RBAC check fails Security Constraint Not Enforced

I configured a simple WAR to only allow a specific role to be able to execute my Helloworld url. Now it appears that any valid user defined on the appserver can access the url. Shouldn't it be limited to the specific role I defined using the deploytool? It almost appears as if the security constraint is not being enforced. All of the users in the file realm are allowed to access it, instead of the role that's specified in the security constraints.

I'm using Sun Java System Application Server Enterprise Edition 8.2 (build b25-fcs)

web.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.4" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>Helloworld</display-name>
  <servlet>
    <display-name>HelloworldImpl</display-name>
    <servlet-name>HelloworldImpl</servlet-name>
    <servlet-class>com.boeing.mcc.trade.HelloworldImpl</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloworldImpl</servlet-name>
    <url-pattern>/Helloworld</url-pattern>
  </servlet-mapping>
  <jsp-config/>
  <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/Helloworld/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>OPERATOR</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
  </login-config>
  <security-role>
    <role-name>ADMIN</role-name>
  </security-role>
  <security-role>
    <role-name>ANALYST</role-name>
  </security-role>
  <security-role>
    <role-name>OPERATOR</role-name>
  </security-role>
</web-app>


By weinharda at 2007-11-27 8:34:36
# 1

Can you please let me know how you have "mapped" those roles onto actual users (principals) or groups that you defined? In other words, do you have an accompanying sun-web.xml?

It might be the case that this configuration actually interferes with the "file" name for the default realm. (e.g. just search for "file" in your domain.xml).

The correct way is to define a realm using "asadmin create-auth-realm" command and then using that realm (e.g. named as "myrealm") to add the users to it.

Let me know if you need to know more ...

Regards,

Kedar Mhaswade

kedar.mhaswadea at 2007-7-12 20:30:54
# 2

Note: I used the deploytool to create/package the WAR.

sun-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.1 Servlet 2.4//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-1.dtd">
<sun-web-app>
  <context-root>/hello</context-root>
  <security-role-mapping>
    <role-name>OPERATOR</role-name>
    <principal-name>user1</principal-name>
    <principal-name>user2</principal-name>
    <principal-name>user3</principal-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>ANALYST</role-name>
    <principal-name>user4</principal-name>
    <principal-name>user2</principal-name>
    <principal-name>user3</principal-name>
    <principal-name>user5</principal-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>ADMIN</role-name>
    <principal-name>user6</principal-name>
  </security-role-mapping>
  <servlet>
    <servlet-name>HelloworldImpl</servlet-name>
    <webservice-endpoint>
      <port-component-name>HelloworldIF</port-component-name>
      <endpoint-address-uri>Helloworld</endpoint-address-uri>
    </webservice-endpoint>
  </servlet>
  <session-config>
    <session-manager persistence-type="memory">
      <manager-properties/>
      <store-properties/>
    </session-manager>
    <session-properties/>
    <cookie-properties/>
  </session-config>
  <cache enabled="true" max-entries="4096" timeout-in-seconds="30">
    <default-helper/>
  </cache>
  <class-loader delegate="true"/>
  <jsp-config/>
  <parameter-encoding default-charset="UTF8"/>
</sun-web-app>

weinharda at 2007-7-12 20:30:54
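An added example, not code from the thread or from Sun Application Server: it reads the security-constraint from a web.xml and the security-role-mapping from a sun-web.xml (both constructed samples abridged from the descriptors posted above) and evaluates, for one principal, method and path, what the container should decide. It shows why an unmapped role admits nobody (the point of Kedar's question) and that listing http-methods explicitly leaves unlisted methods unconstrained; overlapping constraints are not combined as the Servlet spec requires, the first covering constraint wins.

```python
# Added example, not from the thread: model a web.xml security-constraint
# plus the sun-web.xml role-to-principal mapping for a single request.
# Both descriptors are constructed samples abridged from the ones posted above.
import xml.etree.ElementTree as ET

NS = {"j2ee": "http://java.sun.com/xml/ns/j2ee"}
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee"><security-constraint>
 <web-resource-collection><url-pattern>/Helloworld/*</url-pattern>
  <http-method>POST</http-method><http-method>GET</http-method></web-resource-collection>
 <auth-constraint><role-name>OPERATOR</role-name></auth-constraint>
</security-constraint></web-app>"""
SUN_WEB_XML = """<sun-web-app>
 <security-role-mapping><role-name>OPERATOR</role-name>
  <principal-name>user1</principal-name><principal-name>user2</principal-name></security-role-mapping>
 <security-role-mapping><role-name>ANALYST</role-name>
  <principal-name>user4</principal-name></security-role-mapping></sun-web-app>"""

def pattern_matches(pattern, path):
    """Servlet-spec path mapping: '/x/*' covers '/x' itself and everything below it."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def load_constraints(web_xml):
    """Return (url-patterns, http-methods, roles) per constraint; roles is None if open."""
    out = []
    for sc in ET.fromstring(web_xml).findall("j2ee:security-constraint", NS):
        wrc = sc.find("j2ee:web-resource-collection", NS)
        patterns = [p.text for p in wrc.findall("j2ee:url-pattern", NS)]
        # An empty method set means every method; a listed set leaves the rest open.
        methods = {m.text for m in wrc.findall("j2ee:http-method", NS)}
        auth = sc.find("j2ee:auth-constraint", NS)
        roles = None if auth is None else {r.text for r in auth.findall("j2ee:role-name", NS)}
        out.append((patterns, methods, roles))
    return out

def load_role_mapping(sun_web_xml):
    """Map each role-name to the set of principal-names sun-web.xml assigns it."""
    return {m.findtext("role-name"): {p.text for p in m.findall("principal-name")}
            for m in ET.fromstring(sun_web_xml).findall("security-role-mapping")}

def access_allowed(principal, method, path, constraints, mapping):
    """True if no constraint covers the request or the principal holds a named role.
    A role in auth-constraint with no mapping entry yields an empty set: nobody gets in."""
    for patterns, methods, roles in constraints:
        if any(pattern_matches(p, path) for p in patterns) and (not methods or method in methods):
            return roles is None or any(principal in mapping.get(r, set()) for r in roles)
    return True  # unconstrained resource
```

Run it against your own descriptors with the principal that should be refused; if it says denied but the server lets the user in, the server's effective role mapping is not the one in sun-web.xml.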
# 3

For completeness...

webservices.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<webservices xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.1" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://www.ibm.com/webservices/xsd/j2ee_web_services_1_1.xsd">
  <webservice-description>
    <display-name>HelloworldIF</display-name>
    <webservice-description-name>HelloworldIF</webservice-description-name>
    <wsdl-file>WEB-INF/wsdl/HelloworldIF.wsdl</wsdl-file>
    <jaxrpc-mapping-file>HelloworldIFMapping.xml</jaxrpc-mapping-file>
    <port-component>
      <display-name>HelloworldIF</display-name>
      <port-component-name>HelloworldIF</port-component-name>
      <wsdl-port xmlns:wsdl-port_ns__="urn:HelloworldIF">wsdl-port_ns__:HelloworldIFPort</wsdl-port>
      <service-endpoint-interface>com.boeing.mcc.trade.HelloworldIF</service-endpoint-interface>
      <service-impl-bean>
        <servlet-link>HelloworldImpl</servlet-link>
      </service-impl-bean>
    </port-component>
  </webservice-description>
</webservices>

weinharda at 2007-7-12 20:30:54