Hi,
I am accessing the user principal and checking the roles in a servlet filter as follows:
// inside doFilter(): the filter gets a ServletRequest, so it is cast to HttpServletRequest first
HttpServletRequest httpRequest = (HttpServletRequest) request;
System.out.println("User is '" + httpRequest.getUserPrincipal() + "'");
for (String group : new String[]{ "group1", "group2", "group3" }) {
    System.out.println(" User is in group " + group + ": " + httpRequest.isUserInRole(group));
}
In this case I see that the user is ok but it does not belong to any of the groups (the user actually belongs to all three).
Now, when I modify the security constraint in my web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>AllowEveryone</web-resource-name>
        <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
and change role-name to 'group1', I see that the user is allowed to view pages guarded by the constraint. When I change the role-name to 'unknowngroup', I see the user is not allowed to view these pages. Also, using role-name '*' (the original) does not allow access to the page, which, I think, is incorrect.
In other words, it appears as though security is set up properly but isUserInRole() apparently does not work properly in the servlet filter. Also, it looks like there is a problem with the interpretation of the role-name '*' in the web.xml.
Do you have the same problem?
Cheers
Erik
PS. Apart from this, I want to access the authenticated JAAS subject because I need that. Is there a way to access that in GlassFish?
[Message sent by forum member 'erikengerd' (erikengerd)]
http://forums.java.net/jive/thread.jspa?messageID=245853
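Added example, not from Erik's post and not GlassFish's own documentation: the two deployment-descriptor pieces that have to line up for `<role-name>*</role-name>` and `isUserInRole()` to see the same roles. The Servlet specification defines `*` as shorthand for every role declared with `<security-role>` in web.xml, so with no `<security-role>` elements `*` expands to nothing, which matches the behaviour described above. GlassFish maps the realm's groups onto those declared roles through `<security-role-mapping>` in WEB-INF/sun-web.xml (glassfish-web.xml on GlassFish 3.1 and later). The group names group1..group3 come from the post; that the role names equal the group names is an assumption made here for illustration.

```xml
<!-- WEB-INF/web.xml (excerpt). Added example; role names are assumed to match
     the group names used in the post. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AllowEveryone</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "*" means every role declared in <security-role> below;
           with no <security-role> elements it matches no role at all -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Declaring the roles gives "*" (and isUserInRole in a filter or servlet)
       a list to resolve against -->
  <security-role><role-name>group1</role-name></security-role>
  <security-role><role-name>group2</role-name></security-role>
  <security-role><role-name>group3</role-name></security-role>
</web-app>

<!-- WEB-INF/sun-web.xml (glassfish-web.xml on GlassFish 3.1+): map the realm
     groups to the declared roles. One mapping per role; group2 and group3
     follow the same pattern. -->
<sun-web-app>
  <security-role-mapping>
    <role-name>group1</role-name>
    <group-name>group1</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>group2</role-name>
    <group-name>group2</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>group3</role-name>
    <group-name>group3</group-name>
  </security-role-mapping>
</sun-web-app>
```

The explicit mapping can be skipped when the server-wide "Default Principal To Role Mapping" option is enabled in the GlassFish security configuration, in which case a group is treated as a role of the same name; the `<security-role>` declarations in web.xml are still what `*` expands to. A quick check after deploying is to repeat the filter's `isUserInRole()` loop: once the roles are declared and mapped, the three `isUserInRole` calls and the `*` constraint should agree with each other.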