
List:       geronimo-user
Subject:    j_security_check, jaas, container managed security, login to tomcat
From:       rbaumhof <ralf.baumhof () web ! de>
Date:       2010-06-25 9:51:54
Message-ID: 1277459514550-921719.post () n3 ! nabble ! com


Hello, 

2 years ago I dealt with the same problem and solved it by writing my own
filter which performs security checks and forces login. Now I am testing
again the standard servlet form based authentication with j_security_check
action. This works on the Tomcat web container, but the EJB container always
returns Unauthenticated and isUserInRole()=true.

Examples:
1.) before login, faces thinks there is no user logged in (which is right) -
but in EJB, isUserInRole=true
$$faces.AuthType=null
$$faces.RemoteUser=null
$$rolle SystemManager=false
$$EJB principal in UserManagerImpl::selectUser=Unauthenticated
$$EJB: rolle SystemManager=true


2.) after login of the right user, faces knows about this, and knows the
role - but in EJB, same reaction
$$faces.AuthType=FORM
$$faces.RemoteUser=system
$$rolle SystemManager=true
$$EJB principal in UserManagerImpl::selectUser=Unauthenticated
$$EJB: rolle SystemManager=true

3.) after login of the wrong user, faces knows about this, and knows the
role - but in EJB, same reaction
$$faces.AuthType=FORM
$$faces.RemoteUser=no-admin
$$rolle SystemManager=false
$$EJB principal in UserManagerImpl::selectUser=Unauthenticated
$$EJB: rolle SystemManager=true

This is my configuration:
1.) in web.xml:

	 <security-constraint>
		<web-resource-collection>
			<web-resource-name>Admin page</web-resource-name>
			<url-pattern>/pages/admin/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>SystemManager</role-name>
		</auth-constraint>
	</security-constraint>
	
	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>v-db-sha256</realm-name>
		<form-login-config>
			<form-login-page>/pages/login1.jsf</form-login-page>
			<form-error-page>/allg/loginErr.jsp</form-error-page>
		</form-login-config>
	</login-config>
	
	<security-role>
		<description>
			Role required to see admin pages.
		</description>
		<role-name>SystemManager</role-name>
	</security-role>
 

in geronimo-web.xml:
	<security-realm-name>vesuv-db-sha256</security-realm-name>
  
By the way: we are using Geronimo 2.1.4 with JDK 1.5, update 20. The problem
is the same on Windows and Linux.



-- 
View this message in context: \
http://apache-geronimo.328035.n3.nabble.com/j-security-check-jaas-container-managed-security-login-to-tomcat-is-not-forwarde-to-ejb-container-tp921719p921719.html
 Sent from the Users mailing list archive at Nabble.com.

