users@glassfish.java.net

Re: login.jsp customized by original target url

From: <glassfish_at_javadesktop.org>
Date: Tue, 15 Apr 2008 12:48:54 PDT

> I don't know how to split this into a new thread or I
> would...,
>
> I wanted to let you know that I've had some initial
> success writing a very simple jsr196 impl that always
> asserts the same Principal and Group on the
> clientSubject.
>
> Even though it is static right now, the group-to-role
> mapping is working in my sample application so that
> my "admin" user in the "admin" group can access
> "admin.jsp" but not "user.jsp"
>
> And... it was even easier than writing a TAI
> implementation.
>
> Really nice!
>
> The only (very slight) wrinkle is that for some
> reason calls to request.isUserInRole( "admin" )
> return false, even though the role based access is
> working. Weird...

Not sure why this could be happening.

Take a look at the granted.policy file for your app under domain/domainx/generated/policy/appname, or better yet, attach it to this thread.

Look for grants of WebRoleRefPermission. isUserInRole is performed by checking one of these perms. When isUserInRole is called from a jsp, I would not expect there to be a servlet-mapping, and thus there would be no name to identify the scope of the reference.

In this case, the checked permission is created with name = the empty string, and with actions = the value used by the app in the call to isUserInRole.

You should see a "domain that failed" log message in server.policy showing the failed check of the WebRoleRefPermission.

The combination of the policy file and the log msg should give us a pretty good indication of what is going wrong.

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=269347
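
The policy-file check described in the message above, as an added example that is not part of the original post: it lists the WebRoleRefPermission grants in a granted.policy text and reports which principals hold the grant a JSP call to isUserInRole would need (name = empty string, actions = the role). The sample policy is constructed, `com.example.Group` is a placeholder principal class, and the parser assumes standard Java policy-file syntax with at most one principal per grant.

```python
import re

# Constructed sample, not taken from a real deployment.
SAMPLE_POLICY = '''
grant principal com.example.Group "admin" {
    permission javax.security.jacc.WebResourcePermission "/admin.jsp", "GET,POST";
    permission javax.security.jacc.WebRoleRefPermission "AdminServlet", "admin";
};

grant principal com.example.Group "user" {
    permission javax.security.jacc.WebRoleRefPermission "", "user";
};
'''

# One grant block: optional 'principal <class> "<name>"', then the body up to '};'.
GRANT_RE = re.compile(
    r'grant\s+(?:principal\s+(\S+)\s+"([^"]*)"\s*)?\{(.*?)\};', re.S)
# One WebRoleRefPermission entry: "<name>", "<actions>".
PERM_RE = re.compile(
    r'permission\s+javax\.security\.jacc\.WebRoleRefPermission'
    r'\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')


def role_ref_grants(policy_text):
    """Return (principal, permission_name, role) for each WebRoleRefPermission grant."""
    grants = []
    for _cls, principal, body in GRANT_RE.findall(policy_text):
        for name, role in PERM_RE.findall(body):
            grants.append((principal, name, role))
    return grants


def jsp_role_check_covered(policy_text, role):
    """Principals granted WebRoleRefPermission("", role).

    WebRoleRefPermission matches only on equal name and equal actions, so a
    grant scoped to a servlet name does not satisfy a check made with the
    empty name.
    """
    return sorted({p for p, name, r in role_ref_grants(policy_text)
                   if name == "" and r == role})


if __name__ == "__main__":
    for grant in role_ref_grants(SAMPLE_POLICY):
        print(grant)
    print("admin covered for JSP check:", jsp_role_check_covered(SAMPLE_POLICY, "admin"))
```

In the constructed sample the "admin" grant is scoped to a servlet name only, so the empty-name check for "admin" finds no matching principal.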