List: geronimo-user
Subject: j_security_check, jaas, container managed security, login to tomcat
From: rbaumhof <ralf.baumhof () web ! de>
Date: 2010-06-25 9:51:54
Message-ID: 1277459514550-921719.post () n3 ! nabble ! com
Hello,
2 years ago I dealt with the same problem and solved it by writing my own
filter which performs security checks and forces login. Now I am testing
again the standard servlet form-based authentication with the j_security_check
action. This works on the Tomcat web container, but the EJB container always
returns Unauthenticated and isUserInRole()=true.
Examples:
1.) before login, faces thinks there is no user logged in (which is right) -
but in EJB, isUserInRole=true
$$faces.AuthType=null
$$faces.RemoteUser=null
$$rolle SystemManager=false
$$EJB principal in UserManagerImpl::selectUser=Unauthenticated
$$EJB: rolle SystemManager=true
2.) after login of the right user, faces knows about this, and knows the
role - but in EJB, same reaction
$$faces.AuthType=FORM
$$faces.RemoteUser=system
$$rolle SystemManager=true
$$EJB principal in UserManagerImpl::selectUser=Unauthenticated
$$EJB: rolle SystemManager=true
3.) after login of the wrong user, faces knows about this, and knows the
role - but in EJB, same reaction
$$faces.AuthType=FORM
$$faces.RemoteUser=no-admin
$$rolle SystemManager=false
$$EJB principal in UserManagerImpl::selectUser=Unauthenticated
$$EJB: rolle SystemManager=true
This is my configuration:
1.) in web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin page</web-resource-name>
        <url-pattern>/pages/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>SystemManager</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>v-db-sha256</realm-name>
    <form-login-config>
        <form-login-page>/pages/login1.jsf</form-login-page>
        <form-error-page>/allg/loginErr.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description>
        Role required to see admin pages.
    </description>
    <role-name>SystemManager</role-name>
</security-role>
in geronimo-web.xml:
<security-realm-name>vesuv-db-sha256</security-realm-name>
By the way: we are using Geronimo 2.1.4 with JDK 1.5, update 20. The problem
is the same on Windows and Linux.
--
View this message in context:
http://apache-geronimo.328035.n3.nabble.com/j-security-check-jaas-container-managed-security-login-to-tomcat-is-not-forwarde-to-ejb-container-tp921719p921719.html
Sent from the Users mailing list archive at Nabble.com.