1 Reply Latest reply on May 5, 2010 3:10 AM by djeanprost

    Problem using role mapping provider and SSOValve

    djeanprost
    djeanprost May 3, 2010 5:22 AM

      Hello,

       

      I'm currently migrating many applications from weblogic 8 to jboss 5.1.

      In order to get weblogic feature of role mapping (ie : in weblogic.xml, you can provide a mapping of role), I developped a mapping-module, which adds roles to the user using the jboss-web.xml.

       

      Mapping module declaration :

       

      <application-policy name = "sofaxisRealm">

             <authentication>

                <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"

                   flag = "required">

                   <module-option name = "unauthenticatedIdentity">guest</module-option>

                   <module-option name = "dsJndiName">java:/authenticationDS</module-option>

                   <module-option name = "principalsQuery">SELECT password FROM utilisateur WHERE login=?</module-option>

                   <module-option name = "rolesQuery">SELECT groupe, 'Roles' FROM groupe WHERE membre=?</module-option>

                </login-module>

             </authentication>

         <mapping>

      <mapping-module code="com.dexia.sofaxis.security.mapping.providers.DeploymentRolesMappingProvider" type="role"/>

      </mapping>

          </application-policy>

       

       

       

       

      This mapping module adds role to the connected user. For instance :

       

      in my jboss-web.xml

      <security-role>
      <role-name>utilisateurDeclaration</role-name>
      <principal-name>declarationAbsenteismeIntranet</principal-name>
      <principal-name>administrateur</principal-name>
      </security-role>
      That means : every user having the declarationAbsenteismeIntranet group coming from realm will now have the added role utilisateurDeclaration.
      In my web.xml, I uses the added role as a security constraint to gaini access to my webapp.
      I tested this and it works well : I can access to my webapp, using the mapping.
      The problem appears when I try to use the SSO valve, defined in jboss-web's server.xml.
      To reproduce, I need 2 webapps, using the same realm.
      Please look at log.txt, where everything is traced.
      1. Access to 1st webapp. Authentication page is the displayed. Authentication is done, role mapping is done, and I get access.
      2. Using the same window/tab of my webbrowser, I now want to access another webapp. Authentication is not done because I'm already authenticated. Role mapping is done, But authorization process is done using previous mapping (got in step 1), not the last one. My user then doesn't have the role, and doesn't get access.
      How can I get this fixed ?