Q1. why is the URL protected /admin/cmd/* and yet I can
access /admin/* ? why ? :)

A1. The /admin URL is the pointer to the UI code that loads the Admin
UI. The /admin/cmd/* URL space contains the server-side support to
execute Admin functions. We leave the /admin space unsecured because
there is no sensitive data that flows from that URL. The /admin/cmd
URLs are secure because accessing those URLs allows real data to be read
or modified.

Q2. (Shortened) What is the relationship between isUserInRole() and the
web.xml settings.

A2. The rules for web.xml under Tomcat are a little confusing. As you
saw in your exploration, you can add your own role to URL constraints to
enable access to a URL pattern. When you do that, the web server will
ensure that the current users has access to the URL before the server
code is ever executed.

The security-role-ref elements are used to define the behavior of
isUserInRole(). isUserInRole() is used by the server side code (after
the application server has allowed the current users to access the URL).
The server side code might allow all roles to a specific API, but only
allow some features as JazzAdmins.

If you want your new role to be treated as JazzAdmins in the
isUserInRole() check, then you need to add your role in a
security-role-ref element.

It is definitely linked to the 'I am unable to save some properties and
I get no error in the log'. In that case, the URL that controls saving
config properties is under the URL /service/*, and that URL requires any
role, but the code that executes requires that
isUserInRole('JazzAdmins') to be true before the save can really
continue.

Under Tomcat, you need to make sure to add your LDAP roles to both the
URL pattern sections and the security-role-ref elements.


-
Matt Lavin
Jazz Server Team


On Thu, 2009-04-02 at 23:12 +0000, Christophe Elek wrote:

I have ben playing with the TOMCAT configuration and I would like an
explantion of what I see...


1) I have a group/role in my LDAP, I belong to it, I can authenticate no
problem
2) in my web.xml, I define my group/role as a role <security>.
3) if I put my group/role under the '/*' constraints, I can access /web but
not /admin -> so far so good
4) if I put my group/role under the '/admin/cmd/*' constraints, I can now
access jazz/admin and all sub pages

-> Q1: why is the URL protected /admin/cmd/* and yet I can access /admin/*
? why ? :)

-> Q2: Should the authorization (isUserInRole()) prevent me from accessing
this URL, even looking at the data of this URL?
The reason I ask is that, as you may have noticed, I did not specify a
security-role-ref/security-link.. so basically, my role/group is not mapped
to JazzAdmin...

Where am I wrong ? :)
Is teh behavior as designed (and I missed the designed) or are we allowing
too much (a role under admin/cmd can see all admin data, but yet , when
this person tries to do something, no action can be done)

PS: this is possibly linked to the flow of 'I am unable to save some
properties and I get no error in the log' :)