Replies: 8 | Last Post: Nov 21, 2007 6:29 PM by priyasubu
Default principal to role mapping problem...
Posted: Nov 4, 2007 9:45 AM
Hi,
I am using a custom JDBC realm because the one provided with glassfish is not flexible enough (it assumes natural keys for instance). It is an almost exact copy of the JDBCRealm from glassfish but is configured with JDBC queries instead of with table and column names. The idea is similar to the jdbc realm in JBoss and allows basically any database schema to be used.
The realm is configured appropriately. The realm is tied to a login module through the login.conf and the realm itself is configured with queries and a datasource (a MySQL database). In my web app I am using basic declarative security and am allowing any role (so basically any authenticated user) to access anything. In the debug output I see that the user is successfully authenticated and that the groups for the user are successfully determined. Also I am calling commitUserAuthentication() to tell glassfish what the group names are. In Glassfish I have set up a default principal to role mapping so I am expecting every group to correspond to a role of the same name.
Nevertheless, after logging in I can use standard servlet API calls (getUserPrincipal() and isUserInRole()) to examine the logged in user. What I am seeing now is that the user is known but that no roles have been set. So apparently the default role mapping is not working. I could debug this problem better if I would know the Subject but how do I obtain this in my application? I am now using the standard JAAS method for accessing the subject
Subject.getSubject(AccessController.getContext());
but this gives null.
Any ideas on what could be wrong?
Cheers Erik
Re: Default principal to role mapping problem...
Posted: Nov 5, 2007 2:03 AM in response to: erikengerd
Hi,
Let me see if I can reproduce the problem locally.
Meantime, if you wish to debug in GF then try and put some breakpoints in:
com.sun.enterprise.security.acl.RoleMapper
I will check with our QE on whether we have testcase covering Custom Realm with default-P2R.
Thanks.
Re: Default principal to role mapping problem...
Posted: Nov 5, 2007 9:57 AM in response to: erikengerd
Hi,
In case you are interested, I have attached the source files to this message. It is basically an adapted version of the JDBCRealm in glassfish with two changes:
* group caching; The current version does not cache groups at all. The glassfish version cached indefinitely which made it unusable for scenarios where the groups of a user change at runtime (realistic scenario)
* query configuration (one for the password, and one for the groups of a user) instead of configuring table and column names (less flexible).
Cheers Erik
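As an added illustration of the two changes described in this post (it is not Erik's attached source and not GlassFish's JDBCRealm), the class below implements just the group-lookup half of a query-configured realm: the groups query is supplied as a string with a single `?` placeholder bound to the username, and results are cached per user for a configurable time-to-live instead of indefinitely. The class names, the constructor arguments and the hypothetical property names mentioned in the comments (`groups-query`, `group-cache-ttl-seconds`) are assumptions; a realm's `getGroupNames()` would call `lookupGroups()` after the password has been verified.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.sql.DataSource;

/**
 * Added example (not the realm attached to this thread, not GlassFish code).
 * Group lookup for a query-configured JDBC realm with a time-bounded cache.
 */
public class QueryConfiguredGroupLookup {

    /** One user's group list together with the time it was loaded. */
    private static final class CacheEntry {
        final List<String> groups;
        final long loadedAtMillis;

        CacheEntry(List<String> groups, long loadedAtMillis) {
            this.groups = groups;
            this.loadedAtMillis = loadedAtMillis;
        }
    }

    private final DataSource dataSource;
    // Assumed realm property "groups-query": e.g.
    // SELECT g.name FROM user_groups ug JOIN groups g ON g.id = ug.group_id WHERE ug.username = ?
    private final String groupsQuery;
    // Assumed realm property "group-cache-ttl-seconds", converted to millis.
    private final long ttlMillis;
    private final Map<String, CacheEntry> cache = new ConcurrentHashMap<String, CacheEntry>();

    public QueryConfiguredGroupLookup(DataSource dataSource, String groupsQuery, long ttlSeconds) {
        if (!groupsQuery.contains("?")) {
            throw new IllegalArgumentException("groups query must bind the username with a '?' placeholder");
        }
        this.dataSource = dataSource;
        this.groupsQuery = groupsQuery;
        this.ttlMillis = ttlSeconds * 1000L;
    }

    /** Returns the user's groups, re-reading the database once the cached entry is older than the TTL. */
    public List<String> lookupGroups(String username) throws SQLException {
        long now = System.currentTimeMillis();
        CacheEntry hit = cache.get(username);
        if (hit != null && now - hit.loadedAtMillis < ttlMillis) {
            return hit.groups;
        }
        List<String> groups = queryGroups(username);
        cache.put(username, new CacheEntry(groups, now));
        return groups;
    }

    /** Drops a user's cached groups, e.g. right after an administrator changes membership. */
    public void invalidate(String username) {
        cache.remove(username);
    }

    private List<String> queryGroups(String username) throws SQLException {
        List<String> groups = new ArrayList<String>();
        Connection conn = dataSource.getConnection();
        try {
            PreparedStatement ps = conn.prepareStatement(groupsQuery);
            try {
                // The username is a bound parameter, never concatenated into the SQL text.
                ps.setString(1, username);
                ResultSet rs = ps.executeQuery();
                try {
                    while (rs.next()) {
                        groups.add(rs.getString(1));
                    }
                } finally {
                    rs.close();
                }
            } finally {
                ps.close();
            }
        } finally {
            conn.close();
        }
        return Collections.unmodifiableList(groups);
    }
}
```

Because the query text comes from the realm configuration while only the username is bound at runtime, the realm accepts any schema without exposing the login name to SQL injection; the TTL bounds how long a revoked group membership stays effective, and `invalidate()` lets an application shorten that window further.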
Re: Default principal to role mapping problem...
Posted: Nov 16, 2007 6:08 AM in response to: erikengerd
Nice work on the flexible jdbc realm. I tried this, and it seems to be working, or I might not have understood the problem. I get the following results from a jsp after authentication.
    request.isUserInRole("manager")  ===> role assigned by the custom realm (i.e. group)
    request.getUserPrincipal()       ===> my username
For example, if my database has
    username | password | group
    ---------+----------+--------
    bob      | ****     | manager
and if I login as bob, I get to access a page which is constrained to be accessed by the role 'manager'.
Can you please let me know what the problem is?
Re: Default principal to role mapping problem...
Posted: Nov 16, 2007 11:18 AM in response to: raharsha
Hi,
I am accessing the user principal and checking the roles in a servlet filter as follows:
    System.out.println("User is '" + httpRequest.getUserPrincipal() + "'");
    for (String group : new String[] { "group1", "group2", "group3" }) {
        System.out.println("  User is in group " + group + ": " + httpRequest.isUserInRole(group));
    }
In this case I see that the user is ok but it does not belong to any of the groups (the user actually belongs to all three).
Now, when I modify the security constraint in my web.xml
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AllowEveryone</web-resource-name>
            <url-pattern>/app/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
and change role-name to 'group1' I see that the user is allowed to view pages guarded by the constraint. When I change the role-name to 'unknowngroup' I see the user is not allowed to view these pages. Also, using role-name '*' (the original) also does not allow access to the page which, I think, is incorrect.
In other words, it appears as though security is setup properly but isUserInRole() apparently does not work properly in the servlet filter. Also it looks like there is a problem with the interpretation of the role-name '*' in the web.xml.
Do you have the same problem?
Cheers Erik
PS. Apart from this I want to access the authenticated JAAS subject because I need that. Is there a way to access that in glassfish?
corrected typos.
Message was edited by: erikengerd
Re: Default principal to role mapping problem...
Posted: Nov 16, 2007 11:59 AM in response to: erikengerd
Some more info. I managed to access the JAAS Subject using SecurityContext.getCurrent().getSubject() and printing it clearly shows the correct groups:
filter got subject 'Subject: Principal: user1 Principal: group1 Principal: group2 Principal: group3 Private Credential: Realm=MyRealm Username=user1 Password=######## TargetName = [B@139a367 '|#]
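The two posts above (the filter that probes `isUserInRole()` for each group, and the `SecurityContext.getCurrent().getSubject()` call that exposes the JAAS Subject) can be combined into one diagnostic. The filter below is an added example, not code from the thread: for an authenticated request it lists the names of all principals in the Subject (the user plus the group principals the realm committed) and logs a mismatch whenever `isUserInRole()` disagrees with the Subject's contents for one of the probed names. The filter class name and its `roles` init-param are assumptions; `com.sun.enterprise.security.SecurityContext` is the GlassFish-internal class the post above uses, so it is not portable to other containers.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import com.sun.enterprise.security.SecurityContext;

/**
 * Added example (not from the thread). Logs a line whenever the container's
 * isUserInRole() answer differs from the principals actually carried by the
 * JAAS Subject, which narrows a role-mapping problem down to the container
 * side (mapping, descriptor) or the realm side (groups never committed).
 */
public class RoleMappingDiagnosticFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(RoleMappingDiagnosticFilter.class.getName());

    // Assumed init-param "roles": comma-separated names to probe, e.g. "group1,group2,group3".
    private String[] rolesToProbe = new String[0];

    public void init(FilterConfig config) throws ServletException {
        String roles = config.getInitParameter("roles");
        if (roles != null && roles.trim().length() > 0) {
            rolesToProbe = roles.trim().split("\\s*,\\s*");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) req;
            Principal user = httpRequest.getUserPrincipal();
            if (user != null) {
                // GlassFish-specific: the Subject the realm populated for this thread.
                Subject subject = SecurityContext.getCurrent().getSubject();
                List<String> subjectNames = principalNames(subject);
                for (String role : rolesToProbe) {
                    boolean inRole = httpRequest.isUserInRole(role);
                    boolean inSubject = subjectNames.contains(role);
                    if (inRole != inSubject) {
                        LOG.warning("Role mapping mismatch for '" + user.getName() + "': isUserInRole("
                                + role + ")=" + inRole + ", Subject principals=" + subjectNames);
                    }
                }
            }
        }
        chain.doFilter(req, res);
    }

    /** Names of every principal in the Subject: the user name plus the committed group names. */
    static List<String> principalNames(Subject subject) {
        List<String> names = new ArrayList<String>();
        if (subject == null) {
            return names;
        }
        for (Principal p : subject.getPrincipals()) {
            names.add(p.getName());
        }
        return names;
    }

    public void destroy() {
        // nothing to release
    }
}
```

If the Subject lists the group but `isUserInRole()` returns false, the realm did its job and the problem lies in the mapping or in the deployment descriptor. One descriptor detail worth checking in that case: per the Servlet specification, the special role name `*` in an `<auth-constraint>` stands for all roles declared with `<security-role>` elements in web.xml, so a web.xml that declares no `<security-role>` entries gives `*` nothing to match.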
Re: Default principal to role mapping problem...
Posted: Nov 16, 2007 12:13 PM in response to: erikengerd
I don't think this is something that is limited to the custom JDBC resource. I say that because I am experiencing the same thing using the built in JDBC resource. My configuration works fine on my dev glassfish setup, but it doesn't work in my clustered production glassfish setup. I have the JDBC realm declared identically in both, as well as security-role-mappings in sun-web.xml like this:
    <security-role-mapping>
        <role-name>admin</role-name>
        <group-name>admin</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>member</role-name>
        <group-name>member</group-name>
    </security-role-mapping>
Without the security-role-mappings, I found that roles will not be assigned correctly in glassfish. My problem is that even with the security-role-mappings, roles are not being assigned in my glassfish cluster.
I didn't see any mention in your posts that you had security-role-mappings, so I'd try that. If you already have, then we're experiencing the same problem with slightly different setups.
Re: Default principal to role mapping problem...
Posted: Nov 16, 2007 1:05 PM in response to: rwillie6
Hi,
I am not using explicit role mappings and am relying on the default role to group mapping (which is rolename == groupname).
I am also not running in a cluster. What I am experiencing is weird behavior of request.isUserInRole() in a servlet filter and apparently the wrong treatment of <role-name>*</role-name>.
In any case I have found a workaround for now. I simply use the assign-groups property of the realm to add every user to an ALL group and modify the security constraint to <role-name>ALL</role-name>. That at least does the trick and my app is working now.
Perhaps the issues are related underneath, but at least something fishy is going on here. I hope someone can find the cause of the problem.
Cheers Erik
Re: Default principal to role mapping problem...
Posted: Nov 21, 2007 6:29 PM in response to: rwillie6
I seem to be having the exact same problem: glassfish is not authenticating users in a cluster... It works fine on a single machine but not in a cluster.