stackoom
  简体   繁体   中英

how to avoid adding principal in glassfish-web.xml file?

 原文  2012-11-30 20:16:47       security/ java-ee/ web-applications/ glassfish/ jaas

Question

I have a small web application that use jdbcRealm for authentification/authorisation. The authorisation works only if I put the user name in the glassfish-web.xml 

<glassfish-web-app error-url="">
    <class-loader delegate="true"/>
    <jsp-config>
        <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class' java code.</description>
        </property>
    </jsp-config>
    <security-role-mapping>
        <role-name>connexion</role-name>
        <principal-name>test</principal-name>
        <group-name>connexion</group-name>
    </security-role-mapping>
</glassfish-web-app>

web.xml 

<!--other stuff-->
     <security-constraint>
            <web-resource-collection>
                <web-resource-name>secure</web-resource-name>
                <url-pattern>/Downloader</url-pattern>
                <url-pattern>/start.html</url-pattern>  
            </web-resource-collection>
            <auth-constraint>
                <role-name>connexion</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
        <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>my_realm</realm-name>
            <form-login-config>
                <form-login-page>/login.html</form-login-page>
                <form-error-page>/error.html</form-error-page>
            </form-login-config>
        </login-config>

        <security-role>

            <role-name>connexion</role-name>
        </security-role>
<!--other stuff-->

If I remove the principal from the glassfish-web I get a 403 error acces denied . Is there any solution to avoid adding principals in xml file ? Thanks.

1 answers

solution1
 0 ACCPTED  2012-12-01 12:11:11

Yes, there is. In your security realm (from the content of web.xml, that is my_realm ) associate the username you are logging in with the appropriate group - in your case that is connexion . In other words, every user that belongs to the group connexion will have the access to the protected resource and therefore you don't have to enumerate the principals - that's the purpose of groups.

Reference & further reading: Java EE 6 tutorial

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to avoid adding principal in glassfish-web.xml file when using auth-method=CLIENT-CERT? How to use a Custom Principal in a custom security realm (Glassfish)? Configure keystore for soap web service in Glassfish - How to? Glassfish web service authorization How to avoid principal propagation from worker-thread to GUI-thread How to configure glassfish 3.1 security file realm using Netbeans 7.1? How to avoid parameter tampering and interception in a web application? How to avoid code injection in web url How to allow that permission in Glassfish How to Avoid Storing Web.Config Connection String Passwords in TFS
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM