I would quite like to share the security domain of the portal with a servlet which is in the
same application context as my portlets. (The task of the servlet is to generate some
images on-the-fly, but it needs to know the security context, as only authenticated and
authorized users are allowed to view the generated images.)
Looking at the description in
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureAWebApplicationInJBoss I tried the
following steps:
1. I moved the portal security domain from the login configuration for the portal
(JBOSS_HOME/default/deploy/jboss-portal.sar/conf/data/login-config.xml) to the JBoss AS
login configuration (JBOSS_HOME/default/conf/login-config.xml).
<application-policy name="portal">
  <authentication>
    <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
      <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
      <module-option name="additionalRole">Authenticated</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>

    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <!-- my ldap configuration -->
    </login-module>
  </authentication>
</application-policy>
2. Configured the web.xml in my application context to secure my servlet:
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <servlet>
    <servlet-name>test</servlet-name>
    <display-name>test</display-name>
    <servlet-class>TestServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>test</servlet-name>
    <url-pattern>/test</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/test</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myrole</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>myrole</role-name>
  </security-role>
</web-app>
3. Configured the jboss-web.xml in my application context to point to the portal security
domain:
<jboss-web>
  <security-domain>java:jaas/portal</security-domain>
</jboss-web>
The view.jsp of my portlet references the servlet:
<%@ taglib uri="http://java.sun.com/portlet" prefix="portlet"%>
<%@ page isELIgnored="false"%>

<portlet:defineObjects />
<p>Test Portlet Servlet Interaction</p>
<iframe src="my-web-app/test" />
The servlet currently prints out the remote user name (request.getRemoteUser()) and tests
if the user is in role "myrole" (request.isUserInRole("myrole")).
With the security constraint in place I get an "HTTP Status 403 - Access to the requested
resource has been denied" in my iframe. If I remove the security constraint, the output
in my iframe tells me that the remote user is null and that
request.isUserInRole("myrole") returns false.
Is it possible that a servlet shares the same security domain as my portlets? If yes, what
am I doing wrong?
Thanks,
Anette
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4042510#...
Reply to the post :
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...
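An added example, not the TestServlet from the post, of how the image servlet described above can fail closed: the web.xml security-constraint stays the first line of defence, and the servlet itself refuses to render when the container hands it no principal (the "remote user is null" symptom) or a principal without the post's "myrole". It assumes the Servlet 2.3 API the web.xml declares and uses a java.awt-drawn PNG as a stand-in for the real image generator.

```java
import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.security.Principal;
import javax.imageio.ImageIO;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the poster's servlet. The security-constraint in web.xml is
 * the first check; this programmatic check is the second, so a servlet that is
 * NOT actually bound to the "portal" domain (null remote user) answers 403.
 */
public class TestServlet extends HttpServlet {
    // Role name taken from the post's web.xml.
    private static final String REQUIRED_ROLE = "myrole";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal principal = request.getUserPrincipal();
        // No principal: the container did not authenticate this request, i.e. the
        // servlet is not sharing the portal's security domain as intended.
        if (principal == null || request.getRemoteUser() == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "not authenticated");
            return;
        }
        // Authenticated, but without the role the portal's RoleModule assigns.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing role " + REQUIRED_ROLE);
            return;
        }
        // Authorized: generate the image. Forbid caching so a shared proxy or the
        // browser cache cannot serve a user-specific image to someone else.
        response.setContentType("image/png");
        response.setHeader("Cache-Control", "no-store, private");
        ImageIO.write(renderImage(principal.getName()), "png", response.getOutputStream());
    }

    /** Stand-in for the real on-the-fly generator: a small PNG naming the user. */
    private static BufferedImage renderImage(String user) {
        BufferedImage img = new BufferedImage(240, 40, BufferedImage.TYPE_INT_RGB);
        Graphics2D g = img.createGraphics();
        g.drawString("remote user: " + user, 8, 25);
        g.dispose();
        return img;
    }
}
```

With the security-constraint removed, as in the post's second experiment, this servlet returns 403 rather than an image, which makes a mis-bound security domain visible instead of silently serving the image to an unauthenticated caller.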