0 Replies Latest reply on May 2, 2007 12:15 PM by Anette Engel

    Sharing the portal security domain with a servlet

    Anette Engel Newbie

      I quite like to share the security domain of the portal with a servlet which is in the same application context as my portlets. (The task of the servlet is to generate some images on-the-fly, but it needs to know the security context as only authenticated and authorized users are allowed to view the generated images).

      Looking at the description in http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureAWebApplicationInJBoss I tried the following steps:

      1. I moved the portal security domain from the login configuration for the portal (JBOSS_HOME/default/deploy/jboss-portal.sar/conf/data/login-config.xml) to the JBoss AS login configuration JBOSS_HOME/default/conf/login-config.xml).

      <application-policy name="portal">
       <authentication>
       <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
       <module-option name="unauthenticatedIdentity">guest</module-option>
       <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
       <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
       <module-option name="additionalRole">Authenticated</module-option>
       <module-option name="password-stacking">useFirstPass</module-option>
       </login-module>
      
       <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      
       <!-- my ldap configuration -->
      
       </login-module>
       </authentication>
      </application-policy>


      2. Configured the web.xml in my application context to secure my servlet

      <?xml version="1.0"?>
      <!DOCTYPE web-app PUBLIC
       "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
       "http://java.sun.com/dtd/web-app_2_3.dtd">
      <web-app>
      
       <servlet>
       <servlet-name>test</servlet-name>
       <display-name>test</display-name>
       <servlet-class>TestServlet</servlet-class>
       </servlet>
      
       <servlet-mapping>
       <servlet-name>test</servlet-name>
       <url-pattern>/test</url-pattern>
       </servlet-mapping>
      
      
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>test</web-resource-name>
       <url-pattern>/test</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>myrole</role-name>
       </auth-constraint>
       </security-constraint>
      
       <security-role>
       <role-name>myrole</role-name>
       </security-role>
       <security-role>
      </web-app>


      3. Configured the jboss-web.xml in my application context to point the portal security domain

      <jboss-web>
       <security-domain>java:jaas/portal</security-domain>
      </jboss-web>


      The view.jsp of my portlet references the servlet

      <%@ taglib uri="http://java.sun.com/portlet" prefix="portlet"%>
      <%@ page isELIgnored="false"%>
      
      <portlet:defineObjects />
      <p>Test Portlet Servlet Interaction</p>
      <iframe src=?my-web-app/test? />


      The servlet currently prints out the remote user name (request. getRemoteUser()) and test if the user is in role ?myrole? (request.isUserInRole(?myrole?))

      With the security constraint in place I get an HTTP Status 403 - Access to the requested resource has been denied in my iframe. If I remove the security constraint that the ouput in my iframe tells me that the remote user is null and returns false for reques.isUserInRole(?myrole?).

      Is it possible that a serlvet shares the same security domain as my portlets? If yes, what am I doing wrong?

      Thanks,

      Anette