-
1. Re: Migrating from Weblogic to JBoss : problem with wepapp a
I precise that if in my jboss-web.xml I use a <role-name> which is not declared in a <security-role> of the web.xml, the webapp is not deployed saying there is a mistake in the jboss-web.xml, which is normal.
So, my problem is that utilisateurCollaborateur is not mapped to the <principal-name> I provided.
Is there a debug feature I could turn on to help me find out what's going wrong ? -
2. Re: Migrating from Weblogic to JBoss : problem with wepapp a
the only use of principal-name in the security-role is to assign additional roles to run-as principals. Authenticated users obtain their roles from the jaas login.
-
3. Re: Migrating from Weblogic to JBoss : problem with wepapp a
Hello Scott and thank you for answering,
I think I don't understand the whole thing, though it's clear to me when I use Weblogic. Maybe you can help me to improve my undestanding of jboss, can't you ?
What I understand :
Application developer want to restraitn access to specific URL and so use a <security-constraint> with a <auth-constraint>. From what I understand, the <role-name> of the <auth-constraint> are "logical" roles, ie, roles that as a business sense from the application developer point of view. In my case, the logical role is "utilisateurCollaborateur". For each <role-name> you use in the <auth-constraint>, you have to add a <security-role> in you web.xml
As the application developer is not the application deployer, there has to be a way to do the mapping that says which users have the roles the application developer need to deal with. Actually, I believe the way to do that is the use of jboss-web.xml.
In Jboss-web.xml, for each role you mentioned in the <auth-constraint>, you have to the mapping "role-name" <--> "principal-name", where principal-name is the name of a user or a group you can find in you security realm. You can have several realm users/groups that builds a single role. That allows to avoid spreading application specific groups in the realm that exists anyway. As the realm is managed elsewhere and in it users may belong to specific group (I don't say role here), the whole thing has sense to me, and that's what I understand from the jboss documentation that I read carefully. This allow the application developer to use request.isUserInRole too, using <security-role>, instead of real groups of the db.
If it's not the way it works, can you tell me where I'm wrong ?
I'm looking forward to your answer.
Dom"scott.stark@jboss.org" wrote:
the only use of principal-name in the security-role is to assign additional roles to run-as principals. Authenticated users obtain their roles from the jaas login. -
4. Re: Migrating from Weblogic to JBoss : problem with wepapp a
After many research, I think the answer is here :
http://wiki.jboss.org/wiki/Wiki.jsp?page=PortingFromWeblogic
For weblogic users :
There is a important difference between jboss and weblogic for webapp (and I suppose for EJB too) :
In weblogic : you can map a role to realm groups/users using the weblogic.xml. You can have user "joe" and group "users" that build a single role "theRole" you referenced in your web.xml. This way allows to avoid having "applications" group to be spread in the realm.
In Jboss : the role-name you provide in your web.xml must be the group name you have in your realm (I don't think this word is useable in a jboss world). At the moment, I don't really understand what jboss-web.xml is aimed at concerning these features.
To my mind, it's a little limitation jboss developer could look at.
I hope this post will help former weblogic users
Dom