dev@glassfish.java.net

Re: Providing login access to user created in admin-realm

From: Deepak Gothe <Deepak.Gothe_at_Sun.COM>
Date: Wed, 30 Jan 2008 15:04:25 +0530

Ron,

Thanks for all the help. Now I am clear. This will help me in
implementing the isUserInRole in OpenPortal Portlet Container.

Regards,
Deepak

Ron Monzillo wrote:
> Deepak Gothe wrote:
>> Ron,
>> Thanks. I think I used the words user and role interchangeably,
>> adding to the confusion. Comments inline.
>>
>> Ron Monzillo wrote:
>>
>>> Deepak,
>>>
>>> I think there may be a communication problem. I may not understand
>>> the problem, so let's start over.
>>>
>>> If you are trying to define a role that can be used to
>>> differentiate any authenticated user from unauthenticated users,
>>> then you need to do 4 things.
>>>
>>> 1. create a security-role in web.xml, call it "Anyone"
>>>
>>> <security-role>
>>> <role-name>Anyone</role-name>
>>> </security-role>
>>>
>>> 2. create a security-constraint (in web.xml) containing an
>>> auth-constraint that permits access to the Anyone role.
>>>
>>> <security-constraint>
>>> <web-resource-collection>
>>> <web-resource-name>SecureResource</web-resource-name>
>>> <url-pattern>/authorized</url-pattern>
>>> <http-method>GET</http-method>
>>> <http-method>POST</http-method>
>>> </web-resource-collection>
>>> <auth-constraint>
>>> <role-name>Anyone</role-name>
>>> </auth-constraint>
>>> </security-constraint>
>>>
>>> 3. and add a mapping in sun-web.xml of a group principal "user", to
>>> the role "Anyone". This means, any caller in group "user" will be
>>> mapped to role "Anyone"
>>>
>>> <security-role-mapping>
>>> <role-name>Anyone</role-name>
>>> <group-name>user</group-name>
>>> </security-role-mapping>
>>>
>>>
>>> 4. do EITHER (but not both) of the following (to ensure that every
>>> authenticated caller is a member of group "user", and thus mapped (by
>>> 3) to role "Anyone", and then permitted (by 2) to access the
>>> constrained resources. [IMO, 4a is more convenient and you should
>>> use it]
>>>
>>> 4a. use the admin console to configure the realm used by your
>>> application, to assign group "user".
>>
>> You mean by using Configuration->Security->Realms->admin-realm and
>> setting "Assign Group" to "user". Now how to add "Anyone"?
>>
> Deepak,
>
> This is a little bit of a moving target. It would probably be simplest
> if we could communicate using the same values for group and role
> names, as I think that is adding to the communication problem.
>
> I don't think I understand your question "Now how to add "Anyone"".
> In the example I gave you, the "user" group becomes a group to whom
> all authenticated users belong; when coupled with a mapping of the
> group to a role, the role becomes (in effect) an "Anyone" role.
>
> Switching to your names, when you configure your admin-realm to assign
> group "admin", then any/all user/s who successfully authenticate at
> the admin-realm will be in group "admin". If you then map (in
> sun-web.xml) group "admin" to your role "asadmin", then "asadmin"
> becomes (in effect) an "Anyone" role; that is every user authenticated
> by the realm is in role "asadmin" (and unauthenticated users are not
> in the "asadmin" role).
>
>> What I did to have "admin" sign in my application:
>>
>> In admin-realm under "Manage Users", the user id is "admin" and Group
>> List is "asadmin". In #1, #2, #3 above, I used admin in place of
>> Anyone and asadmin in place of user. With these changes "admin" was
>> able to login. I want to do the same thing for any random User Id
>> created via "Manage Users". How can this be possible?
>
> Because you configured the admin-realm to assign the group "admin",
> there is nothing more you need to do when you configure a new user
> account. Every user, new or old, who successfully authenticates at the
> admin-realm has the "admin" group added to its authentication identity.
>
> Ron
>
> PS: there is only one realm in effect for a Glassfish app (at a time)
>
>>
>> Thanks,
>> Deepak
>>
>>>
>>> 4b. configure every user account such that the user is a member of
>>> the "user" group
>>>
>>> Please try the above (and make sure you redeploy your app).
>>>
>>> Ron
>>>
>>> Deepak Gothe wrote:
>>>
>>>> Ron Monzillo wrote:
>>>>
>>>>> Deepak Gothe wrote:
>>>>>
>>>>>> Thanks Ron. Looks like the blog may help my usecase, but I am not
>>>>>> clear on a few things. Some example may help. Let me explain what I
>>>>>> did.
>>>>>>
>>>>>> 1. I created a group "group1" in "Assign Group:" in admin console
>>>>>
>>>>>
>>>>> Hi Deepak,
>>>>>
>>>>> Just to be sure we are saying the same thing. In step 1, you
>>>>> should configure your realm to assign a group of your choice,
>>>>> e.g., group1, as a side-effect of authentication. As such, every
>>>>> authenticated user, even users who have not yet been added to the
>>>>> realm, are effectively a member of the group.
>>>>>
>>>>>> 2. I created a user "user1" and in the "Group List", I added
>>>>>> "group1" in the admin console
>>>>>
>>>>>
>>>>>
>>>>> When you create a user, you do not need to add them to the group,
>>>>> because step 1, ensured that the realm will assign the group to
>>>>> all users as a side effect of their successful authentication at
>>>>> the realm.
>>>>>
>>>>>>
>>>>>> Unless I have the following entries in web.xml & sun-web.xml, I
>>>>>> will not be able to log in (using FORM authentication as mentioned
>>>>>> in my earlier mail). What I was looking for is a way to allow the
>>>>>> users that are being created to be able to log in, i.e., if I create
>>>>>> a new user "user2", again I have to update web.xml and
>>>>>> sun-web.xml in order for that user to be authenticated. I want to
>>>>>> avoid this.
>>>>>
>>>>>
>>>>>
>>>>> The mapping below is syntactically correct, but your choice of
>>>>> the name "user1" for the role-name suggests that you expect this
>>>>> role to identify a specific user. Given that you have mapped role
>>>>> "user1" to "group1", and given that group1 is assigned to every
>>>>> user by the realm as a side-effect of authentication, the
>>>>> role you call "user1" represents a role that is mapped to every
>>>>> authenticated user, which is what we refer to as an ANYONE role.
>>>>>
>>>>> I would change the role-name to something like "anyone", or
>>>>> "all-users", or something that better conveys the nature of the role.
>>>>
>>>>
>>>> After entering "content" in "Assign Group:", I can create any
>>>> number of users (e.g., editor, reviewer, manager). And all these users
>>>> belong to the "content" group, right? In order for all those users to
>>>> be able to be authenticated, I need to enter those users in
>>>> sun-web.xml; is there a way to avoid it? I tried using "*" as
>>>> mentioned below, but it did not work.
>>>>
>>>> <security-role-mapping>
>>>> <role-name>*</role-name>
>>>> <group-name>content</group-name>
>>>> </security-role-mapping>
>>>>
>>>> Thanks,
>>>> Deepak
>>>>
>>>>>
>>>>> Other than that (and my comment above wrt 2), what you have
>>>>> seems correct to me.
>>>>>
>>>>> Ron
>>>>>
>>>>>>
>>>>>> web.xml:
>>>>>>
>>>>>> <security-role>
>>>>>> <role-name>user1</role-name>
>>>>>> </security-role>
>>>>>>
>>>>>> sun-web.xml :
>>>>>>
>>>>>> <security-role-mapping>
>>>>>> <role-name>user1</role-name>
>>>>>> <group-name>group1</group-name>
>>>>>> </security-role-mapping>
>>>>>>
>>>>>> Thanks for the help,
>>>>>> Deepak
>>>>>>
>>>>>>> Deepak,
>>>>>>>
>>>>>>> I may not understand your use case, but if you want to configure
>>>>>>> your app so that any authenticated user may access it then
>>>>>>> please take a look at:
>>>>>>>
>>>>>>> http://blogs.sun.com/monzillo/entry/how_to_define_an_anyone
>>>>>>>
>>>>>>> In effect, the above approach ensures that every user is mapped
>>>>>>> to an assigned role, as a side effect of authentication. This
>>>>>>> role can then be used to differentiate any authenticated user
>>>>>>> (from an unauthenticated user).
>>>>>>>
>>>>>>> Also, if you are willing to "administratively" add users to a
>>>>>>> group as you have done in your example below, then "any user
>>>>>>> that is created should be able to login", if you define your
>>>>>>> role mapping based on a role mapped to that group.
>>>>>>>
>>>>>>> 1. map role to group
>>>>>>>
>>>>>>> 2. either administratively or via "assign-groups" as described
>>>>>>> (in the link above) ensure that every authenticated user is
>>>>>>> added to the group.
>>>>>>>
>>>>>>> 3. use role in security-constraint to protect resources (and
>>>>>>> force login).
>>>>>>>
>>>>>>> Ron
>>>>>>>
>>>>>>> Wouter van Reeven wrote:
>>>>>>>
>>>>>>>> Hi Deepak,
>>>>>>>>
>>>>>>>>
>>>>>>>> As far as I am aware this is not possible. However, if someone
>>>>>>>> knows a way around this I'll be interested as well.
>>>>>>>>
>>>>>>>>
>>>>>>>> Greets, Wouter van Reeven
>>>>>>>>
>>>>>>>> On Thu, Jan 24, 2008 at 06:20:39PM +0530, Deepak Gothe wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> I have a question regarding providing access to a user
>>>>>>>>> created in admin-realm using Glassfish admin console.
>>>>>>>>> Following are the steps that I performed:
>>>>>>>>>
>>>>>>>>> 1. Create a user with user id as "deepak" and Group List as
>>>>>>>>> "group1" in admin-realm using the admin console
>>>>>>>>>
>>>>>>>>> 2. Add the following in the web.xml
>>>>>>>>>
>>>>>>>>> <security-constraint>
>>>>>>>>> <web-resource-collection>
>>>>>>>>> <web-resource-name>SecureResource</web-resource-name>
>>>>>>>>> <url-pattern>/authorized</url-pattern>
>>>>>>>>> <http-method>GET</http-method>
>>>>>>>>> <http-method>POST</http-method>
>>>>>>>>> </web-resource-collection>
>>>>>>>>> <auth-constraint>
>>>>>>>>> <role-name>*</role-name>
>>>>>>>>> </auth-constraint>
>>>>>>>>> <user-data-constraint>
>>>>>>>>> <transport-guarantee>NONE</transport-guarantee>
>>>>>>>>> </user-data-constraint>
>>>>>>>>> </security-constraint>
>>>>>>>>>
>>>>>>>>> <login-config>
>>>>>>>>> <auth-method>FORM</auth-method>
>>>>>>>>> <realm-name>admin-realm</realm-name>
>>>>>>>>> <form-login-config>
>>>>>>>>> <form-login-page>/login.jsp</form-login-page>
>>>>>>>>> <form-error-page>/error.jsp</form-error-page>
>>>>>>>>> </form-login-config>
>>>>>>>>> </login-config>
>>>>>>>>>
>>>>>>>>> <security-role>
>>>>>>>>> <role-name>deepak</role-name>
>>>>>>>>> </security-role>
>>>>>>>>>
>>>>>>>>> 3. Add the following in the sun-web.xml
>>>>>>>>>
>>>>>>>>> <security-role-mapping>
>>>>>>>>> <role-name>deepak</role-name>
>>>>>>>>> <group-name>group1</group-name>
>>>>>>>>> </security-role-mapping>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> login.jsp is the form that uses j_security_check. After the
>>>>>>>>> above changes I can login as user "deepak". Now if I create a
>>>>>>>>> new user say "user1" in the group "group2" and want that user
>>>>>>>>> to login, I need to modify both web.xml and sun-web.xml. This
>>>>>>>>> is not desirable. Once I deploy the webapp, any user that is
>>>>>>>>> created should be able to login. Is there a way to achieve
>>>>>>>>> this? This is needed to implement "isUserInRole" functionality
>>>>>>>>> in OpenPortal Portlet Container Driver.
>>>>>>>>>
>>>>>>>>> Thanks in advance,
>>>>>>>>> Deepak
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
>>>>>>>>> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
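The recipe worked out in the thread, as an added example that is not part of any of the messages above and not GlassFish code: a small Python model of the three steps the container performs for a constrained URL (the realm adds its "Assign Group" to every successful login, sun-web.xml maps groups to roles, web.xml's auth-constraint names the roles that may pass), run for both Ron's "Anyone" role setup and Deepak's first per-user-role attempt. User ids, passwords and the second setup's names are constructed for the example; the handling of `*` in an auth-constraint follows the Servlet spec meaning (all roles declared in web.xml), and `*` inside a sun-web.xml mapping is deliberately not modelled since the thread reports it did not work.

```python
# Added example (not from the thread): model of how a Java EE container such
# as GlassFish decides access to a constrained URL, to show why the realm's
# "Assign Group" plus one group-to-role mapping removes the per-user edits.
# Realm contents, passwords and the second web app's names are constructed.
from dataclasses import dataclass


@dataclass
class Realm:
    """File-style realm: per-user groups plus an 'Assign Group' setting."""
    users: dict                            # user id -> groups from "Group List"
    passwords: dict                        # user id -> password (constructed)
    assign_groups: frozenset = frozenset() # added to EVERY successful login

    def authenticate(self, user, password):
        """Return the caller's group set, or None when authentication fails."""
        if user not in self.passwords or self.passwords[user] != password:
            return None
        return set(self.users.get(user, ())) | set(self.assign_groups)


@dataclass
class WebApp:
    """web.xml roles/constraints and the sun-web.xml group-to-role mapping."""
    security_roles: set   # <security-role><role-name> entries in web.xml
    role_mapping: dict    # role -> groups, from <security-role-mapping>
    constraints: dict     # url-pattern -> roles named in its <auth-constraint>

    def roles_for(self, groups):
        """Roles the caller holds: declared roles whose mapped groups intersect."""
        if groups is None:                   # not authenticated
            return set()
        return {role for role, gs in self.role_mapping.items()
                if role in self.security_roles and gs & groups}

    def is_user_in_role(self, groups, role):
        return role in self.roles_for(groups)

    def is_authorized(self, groups, url):
        required = self.constraints.get(url)
        if required is None:
            return True                      # no constraint on this pattern
        if "*" in required:                  # spec: '*' means every declared role
            required = (required - {"*"}) | self.security_roles
        return bool(required & self.roles_for(groups))


def anyone_role_setup():
    """Ron's recipe: realm assigns group 'user'; role 'Anyone' maps to it."""
    realm = Realm(users={"admin": {"asadmin"}},
                  passwords={"admin": "admin-pw"},
                  assign_groups=frozenset({"user"}))
    app = WebApp(security_roles={"Anyone"},
                 role_mapping={"Anyone": {"user"}},
                 constraints={"/authorized": {"Anyone"}})
    return realm, app


def per_user_role_setup():
    """Deepak's first attempt: role 'deepak' mapped to group1, '*' constraint."""
    realm = Realm(users={"deepak": {"group1"}, "user1": {"group2"}},
                  passwords={"deepak": "pw-d", "user1": "pw-1"})
    app = WebApp(security_roles={"deepak"},
                 role_mapping={"deepak": {"group1"}},
                 constraints={"/authorized": {"*"}})
    return realm, app


def scenario():
    """Run both setups and collect the access decisions."""
    out = {}
    realm, app = anyone_role_setup()
    g = realm.authenticate("admin", "admin-pw")
    out["anyone/admin"] = app.is_authorized(g, "/authorized")
    out["anyone/admin_isUserInRole"] = app.is_user_in_role(g, "Anyone")
    # A user added later through Manage Users with an empty Group List:
    # no web.xml or sun-web.xml change, no redeploy, and still admitted.
    realm.users["user2"], realm.passwords["user2"] = set(), "pw-2"
    out["anyone/user2"] = app.is_authorized(realm.authenticate("user2", "pw-2"), "/authorized")
    out["anyone/anonymous"] = app.is_authorized(None, "/authorized")
    out["anyone/bad_password"] = app.is_authorized(realm.authenticate("user2", "nope"), "/authorized")
    out["anyone/login_page"] = app.is_authorized(None, "/login.jsp")

    realm, app = per_user_role_setup()
    out["peruser/deepak"] = app.is_authorized(realm.authenticate("deepak", "pw-d"), "/authorized")
    # user1 authenticates fine but holds no declared role: the original symptom
    out["peruser/user1"] = app.is_authorized(realm.authenticate("user1", "pw-1"), "/authorized")
    return out


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:28} {'allowed' if allowed else 'denied'}")
```

The point the model makes visible is that authorization never consults the user list directly: a caller only reaches the constrained URL through some declared role, and a role is only reached through a group. Adding the group at authentication time (Assign Group) is what lets user2 in without touching the descriptors, while the per-user design fails for user1 because nothing maps group2 to any role, so `*` has no declared role to match.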