[jboss-jira] [JBoss JIRA] Commented: (JBAS-1824) JACC: <role-name>*</role-name> in web.xml

Roland R?z (JIRA) jira-events at jboss.com
Fri Nov 3 07:57:42 EST 2006 

    [ http://jira.jboss.com/jira/browse/JBAS-1824?page=comments#action_12346229 ] 
            
Roland R?z commented on JBAS-1824:
----------------------------------

Sadly, the new feature described in http://jira.jboss.com/jira/browse/JBAS-2926 is just about tomcat and not jacc. 

Providing such a feature prevents from ugly workarounds. For example writing a simple public web service (with an EJB3 stateless session bean) requires the developer to add for example the @RolesAllowed("friend") at the class level, else in the generated web deployment is not able to produce the jacc permissions. 

The proposed change at the JACC layer by using a WebResourcePermission("xyz", null) looks like a good solution. Until that is implemented JBoss could provide a feature similar as the following:

org.jboss.web.WebPermissionMapping#createPermissions():
...
     // Get the qualified url pattern
                  PatternInfo info = (PatternInfo) patternMap.get(url);
                  Iterator roles = wsmd.getRoles().iterator();
                  HashSet mappedRoles = new HashSet();
                  while( roles.hasNext() )
                  {
                     String role = (String) roles.next();
                     if( role.equals("*") )
                     {
                    	if (Boolean.valueOf(              
                              System.getProperty("jboss.tomcat.jacc.allow-all.role.for.star", "false")).booleanValue()) {
			// add the "ALLOW-ALL" which could be handled
                                // generically in jacc
                    		mappedRoles.add("ALLOW-ALL");
                    	}
                        // The wildcard ref maps to all declared security-role names
                        Iterator allRoles = metaData.getSecurityRoleNames().iterator();
                        while( allRoles.hasNext() )
                        {
                           role = (String) allRoles.next();
                           mappedRoles.add(role);
                        }
                     }
                     else
                     {
                        mappedRoles.add(role);
                     }
                  }
...

This feature would allow to handle the role * generically in the jacc provider. The developer just sets the jboss.tomcat.jacc.allow-all.role.for.star system property to true and uses then the role * as a role which any authenticated user has.


> JACC: <role-name>*</role-name> in web.xml
> -----------------------------------------
>
>                 Key: JBAS-1824
>                 URL: http://jira.jboss.com/jira/browse/JBAS-1824
>             Project: JBoss Application Server
>          Issue Type: Feature Request
>          Components: Security
>    Affects Versions: JBossAS-4.0.2 Final
>         Environment: -
>            Reporter: Roland R?z
>         Assigned To: Scott M Stark
>            Priority: Minor
>   Original Estimate: 1 hour
>  Remaining Estimate: 1 hour
>
> In some cases I wish to do authentication without authorisation. For example everybody has access to my web-resource, but I want to know who she/he is.
> Therefore the accessing user must login.
> So my web.xml contains the following snippet:
> ...
>  <security-constraint>
>   <web-resource-collection>
>    <web-resource-name>Protected Helloworld example</web-resource-name>
>    <description/>
>    <url-pattern>/servlet/HelloWorldExample</url-pattern>
>    <http-method>POST</http-method>
>    <http-method>GET</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>    <role-name>*</role-name>
>   </auth-constraint>
>  </security-constraint>
>  <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>public</realm-name>
> </login-config>
> ...
> The web app runs with this configuration in Tomcat 5.5.8 standalone but not in Jboss.
> To run it in Jboss I have to add the following element:
>  <security-role>
>   <role-name>aRole</role-name>
>  </security-role>
> The JACC spec (section 3.1.3.1, paragraph 3)states :
> " ?. When an auth-constraint names the reserved role-name, "*", all of the patterns in the containing security-constraint must be combined with all of the roles defined in the web application."
> JBoss implemented this by combining all of the patterns with all roles defined in the web.xml and assumes that each role has to be defined in the web.xml.
> But the web applications roles are probably defined in other files than the web.xml. In our case we use JACC with an external authentication provider. And each time, the roles changes, I also would have to modify the web.xml.
> It is desirable if the auth-contraint with the role-name "*" acceppts "all" roles and not only those that are defined in the web.xml.
> Or is this a JACC spec issue?
> Regards,
> Andrea

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list