1. Re: Problem with Tomcat SSO valve while being in 'Admin' rol
soshah Apr 28, 2009 11:19 AM (in response to soshah)
Actually, before modifying the portal's server configuration, which should work, try modifying the jmx-console-roles.properties file and see if that works. If it does, that would be a cleaner approach.
To do that, open your jmx-console-roles.properties file and add "Authenticated" to the list of roles to be associated with the admin user.
So now, the file should look like this:

# A sample roles.properties file for use with the UsersRolesLoginModule
admin=JBossAdmin,HttpInvoker,Authenticated
Thanks
Sohil
2. Re: Problem with Tomcat SSO valve while being in 'Admin' rol
mposolda Apr 29, 2009 12:29 AM (in response to soshah)
Yes. That's right. If you add "Authenticated" to the admin user from jmx-console and log in to jmx-console as admin, then you can go everywhere in JBoss Portal because you are in both roles "Admin" and "Authenticated". That's correct.
My interest is in situation, when you are only in "Admin" (or maybe "User") role but not in role "Authenticated". That's the problem from my point of view.
Imagine another situation: The default portal is configured normally so everyone can see it. If an unauthenticated user (unchecked guest) goes to http://localhost/portal he sees the default portal page, and when he clicks the 'News' link, he is redirected to http://localhost:8080/portal/portal/default/News and he can see the News page of the default portal. But when the admin user from jmx-console (logged in to jmx-console and only in the "Admin" role but not "Authenticated") goes to http://localhost:8080/portal, he can see the default portal page, but when he clicks the News link, he is redirected to the URL http://localhost:8080/portal/auth/portal/default/News and gets a '403 forbidden' page. So this user de facto has fewer privileges than a completely unauthenticated guest user. This behaviour is a little illogical from my point of view...
Maybe I am a little paranoid and this is not as important ;-) But from my point of view, the behaviour in situation when you are in role "Admin" (or "User") and not in "Authenticated" is not logical.
A solution may be to inform our customers that for correct usage of the Tomcat SSO Valve, they must have users in their web applications in both roles "Admin" and "Authenticated" (or "User" and "Authenticated" for normal non-admin users).
3. Re: Problem with Tomcat SSO valve while being in 'Admin' rol
soshah Apr 29, 2009 8:22 AM (in response to soshah)
But from my point of view, the behaviour in situation when you are in role "Admin" (or "User") and not in "Authenticated" is not logical.
Needing an "Authenticated" threshold only makes the difference between an authenticated user and an anonymous user. After that, within the authenticated state itself, resources are access-controlled based on whether they have the "Admin" role, "User" role, etc.
At least that's the default security policy of the portal we ship out of the box.
To change this, you can modify the security constraints I mentioned in portal server configuration. I thought you needed a solution that would work with the out of the box portal policy. But, looks like you are looking to modify the default portal security policy, which is fine too. Try the first option I suggested and see if that works.
You will need to add the "User" and "Admin" role references in the web.xml instead of the Authenticated we have today.
Solution may be to inform our customers that for correct usage of Tomcat SSO Valve, they must have users in their web applications in both roles "Admin" and "Authenticated" (or "User" and "Authenticated" for normal non-admin users).
Yes, that is correct for the default security policy that we ship with.
Thanks
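To make the two options discussed in this thread concrete, here is an added example of the web.xml security constraint in both forms; it is not the page's own configuration and not the web.xml that JBoss Portal ships. The url-pattern /auth/* is taken from the redirect URL Marek quotes, but the constraint name and the exact layout of the shipped descriptor are assumptions, so match them against the real constraint in jboss-portal.sar/portal-server.war/WEB-INF/web.xml before editing.

```xml
<!-- Added example, not JBoss Portal's shipped web.xml. The url-pattern and the
     web-resource-name are assumptions; adapt them to the security-constraint
     actually present in jboss-portal.sar/portal-server.war/WEB-INF/web.xml. -->

<!-- Option A: default policy as shipped. The /auth/* area is reachable only by
     principals holding the "Authenticated" role. Under Tomcat SSO, a user whose
     only role is "Admin" (e.g. the jmx-console admin) is logged in, so the portal
     sends him to /auth/... and the container answers 403 for this constraint.
     The cleaner fix for this case is the one Sohil gave first: grant that user
     "Authenticated" in jmx-console-roles.properties and leave this file alone. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated portal area</web-resource-name>
    <url-pattern>/auth/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Authenticated</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Authenticated</role-name>
</security-role>

<!-- Option B: the modified policy Sohil describes. The same area additionally
     admits "Admin" and "User", so an SSO user holding only one of those roles is
     no longer denied. The servlet specification expects every role named in an
     auth-constraint to be declared as a security-role as well. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated portal area</web-resource-name>
    <url-pattern>/auth/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Authenticated</role-name>
    <role-name>Admin</role-name>
    <role-name>User</role-name>
  </auth-constraint>
</security-constraint>
<security-role><role-name>Authenticated</role-name></security-role>
<security-role><role-name>Admin</role-name></security-role>
<security-role><role-name>User</role-name></security-role>
```

Option B widens the set of principals that satisfy the constraint, so it should be applied only with the roles the deployment actually uses; any further fine-grained decisions (what an "Admin" versus a "User" may do once inside) still happen in the portal's own access control, as Sohil notes above. After changing the descriptor, reproduce Marek's check: log in through the third-party application with a user holding only "Admin", open the News link, and confirm the /auth/... URL now renders instead of returning 403.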
4. Re: Problem with Tomcat SSO valve while being in 'Admin' rol
mposolda Apr 29, 2009 11:25 PM (in response to soshah)
Thank you Sohil,
So if the default portal policy is used, then third-party web applications need both roles "Admin" and "Authenticated". And if third-party web apps don't have the Authenticated role, then the portal needs to be reconfigured for correct usage (roles "Admin" and "User" added to the security constraints in jboss-portal.sar/portal-server.war/WEB-INF/web.xml).
I was a little confused because the scenario mentioned in the reference guide (chapter 21.2.2) describes the situation when only the "Admin" role is used for the "admin" user in jmx-console but not the "Authenticated" role. So I was interested whether it is bad behaviour or only an inaccuracy in the portal documentation. Shouldn't this be mentioned in the doc?
Thanks,
Marek