5 Replies Latest reply on Apr 18, 2005 7:47 PM by lhoriman

isUserInRole and non secured pages

paszti May 13, 2004 4:43 PM

Hi all,

I use the 3.2.3 release.
In my web application there are some secured and non secured pages.
I experienced that the request.isUserInRole() function doesn't work if there is a forwarding from a secured jsp page to a public one.

I made a little example based on the jaas howto tutorial:

WEB.XML:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

<!-- ### Security -->
 <security-constraint>
 <web-resource-collection>
 <web-resource-name>Restricted</web-resource-name>
 <url-pattern>/secured.jsp</url-pattern>
 <url-pattern>/securedTest.jsp</url-pattern>
 </web-resource-collection>
 <auth-constraint>
 <role-name>Echo</role-name>
 </auth-constraint>
 <user-data-constraint>
 <transport-guarantee>NONE</transport-guarantee>
 </user-data-constraint>
 </security-constraint>

 <login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>JAAS Tutorial Servlets</realm-name>
 </login-config>

 <security-role>
 <description>A user allowed to invoke echo methods</description>
 <role-name>Echo</role-name>
 </security-role>
 <security-role>
 <description>A user with no permissions</description>
 <role-name>nobody</role-name>
 </security-role>

</web-app>

secured.jsp:

<%if (request.isUserInRole( "Echo")) {%>
 <h1>member of a role</h1>
<%} else {%>
 <h1>NOT member of a role</h1>
<%}%>

<a href="/SecurityWeb/securedTest.jsp">Link to a secured page</a><br/>
<a href="/SecurityWeb/test.jsp">Link to a public page</a>

securedTest.jsp:

<html>
<body>
<%if (request.isUserInRole( "Echo")) {%>
 <h1>member of a role</h1>
<%} else {%>
 <h1>NOT member of a role</h1>
<%}%>
</body>
</html>

test.jsp:

<html>
<body>
<%if (request.isUserInRole( "Echo")) {%>
 <h1>member of a role</h1>
<%} else {%>
 <h1>NOT member of a role</h1>
<%}%>
</body>
</html>

The securedTest.jsp and test.jsp are the same, the only defference is that the
securedTest.jsp is listed under the security-constraint.
Having tried the http://.............../secure.jsp and logging in succesfully
I can see the "member of a role" text and clicking to the "Link to a secured page"
link the text remains the same.

BUT clicking to the "Link to a public page" link the "NOT member of a role" text
appears in the browser.

How could I preserve the roles during my navigation between secured and non secured pages?
Is there a standard method or is this a bug?

Thanks for your reply in advance.

Tibor

1. Re: isUserInRole and non secured pages

spiritualmechanic May 13, 2004 10:43 PM (in response to paszti)

The user/security info isn't propagated to pages that aren't secured. So a request.getUserPrincipal() will return null for those pages.

That's just the way things are, at least in Jetty.
Actions
2. Re: isUserInRole and non secured pages

starksm64 May 14, 2004 10:10 AM (in response to paszti)

Its at best undefined in the servlet spec how the security context created when accessing secured content is propagated to unsecured content. There is no definition that states the security context is a property of the session and that this should be in effect when using getUserPrincipal and isCallerInRole within the session.

The only context in which these methods are guarenteed to be valid is a secured context. You can put the user principal into the session to make it available to unsecured content, but there is no public api to obtain all of the associated roles.

There are jboss specific apis that can be used to query the validity of a previously authenticated callers as well as the authenticated Subject which is a combination of security information.
Actions
3. Re: isUserInRole and non secured pages

lhoriman Apr 17, 2005 7:01 AM (in response to paszti)

"scott.stark@jboss.org" wrote:
Its at best undefined in the servlet spec how the security context created when accessing secured content is propagated to unsecured content. There is no definition that states the security context is a property of the session and that this should be in effect when using getUserPrincipal and isCallerInRole within the session.

If it's not otherwise defined by the spec... can we have JBoss do what's useful?

Jeff
Actions
4. Re: isUserInRole and non secured pages

starksm64 Apr 17, 2005 10:04 AM (in response to paszti)

Create a feature request:
http://jira.jboss.com/jira/browse/JBAS
Actions
5. Re: isUserInRole and non secured pages

lhoriman Apr 18, 2005 7:47 PM (in response to paszti)

"scott.stark@jboss.org" wrote:
Create a feature request:
http://jira.jboss.com/jira/browse/JBAS

Done: http://jira.jboss.com/jira/browse/JBWEB-19

Thanks,
Jeff
Actions

Go to original post