[jboss-dev-forums] [QA of JBoss Portal] - Problem with Tomcat SSO valve while being in 'Admin' role bu
mposolda@redhat.com
do-not-reply at jboss.com
Tue Apr 28 07:09:43 EDT 2009
I have a question about Tomcat SSO Valve. I have a JBoss-4.2.3.GA with JBoss Portal 2.7.2 from branch and I did this scenario:
1) I changed the security settings of default portal, so only admin can see it. ('View recursive' and 'Personalize recursive' permission to Administrators). So the access to http://localhost:8080/portal needs authentication and needs to be authorized as admin.
2) I enabled the Tomcat SSO valve in $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml in the same way as described in the reference guide.
3) I enabled authentication for the jmx-console in the same way as described in the reference guide:
$JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>An example security config that only allows users with the
        role JBossAdmin to access the HTML JMX console web application</description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
$JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml:
  <jboss-web>
    <security-domain>java:/jaas/jmx-console</security-domain>
  </jboss-web>
$JBOSS_HOME/server/default/conf/props/jmx-console-roles.properties:
admin=Admin,HttpInvoker
4) I went to http://localhost:8080/jmx-console and authenticated to the jmx-console as admin.
5) Then I went to http://localhost:8080/portal and I see the normal default page of the default portal with the information that admin is logged in ('logged in as: admin' in the upper right corner and a link to the Admin portal).
6) After clicking any link on the portal, I got a 403 Forbidden error. This is because any click redirects me to a URL like http://localhost:8080/portal/auth/dashboard and I need to be in the 'Authenticated' role to access this URL. But I am only in the 'Admin' role, not in the 'Authenticated' role (authentication is done by the jmx-console and the 'Authenticated' role is not specified in jmx-console-roles.properties).
My question is whether this behaviour is correct. I think not. If I am not authorized to see the default portal, why is it possible for me to see http://localhost:8080/portal after logging in to the jmx-console? If I am authorized to see the portal, why do I get the '403' error when clicking any link from the default portal page? This looks like a conflict from my point of view.
mposolda at redhat.com
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4227254#4227254
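The role mismatch in the post comes from how Tomcat's SSO valve works: the principal created by the realm that performed the first login (here the jmx-console's, with roles from jmx-console-roles.properties) is reused by every other web application on the host, and each application evaluates its own security constraints against that fixed role set. The model below is an added example, not JBoss or Tomcat code. It implements the servlet url-pattern precedence Tomcat applies when selecting constraints (exact match, then longest path prefix, then extension, then the default pattern) and replays the post's steps 4 to 6. The portal's access rules are assumed to behave like two `security-constraint` entries (the whole portal requires Admin, /auth/* requires Authenticated), and the portal's own realm is assumed to grant the Authenticated role; the jmx-console roles are taken from the post.

```python
"""Model of the Tomcat SSO valve plus servlet security-constraint evaluation.
Added example, not Tomcat or JBoss code. It shows why a principal created by
one realm (jmx-console) gets 403 on another app's URLs (portal /auth/*)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>: its url-patterns and <auth-constraint> roles.
    An empty role set models an auth-constraint that denies everyone."""
    patterns: tuple
    roles: frozenset


@dataclass(frozen=True)
class WebApp:
    context: str
    constraints: tuple


def match_rank(pattern: str, path: str):
    """Return a sortable rank describing how specifically `pattern` matches the
    context-relative `path`, or None when it does not match. The tiers follow the
    servlet precedence Tomcat uses to pick constraints: exact match (3), longest
    path prefix '/foo/*' (2, prefix length), extension '*.jsp' (1), default '/' (0)."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    return (0, 0) if pattern == "/" else None


def authorize(app: WebApp, path: str, principal: Optional[Principal]) -> int:
    """HTTP status the container would produce: 200 allowed, 401 when the
    resource is constrained and nobody is logged in, 403 when the principal
    is authenticated but holds none of the roles the best-matching constraints require."""
    ranked = []
    for c in app.constraints:
        ranks = [r for r in (match_rank(p, path) for p in c.patterns) if r is not None]
        if ranks:
            ranked.append((max(ranks), c))
    if not ranked:
        return 200  # no constraint covers this URL
    best = max(r for r, _ in ranked)
    # Only constraints at the most specific matching pattern apply; their roles are unioned.
    required = set().union(*(c.roles for r, c in ranked if r == best))
    if principal is None:
        return 401
    return 200 if required & principal.roles else 403


class SsoSession:
    """Stand-in for the Tomcat SSO valve: a single principal shared by every
    web app on the host, built by whichever realm performed the first login."""

    def __init__(self):
        self.principal = None

    def login(self, user: str, realm_roles: dict) -> None:
        self.principal = Principal(user, frozenset(realm_roles.get(user, ())))

    def request(self, app: WebApp, path: str) -> int:
        return authorize(app, path, self.principal)


# Constructed realms. The jmx-console line mirrors jmx-console-roles.properties
# from the post (admin=Admin,HttpInvoker); the portal realm is an assumption.
JMX_CONSOLE_ROLES = {"admin": ("Admin", "HttpInvoker")}
PORTAL_ROLES = {"admin": ("Admin", "Authenticated")}  # assumption

JMX_CONSOLE = WebApp("/jmx-console", (Constraint(("/*",), frozenset({"Admin"})),))
# Assumption: the portal's permissions expressed as two security constraints.
PORTAL = WebApp("/portal", (
    Constraint(("/*",), frozenset({"Admin"})),
    Constraint(("/auth/*",), frozenset({"Authenticated"})),
))


def scenario_sso_via_jmx_console() -> dict:
    """Post steps 4-6: log in through the jmx-console, then browse the portal."""
    sso = SsoSession()
    sso.login("admin", JMX_CONSOLE_ROLES)
    return {
        "jmx-console /": sso.request(JMX_CONSOLE, "/"),
        "portal /": sso.request(PORTAL, "/"),
        "portal /auth/dashboard": sso.request(PORTAL, "/auth/dashboard"),
    }


def scenario_login_via_portal() -> dict:
    """Same user, but the shared principal was created by the portal's realm."""
    sso = SsoSession()
    sso.login("admin", PORTAL_ROLES)
    return {
        "portal /": sso.request(PORTAL, "/"),
        "portal /auth/dashboard": sso.request(PORTAL, "/auth/dashboard"),
    }


if __name__ == "__main__":
    for name, result in (("login via jmx-console", scenario_sso_via_jmx_console()),
                         ("login via portal", scenario_login_via_portal())):
        print(name)
        for req, status in result.items():
            print(f"  {req:<24} -> {status}")
```

Running it prints 200 for /portal and 403 for /portal/auth/dashboard after a jmx-console login, but 200 for both after a portal login. The practical consequence for anyone enabling the SSO valve is that every application sharing the session must be backed by realms that agree on the role set for a given user, or constrained URLs in one application will be reachable or blocked depending only on where the user happened to log in first.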