[jboss-user] [Security & JAAS/JBoss] - Runas identity for a jsp/servlet does not work

illipilla do-not-reply at jboss.com
Tue May 29 00:01:22 EDT 2007


Hi

I have been troubleshooting an issue wherein I could not get the Runas principal to work for a jsp that is marked with the run-as tag.  It looks like http://jira.jboss.com/jira/browse/JBAS-1297 has fixed part of my issue, but it still does not work.
Below are my web.xml snippets (adding only required parts)


<servlet>
    <servlet-name>SecureJSP</servlet-name>
    <jsp-file>/secure/indexsecure.jsp</jsp-file>
    <run-as>
        <role-name>WebRunAsRole</role-name>
    </run-as>
</servlet>
.....................
<security-role>
    <role-name>WebRunAsRole</role-name>
</security-role>

Below are my jboss-web.xml snippets

<security-role>
    <role-name>WebRunAsRole</role-name>
    <principal-name>b2uset</principal-name>
</security-role>

<servlet>
    <servlet-name>SecureJSP</servlet-name>
    <run-as-principal>b2uset</run-as-principal>
</servlet>

After adding the above to my descriptors, with debugging on, I could see that when the application gets deployed it uses the role as well as the principal.  Below are my log entries.

2007-05-28 17:50:31,055 TRACE [org.jboss.web.tomcat.security.RunAsListener] SecureJSP, runAs: [roles=[WebRunAsRole],principal=b2uset]
2007-05-28 17:50:31,055 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=[roles=[WebRunAsRole],principal=b2uset]


Although everything looks good so far, I could not get this jsp running under the principal "b2uset" when the jsp is accessed.  My request.getUserPrincipal, Request.getRemoteUser, SecurityAssociation.getSubject all seem to be showing either null or any existing context of an already authenticated user, but not the principal of the run-as user "b2uset".  With EJB things may be working but I have not tried.  I am currently trying with jsp.

Any thoughts?


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4049173#4049173
