2 Replies Latest reply on Mar 15, 2005 12:51 PM by starksm64

    Is there a JBoss equivalent in jboss-web.xml of Weblogic's <

    clu77

      I'm working on a system where we provide an application-scoped group/role system that sits on top of JAAS groups/roles, and I need a way of mapping those application-scoped roles onto roles that JAAS knows about. For instance, I have a role that JAAS knows about called "everyone", and a role that the application knows about called "users" whose membership consists of all the users in the role "everyone". In Weblogic, I declare this mapping by adding a <security-role-assignment> entry in weblogic.xml:

      <security-role-assignment>
        <role-name>users</role-name>
        <principal-name>everyone</principal-name>
      </security-role-assignment>
      


      In my web.xml, I have a reference to the "users" role, for instance in an authorization constraint:
      <security-constraint>
        <web-resource-collection>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>users</role-name>
        </auth-constraint>
      </security-constraint>
      


      From looking at the DTD (jboss-web_4_0.dtd), it looks like I should be able to do something similar to the <security-role-assignment> in jboss-web.xml:

      <security-role>
        <role-name>users</role-name>
        <principal-name>everyone</principal-name>
      </security-role>
      


      However, this appears to be ignored by the system, and when I try to access the web resource I get a SecurityException saying my user who belongs to the "everyone" JAAS role doesn't have sufficient permissions.

      Any help is greatly appreciated.

        • 1. Re: Is there a JBoss equivalent in jboss-web.xml of Weblogic
          richardberger

          I have been looking at this same question. You may have already found:
          http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3827512#3827512 - but I added a comment posing a question about capability that appears to be added in WebLogic.

          Did you resolve the problem you were having? I would be very interested in hearing what you did. I am coming to the conclusion that the capabilities offered by the two app servers are different, with the edge apparently going to WL here, but I will be the first to admit that I can get easily confused in this complexity.

          Thanks!
          RB

          • 2. Re: Is there a JBoss equivalent in jboss-web.xml of Weblogic
            starksm64

            The 4.0.2RC1 release has added support for associating a principal with additional roles, but it's up to the login module to perform the mapping from the security domain to the application domain. The static mapping supported at the jboss-web.xml level is only for run-as identity.

            <jboss-web>

              <security-role>
                <role-name>ExtraRole1</role-name>
                <principal-name>UnsecureRunAsServletWithPrincipalNameAndRolesPrincipal</principal-name>
              </security-role>
              <security-role>
                <role-name>ExtraRole2</role-name>
                <principal-name>UnsecureRunAsServletWithPrincipalNameAndRolesPrincipal</principal-name>
              </security-role>

              <servlet>

            ...
                <servlet-name>UnsecureRunAsServletWithPrincipalName</servlet-name>
                <run-as-principal>UnsecureRunAsServletWithPrincipalNamePrincipal</run-as-principal>
              </servlet>
              <servlet>
                <servlet-name>UnsecureRunAsServletWithPrincipalNameAndRoles</servlet-name>
                <run-as-principal>UnsecureRunAsServletWithPrincipalNameAndRolesPrincipal</run-as-principal>
              </servlet>

            </jboss-web>
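
Added example, not part of the thread and not JBoss project code: one way a login module can perform the security-domain-to-application role mapping described in the last reply, using the "everyone" to "users" case from the question. It assumes the security domain uses the stock `UsersRolesLoginModule`; the class name `AppRoleMappingLoginModule` and the hard-coded mapping table are hypothetical.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsersRolesLoginModule;

// Hypothetical subclass: adds application roles on top of the roles
// the security domain already assigned to the authenticated user.
public class AppRoleMappingLoginModule extends UsersRolesLoginModule {

    // Assumed mapping: security-domain role -> application role named in web.xml.
    // Explicit allow-list: a domain role with no entry grants no application role.
    private static final Map<String, String> DOMAIN_TO_APP = new HashMap<String, String>();
    static {
        DOMAIN_TO_APP.put("everyone", "users");
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        Group[] groups = super.getRoleSets();
        for (Group group : groups) {
            // JBossSX takes the caller's declarative roles from the group named "Roles".
            if (!"Roles".equals(group.getName())) {
                continue;
            }
            // Collect first, then add, so the group is not modified while enumerating it.
            List<Principal> extra = new ArrayList<Principal>();
            Enumeration<? extends Principal> members = group.members();
            while (members.hasMoreElements()) {
                String appRole = DOMAIN_TO_APP.get(members.nextElement().getName());
                if (appRole != null) {
                    extra.add(new SimplePrincipal(appRole));
                }
            }
            for (Principal p : extra) {
                group.addMember(p);
            }
        }
        return groups;
    }
}
```

The module is referenced by class name from the security domain's entry in login-config.xml, in place of the stock module, so the `<auth-constraint>` on "users" in web.xml is satisfied for members of "everyone".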