5 Replies Latest reply on Apr 18, 2005 7:47 PM by Jeff Schnitzer

    isUserInRole and non secured pages

    Tibor Pasztorka Newbie

      Hi all,

      I use the 3.2.3 release.
      In my web application there are some secured and non secured pages.
      I experienced that the request.isUserInRole() function doesn't work if there is a forwarding from a secured jsp page to a public one.

      I made a little example based on the jaas howto tutorial:

      WEB.XML:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE web-app PUBLIC
       "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
       "http://java.sun.com/dtd/web-app_2_3.dtd">
      
      <web-app>
      
      <!-- ### Security -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Restricted</web-resource-name>
       <url-pattern>/secured.jsp</url-pattern>
       <url-pattern>/securedTest.jsp</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>Echo</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>JAAS Tutorial Servlets</realm-name>
       </login-config>
      
       <security-role>
       <description>A user allowed to invoke echo methods</description>
       <role-name>Echo</role-name>
       </security-role>
       <security-role>
       <description>A user with no permissions</description>
       <role-name>nobody</role-name>
       </security-role>
      
      </web-app>


      secured.jsp:

      <%if (request.isUserInRole( "Echo")) {%>
       <h1>member of a role</h1>
      <%} else {%>
       <h1>NOT member of a role</h1>
      <%}%>
      
      <a href="/SecurityWeb/securedTest.jsp">Link to a secured page</a><br/>
      <a href="/SecurityWeb/test.jsp">Link to a public page</a>


      securedTest.jsp:

      <html>
      <body>
      <%if (request.isUserInRole( "Echo")) {%>
       <h1>member of a role</h1>
      <%} else {%>
       <h1>NOT member of a role</h1>
      <%}%>
      </body>
      </html>


      test.jsp:

      <html>
      <body>
      <%if (request.isUserInRole( "Echo")) {%>
       <h1>member of a role</h1>
      <%} else {%>
       <h1>NOT member of a role</h1>
      <%}%>
      </body>
      </html>


      The securedTest.jsp and test.jsp are the same, the only defference is that the
      securedTest.jsp is listed under the security-constraint.
      Having tried the http://.............../secure.jsp and logging in succesfully
      I can see the "member of a role" text and clicking to the "Link to a secured page"
      link the text remains the same.

      BUT clicking to the "Link to a public page" link the "NOT member of a role" text
      appears in the browser.

      How could I preserve the roles during my navigation between secured and non secured pages?
      Is there a standard method or is this a bug?

      Thanks for your reply in advance.


      Tibor