2 Replies Latest reply on Jun 11, 2012 12:29 AM by jaikiran

    Not enforcing roles and security constraints?

      Hi,

      I've just started working with JBoss, and have a simple web app that has a security constraint:

          <security-constraint>
              <display-name>Constraint1</display-name>
              <web-resource-collection>
                  <web-resource-name>secure</web-resource-name>
                  <description/>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <description/>
                  <role-name>myrole</role-name>
              </auth-constraint>
          </security-constraint>
          <security-role>
              <description/>
              <role-name>myrole</role-name>
          </security-role>

      In the application-users.properties, I have:

      0test=3e6290174951b169d3c2fd709f36a70e

      In the application-roles.properties, I have:

      0test=anotherrole

      I can log in as "0test", but when I access the web app, I get access, whereas I think I should get a 403/access denied, since the '0test' user doesn't have the 'myrole' role?

      Also, I have a JSP that does some isInRole() calls, and it's showing 'false' for both roles 'myrole' and 'anotherrole'.

      Is there something else that I need to do to get JBoss to recognize the user's roles and also to enforce the security constraint?

      Thanks,
      Jim

        • 1. Re: Not enforcing roles and security constraints?

          Hi,

          I've made some progress. I can now get my test JSP to display roles using isInRole(), corresponding to what I have set in application-roles.properties.

          HOWEVER, it looks like JBoss is still not enforcing the security constraint that is in the web.xml, i.e., regardless of whether or not an authenticated user has the correct role, I am still able to access the protected resource.

          Is there something else that needs to be enabled in JBoss, i.e., is security enforcement disabled by default?

          Thanks,
          Jim

          • 2. Re: Not enforcing roles and security constraints?
            jaikiran

            You'll have to add a security-domain element in jboss-web.xml of your application and point it at the security-domain that you want to use. The security-domain configurations can be done in the security subsystem of the standalone/domain.xml file.

            P.S.: I know, this might not be enough information to get you started. But right now I don't have access to the docs or tutorials which might help you with this and I'm in a hurry. So if you still have questions, feel free to ask; someone else might help.
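The two pieces of configuration jaikiran refers to, written out as an added example that is not part of this thread. It assumes the stock AS 7.1 security domain named "other" (reproduced here from the default standalone.xml as shipped; check it against your own file), which is backed by ApplicationRealm and therefore by the same application-users.properties and application-roles.properties Jim is editing, plus the login-config that Jim's web.xml excerpt does not show.

```xml
<!-- WEB-INF/jboss-web.xml (added example). Without this element the web
     container never consults any security domain, so the security-constraint
     in web.xml is silently not enforced and every request is let through. -->
<jboss-web>
    <!-- AS 7.1 form; AS 7.0 expected the JNDI-style name java:/jaas/other -->
    <security-domain>other</security-domain>
</jboss-web>

<!-- standalone.xml, security subsystem: the "other" domain as shipped with
     AS 7.1 (assumed to match your default file; shown only so the mapping to
     the .properties files is visible, you normally do not need to edit it). -->
<subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains>
        <security-domain name="other" cache-type="default">
            <authentication>
                <login-module code="Remoting" flag="optional">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
                <!-- RealmDirect authenticates against ApplicationRealm, i.e.
                     application-users.properties for credentials and
                     application-roles.properties for the role list -->
                <login-module code="RealmDirect" flag="required">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

<!-- WEB-INF/web.xml: the login-config that must sit next to the
     security-constraint (assumed; not in Jim's excerpt). realm-name is only
     the label sent to the browser in the challenge, not the server-side realm. -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ApplicationRealm</realm-name>
</login-config>
```

With both files in place, an anonymous request to the protected URL should get a 401 and an authenticated user whose application-roles.properties entry lacks myrole (such as 0test=anotherrole) should get a 403; a 200 in either case means the domain is still not being applied to the deployment.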