isUserInRole and non secured pages
paszti May 13, 2004 4:43 PM
Hi all,
I use the 3.2.3 release.
In my web application there are some secured and non secured pages.
I experienced that the request.isUserInRole() function doesn't work if there is a forwarding from a secured jsp page to a public one.
I made a little example based on the jaas howto tutorial:
WEB.XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- ### Security -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      <url-pattern>/secured.jsp</url-pattern>
      <url-pattern>/securedTest.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Echo</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JAAS Tutorial Servlets</realm-name>
  </login-config>
  <security-role>
    <description>A user allowed to invoke echo methods</description>
    <role-name>Echo</role-name>
  </security-role>
  <security-role>
    <description>A user with no permissions</description>
    <role-name>nobody</role-name>
  </security-role>
</web-app>
secured.jsp:
<% if (request.isUserInRole("Echo")) { %>
  <h1>member of a role</h1>
<% } else { %>
  <h1>NOT member of a role</h1>
<% } %>
<a href="/SecurityWeb/securedTest.jsp">Link to a secured page</a><br/>
<a href="/SecurityWeb/test.jsp">Link to a public page</a>
securedTest.jsp:
<html>
<body>
<% if (request.isUserInRole("Echo")) { %>
  <h1>member of a role</h1>
<% } else { %>
  <h1>NOT member of a role</h1>
<% } %>
</body>
</html>
test.jsp:
<html>
<body>
<% if (request.isUserInRole("Echo")) { %>
  <h1>member of a role</h1>
<% } else { %>
  <h1>NOT member of a role</h1>
<% } %>
</body>
</html>
securedTest.jsp and test.jsp are the same; the only difference is that
securedTest.jsp is listed under the security-constraint.
Having tried http://.............../secure.jsp and logged in successfully,
I can see the "member of a role" text, and after clicking on the "Link to a secured page"
link the text remains the same.
BUT after clicking on the "Link to a public page" link, the "NOT member of a role" text
appears in the browser.
How could I preserve the roles during my navigation between secured and non secured pages?
Is there a standard method or is this a bug?
Thanks for your reply in advance.
Tibor
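An added example (not from the post or from JBoss) that models the Servlet 2.3 url-pattern matching a container applies to security constraints, so you can audit which pages of a web.xml fall outside every constraint. It assumes, as the observation above suggests, that the container only invokes its authenticator for requests matching a security-constraint, which is why isUserInRole() on the uncovered test.jsp sees no principal; the embedded web.xml is a constructed, trimmed copy of the one in the post.

```python
import xml.etree.ElementTree as ET
# Constructed copy of the post's web.xml (DOCTYPE and <security-role>
# declarations dropped; they play no part in url-pattern matching).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      <url-pattern>/secured.jsp</url-pattern>
      <url-pattern>/securedTest.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Echo</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def load_constraints(web_xml):
    """Return [(url_patterns, required_roles)] for each <security-constraint>."""
    root = ET.fromstring(web_xml)
    result = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        result.append((patterns, roles))
    return result

def pattern_matches(pattern, path):
    """Servlet 2.3 url-pattern rules: exact, prefix '/dir/*', extension '*.ext', default '/'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"

def required_roles(constraints, path):
    """Roles a request for path must hold; None when no constraint covers it.
    Assumption (matches the post's observation): the container only runs its
    authenticator for covered paths, so on an uncovered page isUserInRole()
    finds no principal even though the browser still sends Basic credentials."""
    for patterns, roles in constraints:
        if any(pattern_matches(p, path) for p in patterns):
            return roles
    return None

def audit(web_xml, paths):
    """Map each path to its required roles (None = outside every constraint)."""
    constraints = load_constraints(web_xml)
    return {p: required_roles(constraints, p) for p in paths}
```

Running audit(WEB_XML, ["/secured.jsp", "/securedTest.jsp", "/test.jsp"]) reports the two secured pages as requiring Echo and test.jsp as None, the page where the post sees "NOT member of a role".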