users@glassfish.java.net

Role mapping issues with Glassfish 3.1.1

From: <forums_at_java.net>
Date: Fri, 2 Sep 2011 10:44:22 -0500 (CDT)

 Hello,

I have some trouble to understand how to setup security in glassfish 3.1.1

 

I am using declarative security, so an url requires "user" priviledges to
access to it.

I am using the predifined file realm  and I have added a user in this realm

I have checked "Default Principal To Role Mapping" and in the "Assign
Groups:" part of file realm, I have added "user"

 

I expected to have all users defined in the realm to be part of group "user"
and, thanks to default principal to role mapping, I expect them to have user
role also.

Unfortunately with this configuration autentication attempt give me http 403

 

Then I tried to add "user" in group list of my user and attempt again to
login, it fails again with 403.

 

Issue 1:

it seems "Default Principal To Role Mapping" option does not automatically
map groups into roles

 

Then I added in my WAR the attached glassfish-web.xml that maps user group in
user role, redeploy my application, then authentication works as expected.

My user has the user role (My servlet print result of
HttpServletRequest.isUserInRole("user") )

 

I tryed also to add group "admin" to my user, then try to authenticate, it
succeds, but my user hasn't the role admin granted, even with the role
mapping defined in glassfish-web.xml

 

Issue 2:

It seems that it is not possible to write some codes based on programmatic
security, the user is part of the group admin, so it should have admin role
according to role mapping, so 

HttpServletRequest.isUserInRole("admin") should return true.

 

I have attached a simple web app I manage to have working on Tomcat, Jetty,
JBoss, Geronimo, Glassfish is the only app server where it does not fully
work. I need this use case because I'm using dynamic roles that can be
unknown at deployment time and I do not want to redeploy the application each
time a new role is added.

the application url is http://localhost:8080/secu/hello, it prints result for
isUSerInRole("user") and isUserInRole("admin"), I also attached
glassfish-web.xml I used when default principal to role mapping attempt was
failing

(the war and wml is in secu.zip)

So is there any way to configure Glassfish to automatically map groups into
roles, in order to have security working without glassfish-web.xml ?

Is there any way to grant roles non statically declared in web.xml ?

 

Many thanks for your help.

Regards

Arnaud

 


--
[Message sent by forum member 'amergey']
View Post: http://forums.java.net/node/839637