users@glassfish.java.net

Re: Role mapping issues with Glassfish 3.1.1

From: Kumar Jayanti <v.b.kumar.jayanti_at_oracle.com>
Date: Fri, 2 Sep 2011 22:35:39 +0530

On 02-Sep-2011, at 9:14 PM, forums_at_java.net wrote:

> Hello,
>
> I have some trouble understanding how to set up security in GlassFish 3.1.1.
>
> I am using declarative security, so a URL requires "user" privileges to
> access it.
>
> I am using the predefined file realm and I have added a user in this realm.
>
> I have checked "Default Principal To Role Mapping" and in the "Assign
> Groups:" part of file realm, I have added "user"
Not preferable
>
> I expected to have all users defined in the realm to be part of group "user"
> and, thanks to default principal to role mapping, I expect them to have user
> role also.
>
> Unfortunately with this configuration an authentication attempt gives me HTTP 403.
>
> Then I tried to add "user" in group list of my user
Better this way.
> and attempt again to
> login, it fails again with 403.
>
Not sure why...
>
> Issue 1:
>
> It seems the "Default Principal To Role Mapping" option does not automatically
> map groups into roles.
>
That is the purpose of default P2R. I just activated default P2R from the GUI, restarted GlassFish, deployed your app and tried to access the app.

It asks for username/password and when I give it I see this:

Hello test
Are you user ? YES
Are you admin ? NO

So it seems to work for me.

Please make sure you completely undeploy your app (make sure domains/domain1/generated/policy/secu is removed).

Enable Default P2R

Restart GF

Deploy your app.

Here is how the generated policy (granted.policy) should look:
-----------

grant {
  permission javax.security.jacc.WebResourcePermission "/:/hello";
  permission javax.security.jacc.WebUserDataPermission "/hello";
  permission javax.security.jacc.WebUserDataPermission "/:/hello";
};

grant principal org.glassfish.security.common.Group "user" {
  permission javax.security.jacc.WebResourcePermission "/hello";
  permission javax.security.jacc.WebRoleRefPermission "jsp", "user";
  permission javax.security.jacc.WebRoleRefPermission "default", "user";
  permission javax.security.jacc.WebRoleRefPermission "hello", "user";
  permission javax.security.jacc.WebRoleRefPermission "", "user";
};
-----------
>
> Then I added in my WAR the attached glassfish-web.xml that maps the user group to
> the user role, redeployed my application, and then authentication works as expected.
>
> My user has the user role (my servlet prints the result of
> HttpServletRequest.isUserInRole("user")).
>
> I also tried to add the group "admin" to my user, then tried to authenticate. It
> succeeds, but my user does not have the admin role granted, even with the role
> mapping defined in glassfish-web.xml.
>
> Issue 2:
>
> It seems that it is not possible to write some code based on programmatic
> security: the user is part of the group admin, so it should have the admin role
> according to the role mapping, so
>
> HttpServletRequest.isUserInRole("admin") should return true.
>
> I have attached a simple web app I managed to get working on Tomcat, Jetty,
> JBoss and Geronimo; GlassFish is the only app server where it does not fully
> work. I need this use case because I'm using dynamic roles that can be
> unknown at deployment time and I do not want to redeploy the application each
> time a new role is added.
>
> The application URL is http://localhost:8080/secu/hello; it prints the result of
> isUserInRole("user") and isUserInRole("admin"). I also attached the
> glassfish-web.xml I used when the default principal to role mapping attempt was
> failing.
>
> (The war and xml are in secu.zip.)
>
> So is there any way to configure GlassFish to automatically map groups into
> roles, in order to have security working without glassfish-web.xml?
>
> Is there any way to grant roles not statically declared in web.xml?
>
Even after default P2R you would still need to have the roles declared in web.xml, only then the policy generation would know what policy to generate.

But there is an alternate Authorization Provider that provides the ability to create a custom RoleMapper. See here:
http://blogs.oracle.com/monzillo/entry/prelude_includes_portable_in_memory


>
> Many thanks for your help.
>
> Regards
>
> Arnaud
>
> --
>
> [Message sent by forum member 'amergey']
>
> View Post: http://forums.java.net/node/839637
>
> <secu.zip>
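As an added illustration of the point in the reply above (this is constructed for this page, not the contents of the attached secu.zip or any GlassFish project file): both roles are declared in web.xml so that policy generation knows about "admin" as well as "user", and the glassfish-web.xml group-to-role mapping is shown for the case where Default Principal To Role Mapping is left off. The two files are concatenated into one block for reading; the servlet name "hello" and the /hello URL follow the thread.

```xml
<!-- File 1: WEB-INF/web.xml (constructed example). Both roles are declared,
     which is what lets GlassFish's policy generation emit WebRoleRefPermission
     entries for "admin" as well as "user". "admin" is declared even though no
     URL constraint uses it, so that isUserInRole("admin") can be evaluated. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Only authenticated users holding the "user" role may reach /hello. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>hello</web-resource-name>
      <url-pattern>/hello</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
  </login-config>

  <!-- Declare every role the application will ever test programmatically. -->
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>

<!-- File 2: WEB-INF/glassfish-web.xml (constructed example). Needed only when
     Default Principal To Role Mapping is off; with it on, a file-realm group
     named "admin" maps to the declared role "admin" without this file. -->
<!DOCTYPE glassfish-web-app PUBLIC
  "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN"
  "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app>
  <security-role-mapping>
    <role-name>user</role-name>
    <group-name>user</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>admin</group-name>
  </security-role-mapping>
</glassfish-web-app>
```

After redeploying, the generated granted.policy under domains/domain1/generated/policy should contain a `grant principal org.glassfish.security.common.Group "admin"` block with WebRoleRefPermission entries for "admin", alongside the "user" block shown in the reply.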