Jetspeed 2 / JS2-526

JBoss web.xml entry for security-constraint login/redirector won't work under Tomcat

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.1-dev
    • Fix Version/s: 2.1-dev, 2.1
    • Component/s: Security
    • Labels: None
    • Environment:
      Windows XP SP2, Tomcat 5.5.16, JBoss 4.0.4-CR2, Jetspeed-2.1-dev (sources)

      Description

      I've built my own portal from the 2.1-dev sources.
      The installed portal works on Tomcat 5.5.16, but not on JBoss 4.0.4.
      Under JBoss I am receiving an HTTP 403 error after the log-in submit.
      (Seems like the same problem as in issue JS2-496: http://issues.apache.org/jira/browse/JS2-496)

      If I manually add the following role-name to the portal's web.xml, it works fine on both Tomcat and JBoss servers:
      <role-name>*</role-name>

      Here is the new full constraint entry:
      ...
      <!-- Protect LogInRedirectory.jsp. This will require a login when called -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Login</web-resource-name>
          <url-pattern>/login/redirector</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <!-- the required portal user role name defined in: -->
          <!-- /WEB-INF/assembly/security-atn.xml -->
          <role-name>portal-user</role-name>
          <role-name>*</role-name>
        </auth-constraint>
      </security-constraint>
      ...

      Is this quite correct or do I have a security problem now?
      Or is there a bug in JBoss?

      Attachments: security.patch.txt (2 kB, Sylvain RIBEYRON)

        Activity

        Ate Douma made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Ate Douma made changes -
        Fix Version/s 2.1 [ 12310617 ]
        Ate Douma added a comment -

        Closed again now properly recorded against Fix Version 2.1 as well

        David Sean Taylor made changes -
        Resolution Fixed [ 1 ]
        Status Open [ 1 ] Resolved [ 5 ]
        Fix Version/s 2.1-dev [ 12310686 ]
        David Sean Taylor added a comment -

        patch applied.

        David Sean Taylor made changes -
        Assignee David Sean Taylor [ taylor ]
        Sylvain RIBEYRON made changes -
        Field Original Value New Value
        Attachment security.patch.txt [ 12342669 ]
        Sylvain RIBEYRON added a comment -

        Here is the patch that resolves the problem. It works for me.

        Patch changes two files:

        • DefaultLoginModule.java -> set portalUserRole scope as protected instead of private, so that subclasses can access this attribute,
        • JBossLoginModule -> add portalUserRole to the list of roles for JBoss.

        I hope this will help.

        Sylvain RIBEYRON added a comment -

        Hi all.

        I have the same issue.

        I think the problem is in JBossLoginModule (the JAAS plugin for JBoss). If you look at its source, you will see it has not changed since version 2.0, whereas DefaultLoginModule has changed.

        In fact, in 2.1, it's up to the LoginModule to add portal-user role membership to the user's principals. It is done in DefaultLoginModule, but not in JBossLoginModule.

        Try replacing the JBossLoginModule commitPrincipals method with the following:

        protected void commitPrincipals(Subject subject, User user)
        {
            // add UserPrincipal to subject
            subject.getPrincipals().add(getUserPrincipal(user));
            // JBoss reads the caller's roles from the group principal named "Roles"
            JBossGroup roles = new JBossGroup("Roles", getUserRoles(user));
            // grant the portal-user role to every authenticated user
            roles.addMember(new RolePrincipalImpl(portalUserRole));
            subject.getPrincipals().add(roles);
        }

        This adds portal-user role membership to all authenticated users, and this should resolve our problem.

        Bruno Marti created issue -

          People

          • Assignee: David Sean Taylor
          • Reporter: Bruno Marti
          • Votes: 0
          • Watchers: 1
