Sharing the portal security domain with a servlet
engela May 2, 2007 12:15 PMI quite like to share the security domain of the portal with a servlet which is in the same application context as my portlets. (The task of the servlet is to generate some images on-the-fly, but it needs to know the security context as only authenticated and authorized users are allowed to view the generated images).
Looking at the description in http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureAWebApplicationInJBoss I tried the following steps:
1. I moved the portal security domain from the login configuration for the portal (JBOSS_HOME/default/deploy/jboss-portal.sar/conf/data/login-config.xml) to the JBoss AS login configuration JBOSS_HOME/default/conf/login-config.xml).
<application-policy name="portal"> <authentication> <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient"> <module-option name="unauthenticatedIdentity">guest</module-option> <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option> <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option> <module-option name="additionalRole">Authenticated</module-option> <module-option name="password-stacking">useFirstPass</module-option> </login-module> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > <!-- my ldap configuration --> </login-module> </authentication> </application-policy>
2. Configured the web.xml in my application context to secure my servlet
<?xml version="1.0"?> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd"> <web-app> <servlet> <servlet-name>test</servlet-name> <display-name>test</display-name> <servlet-class>TestServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>test</servlet-name> <url-pattern>/test</url-pattern> </servlet-mapping> <security-constraint> <web-resource-collection> <web-resource-name>test</web-resource-name> <url-pattern>/test</url-pattern> </web-resource-collection> <auth-constraint> <role-name>myrole</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>myrole</role-name> </security-role> <security-role> </web-app>
3. Configured the jboss-web.xml in my application context to point the portal security domain
<jboss-web> <security-domain>java:jaas/portal</security-domain> </jboss-web>
The view.jsp of my portlet references the servlet
<%@ taglib uri="http://java.sun.com/portlet" prefix="portlet"%> <%@ page isELIgnored="false"%> <portlet:defineObjects /> <p>Test Portlet Servlet Interaction</p> <iframe src=?my-web-app/test? />
The servlet currently prints out the remote user name (request. getRemoteUser()) and test if the user is in role ?myrole? (request.isUserInRole(?myrole?))
With the security constraint in place I get an HTTP Status 403 - Access to the requested resource has been denied in my iframe. If I remove the security constraint that the ouput in my iframe tells me that the remote user is null and returns false for reques.isUserInRole(?myrole?).
Is it possible that a serlvet shares the same security domain as my portlets? If yes, what am I doing wrong?
Thanks,
Anette