0 Replies Latest reply on May 2, 2007 12:15 PM by Anette Engel

    Sharing the portal security domain with a servlet

    Anette Engel Newbie

      I would quite like to share the security domain of the portal with a servlet which is in the same application context as my portlets. (The task of the servlet is to generate some images on-the-fly, but it needs to know the security context, as only authenticated and authorized users are allowed to view the generated images.)

      Looking at the description in http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureAWebApplicationInJBoss I tried the following steps:

      1. I moved the portal security domain from the login configuration for the portal (JBOSS_HOME/default/deploy/jboss-portal.sar/conf/data/login-config.xml) to the JBoss AS login configuration (JBOSS_HOME/default/conf/login-config.xml).

      <application-policy name="portal">
       <authentication>
        <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
         <module-option name="unauthenticatedIdentity">guest</module-option>
         <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
         <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
         <module-option name="additionalRole">Authenticated</module-option>
         <module-option name="password-stacking">useFirstPass</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
         <!-- my ldap configuration -->
        </login-module>
       </authentication>
      </application-policy>

      2. Configured the web.xml in my application context to secure my servlet

      <?xml version="1.0"?>
      <!DOCTYPE web-app PUBLIC
       "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"

      3. Configured the jboss-web.xml in my application context to point to the portal security domain


      The view.jsp of my portlet references the servlet

      <%@ taglib uri="http://java.sun.com/portlet" prefix="portlet"%>
      <%@ page isELIgnored="false"%>
      <portlet:defineObjects />
      <p>Test Portlet Servlet Interaction</p>
      <iframe src="my-web-app/test" />

      The servlet currently prints out the remote user name (request.getRemoteUser()) and tests if the user is in role "myrole" (request.isUserInRole("myrole")).

      With the security constraint in place I get an HTTP Status 403 - Access to the requested resource has been denied in my iframe. If I remove the security constraint, the output in my iframe tells me that the remote user is null and that request.isUserInRole("myrole") returns false.

      Is it possible that a servlet shares the same security domain as my portlets? If yes, what am I doing wrong?
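The web.xml and jboss-web.xml that steps 2 and 3 describe did not survive in the post above; the following is an added example of the shape those two files take, not the poster's own files. It assumes a servlet class com.example.TestServlet mapped to /test, BASIC authentication, and that the application-policy is named portal as in step 1, so the JBoss security domain is bound under java:/jaas/portal.

```xml
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- WEB-INF/web.xml of the web application holding the portlets and the servlet.
     Added example; the servlet name, class and auth method are assumptions. -->
<web-app>
  <servlet>
    <servlet-name>TestServlet</servlet-name>
    <servlet-class>com.example.TestServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/test</url-pattern>
  </servlet-mapping>

  <!-- Only callers in role "myrole" may reach /test; everyone else gets 403. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Generated images</web-resource-name>
      <url-pattern>/test</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myrole</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Names the realm; the JAAS domain actually used comes from jboss-web.xml. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>portal</realm-name>
  </login-config>

  <!-- Roles referenced by auth-constraint must be declared here. -->
  <security-role>
    <role-name>myrole</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/jboss-web.xml: bind this web application to the same JAAS security
     domain the portal uses, java:/jaas/<application-policy name> from step 1. -->
<jboss-web>
  <security-domain>java:/jaas/portal</security-domain>
</jboss-web>
```

Both files belong in WEB-INF of the web application that contains the servlet and the portlets; the two documents are shown in one block for brevity and are separate files on disk.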