2 Replies Latest reply on Mar 15, 2005 12:51 PM by Scott Stark

    Is there a JBoss equivalent in jboss-web.xml of Weblogic's <

    Scott Bonneau Newbie

      I'm working on a system where we provide an application-scoped group/role system that sits on top of JAAS groups/roles, and I need a way of mapping those application-scoped roles onto roles that JAAS knows about. For instance, I have a role that JAAS knows about called "everyone", and a role that the application knows about called "users" whose membership consists of all the users in the role "everyone". In Weblogic, I declare this mapping by adding a <security-role-assignment> entry in weblogic.xml:

      <security-role-assignment>
       <role-name>users</role-name>
       <principal-name>everyone</principal>
      </security-role-assignment>
      


      In my web.xml, I have a reference to the "users" role, for instance in an authorization constraint:
      <security-constraint>
       <web-resource-collection>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
       <role-name>users</role-name>
       </auth-constraint>
      </security-constraint>
      


      From looking at the DTD (jboss-web_4_0.dtd), it looks like I should be able to do something similar to the <security-role-assignment> in jboss-web.xml:

      <security-role>
       <role-name>users</role-name>
       <principal-name>everyone</principal>
      </security-role>
      


      However, this appears to be ignored by the system, and when I try to access the web resource I get a SecurityException saying my user who belongs to the "everyone" JAAS role doesn't have sufficient permissions.

      Any help is greatly appreciated.

        • 1. Re: Is there a JBoss equivalent in jboss-web.xml of Weblogic
          Richard Berger Newbie

          I have been looking at this same question. You may have already found:
          http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3827512#3827512 - but I added a comment posing a question about capability that appears to be added in WebLogic.

          Did you resolve the problem you were having? I would be very interested in hearing what you did. I am coming to the conclusion that the capabilities offered by the two app servers are different, with the edge apparently going to WL here, but I will be the first to admit that I can get easily confused in this complexity.

          Thanks!
          RB

          • 2. Re: Is there a JBoss equivalent in jboss-web.xml of Weblogic
            Scott Stark Master

            The 4.0.2RC1 release has added support for assocating a principal with additional roles, but its up to the login module to perform the mapping from the security domain to the application domain. The static mapping supported at the jboss-web.xml level is only for run-as identity.

            <jboss-web>
            
             <security-role>
             <role-name>ExtraRole1</role-name>
             <principal-name>UnsecureRunAsServletWithPrincipalNameAndRolesPrincipal</principal-name>
             </security-role>
             <security-role>
             <role-name>ExtraRole2</role-name>
             <principal-name>UnsecureRunAsServletWithPrincipalNameAndRolesPrincipal</principal-name>
             </security-role>
            
             <servlet>
            
            ...
             <servlet-name>UnsecureRunAsServletWithPrincipalName</servlet-name>
             <run-as-principal>UnsecureRunAsServletWithPrincipalNamePrincipal</run-as-principal>
             </servlet>
             <servlet>
             <servlet-name>UnsecureRunAsServletWithPrincipalNameAndRoles</servlet-name>
             <run-as-principal>UnsecureRunAsServletWithPrincipalNameAndRolesPrincipal</run-as-principal>
             </servlet>
            
            </jboss-web>