Need web.xml JNDIRealm Guru explanation
I have ben playing with the TOMCAT configuration and I would like an
explantion of what I see... 1) I have a group/role in my LDAP, I belong to it, I can authenticate no problem 2) in my web.xml, I define my group/role as a role <security>. 3) if I put my group/role under the '/*' constraints, I can access /web but not /admin -> so far so good 4) if I put my group/role under the '/admin/cmd/*' constraints, I can now access jazz/admin and all sub pages -> Q1: why is the URL protected /admin/cmd/* and yet I can access /admin/* ? why ? :) -> Q2: Should the authorization (isUserInRole()) prevent me from accessing this URL, even looking at the data of this URL? The reason I ask is that, as you may have noticed, I did not specify a security-role-ref/security-link.. so basically, my role/group is not mapped to JazzAdmin... Where am I wrong ? :) Is teh behavior as designed (and I missed the designed) or are we allowing too much (a role under admin/cmd can see all admin data, but yet , when this person tries to do something, no action can be done) PS: this is possibly linked to the flow of 'I am unable to save some properties and I get no error in the log' :) -- Christophe Elek Serviceability Architect IBM Software Group - Rational |
One answer
Q1. why is the URL protected /admin/cmd/* and yet I can
access /admin/* ? why ? :) A1. The /admin URL is the pointer to the UI code that loads the Admin UI. The /admin/cmd/* URL space contains the server-side support to execute Admin functions. We leave the /admin space unsecured because there is no sensitive data that flows from that URL. The /admin/cmd URLs are secure because accessing those URLs allows real data to be read or modified. Q2. (Shortened) What is the relationship between isUserInRole() and the web.xml settings. A2. The rules for web.xml under Tomcat are a little confusing. As you saw in your exploration, you can add your own role to URL constraints to enable access to a URL pattern. When you do that, the web server will ensure that the current users has access to the URL before the server code is ever executed. The security-role-ref elements are used to define the behavior of isUserInRole(). isUserInRole() is used by the server side code (after the application server has allowed the current users to access the URL). The server side code might allow all roles to a specific API, but only allow some features as JazzAdmins. If you want your new role to be treated as JazzAdmins in the isUserInRole() check, then you need to add your role in a security-role-ref element. It is definitely linked to the 'I am unable to save some properties and I get no error in the log'. In that case, the URL that controls saving config properties is under the URL /service/*, and that URL requires any role, but the code that executes requires that isUserInRole('JazzAdmins') to be true before the save can really continue. Under Tomcat, you need to make sure to add your LDAP roles to both the URL pattern sections and the security-role-ref elements. - Matt Lavin Jazz Server Team On Thu, 2009-04-02 at 23:12 +0000, Christophe Elek wrote: I have ben playing with the TOMCAT configuration and I would like an |
Your answer
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.