dev@glassfish.java.net

Re: Providing login access to user created in admin-realm

From: Deepak Gothe <Deepak.Gothe_at_Sun.COM>
Date: Mon, 28 Jan 2008 22:26:26 +0530

Ron,
  Thanks. I think I used the words user and role interchangeably, adding
to the confusion. Comments inline..

Ron Monzillo wrote:
> Deepak,
>
> I think there may be a communication problem. I may not understand the
> problem, so let's start over.
>
> If you are trying to define a role that can be used to
> differentiate any authenticated user from unauthenticated users,
> then you need to do 4 things.
>
> 1. create a security-role in web.xml, call it "Anyone"
>
> <security-role>
> <role-name>Anyone</role-name>
> </security-role>
>
> 2. create a security-constraint (in web.xml) containing an
> auth-constraint that permits access to the Anyone role.
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>SecureResource</web-resource-name>
> <url-pattern>/authorized</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>Anyone</role-name>
> </auth-constraint>
> </security-constraint>
>
> 3. and add a mapping in sun-web.xml of a group principal "user", to
> the role "anyone". This means, any caller in group "user" will be
> mapped to role "Anyone"
>
> <security-role-mapping>
> <role-name>Anyone</role-name>
> <group-name>user</group-name>
> </security-role-mapping>
>
>
> 4. do EITHER (but not both) of the following (to ensure that every
> authenticated caller is a member of group user, and thus mapped (by 3)
> to role anyone, and then permitted (by 2) to access the constrained
> resources). [IMO, 4a is more convenient and you should use it]
>
> 4a. use the admin console to configure the realm used by your
> application, to assign group "user".
You mean by using Configuration->Security->Realms->admin-realm and
setting "Assign Group" to "user". Now how do I add "Anyone"?

What I did to have "admin" sign in to my application:

In admin-realm under "Manage Users", the user id is "admin" and Group
List is "asadmin". In #1, #2, #3 above, I used admin in place of Anyone
and asadmin in place of user. With these changes "admin" was able to
log in. I want to do the same thing for any random User Id created via
"Manage Users". How can this be possible?

Thanks,
Deepak

>
> 4b. configure every user account such that the user is a member of
> the "user" group
>
> please try the above (and make sure you redeploy your app),
>
> Ron
>
> Deepak Gothe wrote:
>> Ron Monzillo wrote:
>>
>>> Deepak Gothe wrote:
>>>
>>>> Thanks Ron. Looks like the blog may help my use case, but I am not
>>>> clear on a few things. Some example may help. Let me explain what I did.
>>>>
>>>> 1. I created a group "group1" in "Assign Group:" in admin console
>>>
>>> Hi Deepak,
>>>
>>> Just to be sure we are saying the same thing. In step 1, you should
>>> configure your realm to assign a group of your choice, e.g., group1,
>>> as a side-effect of authentication. As such, every authenticated
>>> user, even users who have not yet been added to the realm, is
>>> effectively a member of the group.
>>>
>>>> 2. I created a user "user1" and in the "Group List", I added
>>>> "group1" in the admin console
>>>
>>>
>>> When you create a user, you do not need to add them to the group,
>>> because step 1 ensured that the realm will assign the group to all
>>> users as a side effect of their successful authentication at the realm.
>>>
>>>>
>>>> Unless I have the following entries in web.xml & sun-web.xml, I
>>>> will not be able to log in (using FORM authentication as mentioned in
>>>> my earlier mail). What I was looking for is a way to allow the
>>>> users that are being created to be able to log in, i.e. if I create a
>>>> new user "user2", again I have to update web.xml and sun-web.xml in
>>>> order for that user to be authenticated. I want to avoid this.
>>>
>>>
>>> The mapping below is syntactically correct, but your choice of the
>>> name "user1" for the role-name suggests that you expect this role to
>>> identify a specific user. Given that you have mapped role "user1" to
>>> "group1", and given that group1 is assigned to every user by the
>>> realm as a side-effect of authentication, the role you call
>>> "user1" represents a role that is mapped to every authenticated
>>> user, which is what we refer to as an ANYONE role.
>>>
>>> I would change the role-name to something like "anyone", or
>>> "all-users", or something that better conveys the nature of the role.
>>
>> After entering "content" in "Assign Group:", I can create any number
>> of users (e.g. editor, reviewer, manager). And all these users belong
>> to the "content" group...right? In order for all those users to be able
>> to be authenticated, I need to enter those users in sun-web.xml; is
>> there a way to avoid it? I tried using "*" as mentioned below, but it
>> did not work..
>>
>> <security-role-mapping>
>> <role-name>*</role-name>
>> <group-name>content</group-name>
>> </security-role-mapping>
>>
>> Thanks,
>> Deepak
>>
>>>
>>> Other than that (and my comment above wrt 2), what you have seems
>>> correct to me.
>>>
>>> Ron
>>>
>>>>
>>>> web.xml:
>>>>
>>>> <security-role>
>>>> <role-name>user1</role-name>
>>>> </security-role>
>>>>
>>>> sun-web.xml :
>>>>
>>>> <security-role-mapping>
>>>> <role-name>user1</role-name>
>>>> <group-name>group1</group-name>
>>>> </security-role-mapping>
>>>>
>>>> Thanks for the help,
>>>> Deepak
>>>>
>>>>> Deepak,
>>>>>
>>>>> I may not understand your use case, but if you want to configure
>>>>> your app so that any authenticated user may access it then please
>>>>> take a look at:
>>>>>
>>>>> http://blogs.sun.com/monzillo/entry/how_to_define_an_anyone
>>>>>
>>>>> In effect, the above approach ensures that every user is mapped to
>>>>> an assigned role, as a side effect of authentication. This role
>>>>> can then be used to differentiate any authenticated user (from an
>>>>> unauthenticated user).
>>>>>
>>>>> Also, if you are willing to "administratively" add users to a
>>>>> group as you have done in your example below, then "any user that
>>>>> is created should be able to login", if you define your role
>>>>> mapping based on a role mapped to that group.
>>>>>
>>>>> 1. map role to group
>>>>>
>>>>> 2. either administratively or via "assign-groups" as described (in
>>>>> the link above) ensure that every authenticated user is added to
>>>>> the group.
>>>>>
>>>>> 3. use the role in a security-constraint to protect resources (and force
>>>>> login),
>>>>>
>>>>> Ron
>>>>>
>>>>> Wouter van Reeven wrote:
>>>>>
>>>>>> Hi Deepak,
>>>>>>
>>>>>>
>>>>>> As far as I am aware this is not possible. However, if someone
>>>>>> knows a way around this I'll be interested as well.
>>>>>>
>>>>>>
>>>>>> Greets, Wouter van Reeven
>>>>>>
>>>>>> On Thu, Jan 24, 2008 at 06:20:39PM +0530, Deepak Gothe wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> I have a question regarding providing access to a user created
>>>>>>> in admin-realm using the GlassFish admin console. Following are the
>>>>>>> steps that I performed:
>>>>>>>
>>>>>>> 1. Create a user with user id as "deepak" and Group List as
>>>>>>> "group1" in admin-realm using the admin console
>>>>>>>
>>>>>>> 2. Add the following in the web.xml
>>>>>>>
>>>>>>> <security-constraint>
>>>>>>> <web-resource-collection>
>>>>>>> <web-resource-name>SecureResource</web-resource-name>
>>>>>>> <url-pattern>/authorized</url-pattern>
>>>>>>> <http-method>GET</http-method>
>>>>>>> <http-method>POST</http-method>
>>>>>>> </web-resource-collection>
>>>>>>> <auth-constraint>
>>>>>>> <role-name>*</role-name>
>>>>>>> </auth-constraint>
>>>>>>> <user-data-constraint>
>>>>>>> <transport-guarantee>NONE</transport-guarantee>
>>>>>>> </user-data-constraint>
>>>>>>> </security-constraint>
>>>>>>>
>>>>>>> <login-config>
>>>>>>> <auth-method>FORM</auth-method>
>>>>>>> <realm-name>admin-realm</realm-name>
>>>>>>> <form-login-config>
>>>>>>> <form-login-page>/login.jsp</form-login-page>
>>>>>>> <form-error-page>/error.jsp</form-error-page>
>>>>>>> </form-login-config>
>>>>>>> </login-config>
>>>>>>>
>>>>>>> <security-role>
>>>>>>> <role-name>deepak</role-name>
>>>>>>> </security-role>
>>>>>>>
>>>>>>> 3. Add the following in the sun-web.xml
>>>>>>>
>>>>>>> <security-role-mapping>
>>>>>>> <role-name>deepak</role-name>
>>>>>>> <group-name>group1</group-name>
>>>>>>> </security-role-mapping>
>>>>>>>
>>>>>>>
>>>>>>> login.jsp is the form that uses j_security_check. After the above
>>>>>>> changes I can log in as user "deepak". Now if I create a new user,
>>>>>>> say "user1", in the group "group2" and want that user to log in, I
>>>>>>> need to modify both web.xml and sun-web.xml. This is not
>>>>>>> desirable. Once I deploy the webapp, any user that is created
>>>>>>> should be able to log in. Is there a way to achieve this? This is
>>>>>>> needed to implement "isUserInRole" functionality in the OpenPortal
>>>>>>> Portlet Container Driver.
>>>>>>>
>>>>>>> Thanks in advance,
>>>>>>> Deepak
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>>
>>>>>>> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
>>>>>>> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
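An added example, not from any poster in this thread: the two descriptors with Ron's four steps applied together, reusing the FORM login-config from Deepak's original post. It assumes the realm's "Assign Group" field (the assign-groups property referred to above) has been set to "user" in the admin console, so that every successfully authenticated caller is placed in group "user" whether or not that user's Group List names it.

```xml
<!-- web.xml: declare the role, constrain the resource, authenticate via FORM
     against admin-realm. Assumes admin-realm has Assign Group = "user". -->
<security-role>
  <role-name>Anyone</role-name>
</security-role>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecureResource</web-resource-name>
    <url-pattern>/authorized</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- "Anyone" names a role, not an account: every authenticated caller
         holds it; no per-user entry is needed when a new user is created -->
    <role-name>Anyone</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>admin-realm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- sun-web.xml: map the role to the group the realm assigns on login.
     Mapping a role named after one user to that user's group (role "deepak"
     to group "group1") is what forces a descriptor edit per new account. -->
<security-role-mapping>
  <role-name>Anyone</role-name>
  <group-name>user</group-name>
</security-role-mapping>

<!-- Not a wildcard: <role-name>*</role-name> inside security-role-mapping
     is reported in this thread as not working; "*" only has meaning inside
     an auth-constraint, where it stands for the roles declared in web.xml. -->
```

Because the application authenticates against admin-realm, its accounts live in the same user store as "admin"; keep administrative functions behind a separate role mapped only to the "asadmin" group rather than granting them to "Anyone".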