dev@glassfish.java.net

Re: Providing login access to user created in admin-realm

From: Ron Monzillo <Ronald.Monzillo_at_Sun.COM>
Date: Mon, 28 Jan 2008 12:24:34 -0500

Deepak Gothe wrote:
> Ron,
> Thanks. I think I used the words user and role interchangeably, adding
> to confusion. Comments inline..
>
> Ron Monzillo wrote:
>
>> Deepak,
>>
>> I think there may be a communication problem. I may not understand the
>> problem, so let's start over.
>>
>> If you are trying to define a role that can be used to
>> differentiate any authenticated user from unauthenticated users,
>> then you need to do 4 things.
>>
>> 1. create a security-role in web.xml, call it "Anyone"
>>
>> <security-role>
>> <role-name>Anyone</role-name>
>> </security-role>
>>
>> 2. create a security-constraint (in web.xml) containing an
>> auth-constraint that permits access to the Anyone role .
>>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>SecureResource</web-resource-name>
>> <url-pattern>/authorized</url-pattern>
>> <http-method>GET</http-method>
>> <http-method>POST</http-method>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>Anyone</role-name>
>> </auth-constraint>
>> </security-constraint>
>>
>> 3. and add a mapping in sun-web.xml of a group principal "user", to
>> the role "anyone". This means, any caller in group "user" will be
>> mapped to role "Anyone"
>>
>> <security-role-mapping>
>> <role-name>Anyone</role-name>
>> <group-name>user</group-name>
>> </security-role-mapping>
>>
>>
>> 4. do EITHER (but not both) of the following (to ensure that every
>> authenticated caller is a member of group user, and thus mapped (by 3)
>> to role anyone, and then permitted (by 2) to access the constrained
>> resources. [IMO, 4a is more convenient and you should use it]
>>
>> 4a. use the admin console to configure the realm used by your
>> application , to Assign group "user".
>
> You mean by using Configuration->Security->Realms->admin-realm and
> setting "Assign Group" to "user". Now how do I add "Anyone"?
>
Deepak,

This is a little bit of a moving target. It would probably be simplest
if we could communicate using the same values for group and role names,
as I think that is adding to the communication problem.

I don't think I understand your question "Now how to add "Anyone"".
In the example I gave you, the "user" group becomes a group to whom all
authenticated users belong; when coupled with a mapping of the group to
a role, the role becomes (in effect) an "Anyone" role.

Switching to your names, when you configure your admin-realm to assign
group "admin", then any/all user/s who successfully authenticate at the
admin-realm will be in group "admin". If you then map (in sun-web.xml)
group "admin" to your role "asadmin", then "asadmin" becomes (in
effect) an "Anyone" role; that is every user authenticated by the realm
is in role "asadmin" (and unauthenticated users are not in the "asadmin"
role).

> What I did to have "admin" sign in my application:
>
> In admin-realm under "Manage Users", the user id is "admin" and Group
> List is "asadmin". In #1, #2, #3 above, I used admin in place of Anyone
> and asadmin in place of user. With these changes "admin" was able to
> login. I want to do the same thing for any random User Id created via
> "Manage Users". How can this be possible?

Because you configured the admin-realm to assign the group "admin",
there is nothing more you need to do when you configure a new user
account. Every user, new or old, who successfully authenticates at the
admin-realm has the "admin" group added to its authentication identity.

Ron

PS: there is only one realm in effect for a Glassfish app (at a time)

>
> Thanks,
> Deepak
>
>>
>> 4b. configure every user account such that the user is a member of
>> the "user" group
>>
>> please try the above (and make sure you redeploy your app),
>>
>> Ron
>>
>> Deepak Gothe wrote:
>>
>>> Ron Monzillo wrote:
>>>
>>>> Deepak Gothe wrote:
>>>>
>>>>> Thanks Ron. Looks like the blog may help my usecase, but I am not
>>>>> clear on a few things. Some example may help. Let me explain what I did.
>>>>>
>>>>> 1. I created a group "group1" in "Assign Group:" in admin console
>>>>
>>>>
>>>> Hi Deepak,
>>>>
>>>> just to be sure we are saying the same thing. In step 1, you should
>>>> configure your realm to assign a group of your choice, e.g., group1,
>>>> as a side-effect of authentication. As such, every authenticated
>>>> user, even users who have not yet been added to the realm, are
>>>> effectively a member of the group.
>>>>
>>>>> 2. I created a user "user1" and in the "Group List", I added
>>>>> "group1" in admin console
>>>>
>>>>
>>>>
>>>> when you create a user, you do not need to add them to the group,
>>>> because step 1 ensured that the realm will assign the group to all
>>>> users as a side effect of their successful authentication at the realm.
>>>>
>>>>>
>>>>> Unless I have the following entries in web.xml & sun-web.xml, I
>>>>> will not be able to log in (using FORM authentication as mentioned in
>>>>> my earlier mail). What I was looking for is a way to allow the
>>>>> users that are being created to be able to log in, i.e. if I create a
>>>>> new user "user2", again I have to update web.xml and sun-web.xml in
>>>>> order for that user to be authenticated. I want to avoid this.
>>>>
>>>>
>>>>
>>>> the mapping below is syntactically correct, but your choice of the
>>>> name "user1" for the role-name suggests that you expect this role to
>>>> identify a specific user. Given that you have mapped role "user1" to
>>>> "group1", and given that group1 is assigned to every user by the
>>>> realm as a side-effect of authentication, the role you call
>>>> "user1" represents a role that is mapped to every authenticated
>>>> user, which is what we refer to as an ANYONE role.
>>>>
>>>> I would change the role-name to something like "anyone", or
>>>> "all-users", or something that better conveys the nature of the role.
>>>
>>>
>>> After entering "content" in "Assign Group:", I can create any number
>>> of users (e.g. editor, reviewer, manager). And all these users belong
>>> to the "content" group, right? In order for all those users to be able
>>> to be authenticated, I need to enter those users in sun-web.xml. Is
>>> there a way to avoid it? I tried using "*" as mentioned below, but it
>>> did not work.
>>>
>>> <security-role-mapping>
>>> <role-name>*</role-name>
>>> <group-name>content</group-name>
>>> </security-role-mapping>
>>>
>>> Thanks,
>>> Deepak
>>>
>>>>
>>>> other than that (and my comment above wrt 2), what you have seems
>>>> correct to me.
>>>>
>>>> Ron
>>>>
>>>>>
>>>>> web.xml:
>>>>>
>>>>> <security-role>
>>>>> <role-name>user1</role-name>
>>>>> </security-role>
>>>>>
>>>>> sun-web.xml :
>>>>>
>>>>> <security-role-mapping>
>>>>> <role-name>user1</role-name>
>>>>> <group-name>group1</group-name>
>>>>> </security-role-mapping>
>>>>>
>>>>> Thanks for the help,
>>>>> Deepak
>>>>>
>>>>>> Deepak,
>>>>>>
>>>>>> I may not understand your use case, but if you want to configure
>>>>>> your app so that any authenticated user may access it then please
>>>>>> take a look at:
>>>>>>
>>>>>> http://blogs.sun.com/monzillo/entry/how_to_define_an_anyone
>>>>>>
>>>>>> In effect, the above approach ensures that every user is mapped to
>>>>>> an assigned role, as a side effect of authentication. This role
>>>>>> can then be used to differentiate any authenticated user (from an
>>>>>> unauthenticated user).
>>>>>>
>>>>>> Also, if you are willing to "administratively" add users to a
>>>>>> group as you have done in your example below, then "any user that
>>>>>> is created should be able to login", if you define your role
>>>>>> mapping based on a role mapped to that group.
>>>>>>
>>>>>> 1. map role to group
>>>>>>
>>>>>> 2. either administratively or via "assign-groups" as described (in
>>>>>> the link above) ensure that every authenticated user is added to
>>>>>> the group.
>>>>>>
>>>>>> 3. use the role in a security-constraint to protect resources (and force
>>>>>> login).
>>>>>>
>>>>>> Ron
>>>>>>
>>>>>> Wouter van Reeven wrote:
>>>>>>
>>>>>>> Hi Deepak,
>>>>>>>
>>>>>>>
>>>>>>> As far as I am aware this is not possible. However, if someone
>>>>>>> knows a way around this I'll be interested as well.
>>>>>>>
>>>>>>>
>>>>>>> Greets, Wouter van Reeven
>>>>>>>
>>>>>>> On Thu, Jan 24, 2008 at 06:20:39PM +0530, Deepak Gothe wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I have a question regarding providing access to a user created
>>>>>>>> in admin-realm using Glassfish admin console. Following are the
>>>>>>>> steps that I performed:
>>>>>>>>
>>>>>>>> 1. Create a user with user id as "deepak" and Group List as
>>>>>>>> "group1" in admin-realm using the admin console
>>>>>>>>
>>>>>>>> 2. Add the following in the web.xml
>>>>>>>>
>>>>>>>> <security-constraint>
>>>>>>>> <web-resource-collection>
>>>>>>>> <web-resource-name>SecureResource</web-resource-name>
>>>>>>>> <url-pattern>/authorized</url-pattern>
>>>>>>>> <http-method>GET</http-method>
>>>>>>>> <http-method>POST</http-method>
>>>>>>>> </web-resource-collection>
>>>>>>>> <auth-constraint>
>>>>>>>> <role-name>*</role-name>
>>>>>>>> </auth-constraint>
>>>>>>>> <user-data-constraint>
>>>>>>>> <transport-guarantee>NONE</transport-guarantee>
>>>>>>>> </user-data-constraint>
>>>>>>>> </security-constraint>
>>>>>>>>
>>>>>>>> <login-config>
>>>>>>>> <auth-method>FORM</auth-method>
>>>>>>>> <realm-name>admin-realm</realm-name>
>>>>>>>> <form-login-config>
>>>>>>>> <form-login-page>/login.jsp</form-login-page>
>>>>>>>> <form-error-page>/error.jsp</form-error-page>
>>>>>>>> </form-login-config>
>>>>>>>> </login-config>
>>>>>>>>
>>>>>>>> <security-role>
>>>>>>>> <role-name>deepak</role-name>
>>>>>>>> </security-role>
>>>>>>>>
>>>>>>>> 3. Add the following in the sun-web.xml
>>>>>>>>
>>>>>>>> <security-role-mapping>
>>>>>>>> <role-name>deepak</role-name>
>>>>>>>> <group-name>group1</group-name>
>>>>>>>> </security-role-mapping>
>>>>>>>>
>>>>>>>>
>>>>>>>> login.jsp is the form that uses j_security_check. After the above
>>>>>>>> changes I can login as user "deepak". Now if I create a new user,
>>>>>>>> say "user1" in the group "group2", and want that user to login, I
>>>>>>>> need to modify both web.xml and sun-web.xml. This is not
>>>>>>>> desirable. Once I deploy the webapp, any user that is created
>>>>>>>> should be able to login. Is there a way to achieve this? This is
>>>>>>>> needed to implement "isUserInRole" functionality in OpenPortal
>>>>>>>> Portlet Container Driver.
>>>>>>>>
>>>>>>>> Thanks in advance,
>>>>>>>> Deepak
>>>>>>>>
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>
>>>>>>>> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
>>>>>>>> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
>
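The four steps Ron describes (declare a role in web.xml, guard a URL with an auth-constraint naming it, map a realm group to that role in sun-web.xml, and have the realm assign that group to every authenticated user) can be modelled end to end. The following Python is an added illustration written for this thread; it is not GlassFish code and not something either correspondent posted. It parses the two constructed descriptor fragments, models a realm whose "Assign Group" setting adds a group to every successful login, and evaluates the constraint for an existing user, a freshly created user with an empty Group List, and an unauthenticated caller. The realm contents, the user names and the simplified url-pattern matching (exact match and "/*" prefix only) are assumptions; the treatment of "*" in an auth-constraint as "every role declared in web.xml" follows the Servlet specification.

```python
# Added illustration (not GlassFish code): a small model of how a Servlet
# container turns realm groups into roles and evaluates an auth-constraint.
# URL-pattern matching is simplified to exact match and "/*" prefix match.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

# Constructed descriptor fragments, following the four-step example above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureResource</web-resource-name>
      <url-pattern>/authorized</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Anyone</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>Anyone</role-name>
  </security-role>
</web-app>"""

SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>Anyone</role-name>
    <group-name>user</group-name>
  </security-role-mapping>
</sun-web-app>"""

# Constructed realm contents (assumption): user id -> "Group List" as typed
# in Manage Users. "newuser" was created with no groups at all.
REALM_USERS: Dict[str, List[str]] = {"admin": ["asadmin"], "newuser": []}


def realm_groups(user: str, assign_groups: Set[str]) -> Optional[Set[str]]:
    """Groups on the authentication identity after a successful login.
    assign_groups models the realm's "Assign Group" setting (step 4a): it is
    added to every authenticated user. Unknown users fail to log in -> None."""
    if user not in REALM_USERS:
        return None
    return set(REALM_USERS[user]) | assign_groups


def parse_role_mappings(sun_web_xml: str) -> Dict[str, Set[str]]:
    """role-name -> group-names from sun-web.xml security-role-mapping (step 3)."""
    mappings: Dict[str, Set[str]] = {}
    for m in ET.fromstring(sun_web_xml).iter("security-role-mapping"):
        role = m.findtext("role-name")
        mappings.setdefault(role, set()).update(g.text for g in m.iter("group-name"))
    return mappings


def parse_constraints(web_xml: str) -> Tuple[Set[str], list]:
    """Declared security-roles (step 1) and security-constraints (step 2)."""
    root = ET.fromstring(web_xml)
    declared = {sr.findtext("role-name") for sr in root.iter("security-role")}
    constraints = []
    for sc in root.iter("security-constraint"):
        patterns = [p.text for p in sc.iter("url-pattern")]
        methods = {m.text for m in sc.iter("http-method")}
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text for r in ac.iter("role-name")}
        constraints.append((patterns, methods, roles))
    return declared, constraints


def _matches(pattern: str, path: str) -> bool:
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path


def is_user_in_role(role: str, groups: Set[str], mappings: Dict[str, Set[str]]) -> bool:
    """isUserInRole under a group-to-role mapping: in the role iff in a mapped group."""
    return bool(mappings.get(role, set()) & groups)


def is_authorized(web_xml: str, sun_web_xml: str, path: str, method: str,
                  groups: Optional[Set[str]]) -> bool:
    """Evaluate the constraints for one request; groups is None when unauthenticated."""
    declared, constraints = parse_constraints(web_xml)
    mappings = parse_role_mappings(sun_web_xml)
    for patterns, methods, roles in constraints:
        if not any(_matches(p, path) for p in patterns):
            continue
        if methods and method not in methods:
            continue  # listed methods only; others are left uncovered
        if roles is None:
            continue  # no auth-constraint: resource is open
        if groups is None:
            return False  # unauthenticated: the container would show the login form
        if "*" in roles:
            roles = (roles - {"*"}) | declared  # "*" = every role declared in web.xml
        if not any(is_user_in_role(r, groups, mappings) for r in roles):
            return False  # an empty auth-constraint lands here too: nobody allowed
    return True


def simulate(user: Optional[str], assign_groups: Set[str],
             path: str = "/authorized", method: str = "GET") -> bool:
    groups = None if user is None else realm_groups(user, assign_groups)
    return is_authorized(WEB_XML, SUN_WEB_XML, path, method, groups)


if __name__ == "__main__":
    for assign in ({"user"}, set()):
        for who in ("admin", "newuser", None):
            print(f"assign-groups={sorted(assign)} caller={who}: {simulate(who, assign)}")
```

With the realm assigning "user", both "admin" and the group-less "newuser" reach the constrained URL while the unauthenticated caller is refused; with the assignment removed, neither account is in a group mapped to "Anyone" and both are refused, which is exactly the "edit sun-web.xml for every new user" situation Deepak was trying to avoid. Two caveats the model makes visible: a wildcard belongs only in the auth-constraint (where it expands to the declared roles), not in the security-role-mapping, and listing http-methods in a web-resource-collection leaves every unlisted method unconstrained, so an omitted method list is the safer default when the whole resource should be protected.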