>>>> need to modify both web.xml and sun-web.xml. This is not
>>>>>> desirable. Once i deploy the webapp, any user that is created
>>>>>> should be able to login. Is there a way to achieve this. This is
>>>>>> needed to implement "isUserInRole" functionality in OpenPortal
>>>>>> Portlet Container Driver.
>>>>>>
>>>>>> Thanks in advance,
>>>>>> Deepak
>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
>>>>>> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
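The role-to-group chain Ron lays out in his reply (a security-role in web.xml, an auth-constraint on it, a security-role-mapping in sun-web.xml, and a group the realm assigns on authentication), worked through as an added example that is not part of the thread and not GlassFish code: a small Python checker that parses constructed copies of the two descriptors, derives the roles a caller holds from the groups the realm assigned, evaluates the constraint the way the container does, and lints the descriptors for the failure Deepak hit (a "*" role-name in the mapping, or a role with no mapping at all). The descriptor text, the second "broken" sun-web.xml and all function names are constructed for this example; the URL matching is a simplified form of the Servlet rules, with matching constraints checked one at a time rather than combined.

```python
"""Check the web.xml / sun-web.xml role chain from the thread (added example)."""
import xml.etree.ElementTree as ET

# Constructed web.xml: Ron's "Anyone" role and the constraint on /authorized.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureResource</web-resource-name>
      <url-pattern>/authorized</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Anyone</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>Anyone</role-name></security-role>
</web-app>"""

# Constructed sun-web.xml: step 3 of Ron's reply, group "user" -> role "Anyone".
SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>Anyone</role-name><group-name>user</group-name>
  </security-role-mapping>
</sun-web-app>"""

# Constructed sun-web.xml with the "*" role-name Deepak tried; "*" is not a declared role.
BROKEN_SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>*</role-name><group-name>content</group-name>
  </security-role-mapping>
</sun-web-app>"""


def parse_constraints(web_xml):
    """[(url_patterns, http_methods, roles)] per security-constraint.
    roles is None when there is no auth-constraint (resource is unrestricted);
    an empty http_methods list means the constraint covers every method."""
    out = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.findall("web-resource-collection"):
            patterns += [e.text.strip() for e in wrc.findall("url-pattern")]
            methods += [e.text.strip() for e in wrc.findall("http-method")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [e.text.strip() for e in ac.findall("role-name")]
        out.append((patterns, methods, roles))
    return out


def declared_roles(web_xml):
    return {e.text.strip() for e in ET.fromstring(web_xml).findall("security-role/role-name")}


def role_mappings(sun_web_xml):
    """role-name -> set of group names (principal names are stored as 'principal:<name>')."""
    mapping = {}
    for m in ET.fromstring(sun_web_xml).findall("security-role-mapping"):
        members = mapping.setdefault(m.find("role-name").text.strip(), set())
        members.update(g.text.strip() for g in m.findall("group-name"))
        members.update("principal:" + p.text.strip() for p in m.findall("principal-name"))
    return mapping


def roles_for(user, groups, mapping):
    """A caller holds a role when its name, or any group the realm assigned it, is mapped to that role."""
    return {r for r, members in mapping.items()
            if "principal:" + user in members or members & set(groups)}


def matches(pattern, path):
    """Simplified servlet matching: exact, prefix '/x/*', or extension '*.ext'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern.startswith("*.") and path.endswith(pattern[1:])


def access_allowed(path, method, authenticated, user, groups, web_xml, sun_web_xml):
    """Container decision for one request; constraints are evaluated independently here."""
    held = roles_for(user, groups, role_mappings(sun_web_xml)) if authenticated else set()
    for patterns, methods, roles in parse_constraints(web_xml):
        if not any(matches(p, path) for p in patterns) or (methods and method not in methods):
            continue  # constraint does not cover this path/method
        if roles is None:
            continue  # no auth-constraint: open to everyone
        if not authenticated:
            return False
        wanted = declared_roles(web_xml) if "*" in roles else set(roles)  # '*' = any declared role
        if not held & wanted:
            return False
    return True


def lint(web_xml, sun_web_xml):
    """Descriptor mistakes that leave a protected resource unreachable or under-protected."""
    declared, mapping, problems = declared_roles(web_xml), role_mappings(sun_web_xml), []
    for patterns, methods, roles in parse_constraints(web_xml):
        if methods:
            problems.append(f"{patterns}: only {methods} are constrained; other HTTP methods are uncovered")
        for r in roles or []:
            if r != "*" and r not in declared:
                problems.append(f"role {r!r} is used in an auth-constraint but not declared as a security-role")
            if r != "*" and not mapping.get(r):
                problems.append(f"role {r!r} has no security-role-mapping, so no caller can ever hold it")
    problems += [f"mapping names role {r!r}, which is not a declared security-role" for r in mapping if r not in declared]
    return problems


if __name__ == "__main__":
    # user2 was never added to any group by hand, but the realm assigned "user" (Ron's step 4a).
    print(access_allowed("/authorized", "GET", True, "user2", ["user"], WEB_XML, SUN_WEB_XML))
    for p in lint(WEB_XML, BROKEN_SUN_WEB_XML):
        print("lint:", p)
```

The lint output for the "*" mapping shows both halves of the problem Deepak reported: the "Anyone" role has no mapping, and the mapping's role-name is not a declared role, so the only way a newly created user gets through is the realm-assigned group that Ron's step 4a provides. The uncovered-method warning is a side point worth keeping in any such check: listing http-method elements in a constraint restricts only those methods.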