views:

568

answers:

2

Hi,

I'm currently trying out the JDBCRealm in Glasshfish v3: I have 2 roles USER and ADMIN.

I have a LoginServlet that redirects to a url (say /admin or /user) based on the request.isUserInRole("ADMIN") method.

Problem is when a ADMIN is logged in it returns true, so gets redirected to /admin but he can also access the /user. When a USER is logged in request.isUserInRole("ADMIN") returns true also. request.isUserInRole("NONEXISTINGROLE") returns false for both.

Eg:

request.isUserInRole("ADMIN") +" "+ request.isUserInRole("USER")+" "+ request.isUserInRole("NONEXISTINGROLE")

for loggedin USER: returns true true false

for loggedin ADMIN returns true true false

This is a part of my web.xml:

<security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
        <web-resource-name>adminProtected</web-resource-name>
        <description>Administrator restricted area</description>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMIN</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>Constraint2</display-name>
    <web-resource-collection>
        <web-resource-name>userProtected</web-resource-name>
        <description>User restricted area</description>
        <url-pattern>/user/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USER</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>Constraint3</display-name>
    <web-resource-collection>
        <web-resource-name>LoginServlet</web-resource-name>
        <description>All restricted area</description>
        <url-pattern>/LoginServlet</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USER</role-name>
        <role-name>ADMIN</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>securityJDBC</realm-name>
    <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/login.jsf</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <description></description>

    <role-name>USER</role-name>
</security-role>
<security-role>
    <description></description>
    <role-name>ADMIN</role-name>
</security-role>
<servlet>
    <description></description>
    <display-name>LoginServlet</display-name>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>controllers.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
</servlet-mapping>

And my sun-web.xml:

    <security-role-mapping>
    <role-name>USER</role-name>
    <group-name>USER</group-name>
</security-role-mapping>
<security-role-mapping>
    <role-name>ADMIN</role-name>
    <group-name>ADMIN</group-name>
</security-role-mapping>

Thank you!

A: 

Your security mappings look fine at first glance. How about your user mappings? It look like that the same username is mapped on both the user and admin roles.

BalusC
I have 2 tables:SecurityGroup:id;groupId;userid;1;ADMIN;12;USER;2securityUser;id;password;userid;employer1;21232f297a57a5a743894a0e4a801fc3;a;12;ee11cbb19052e40b07aac0ca060c23ee;u;2
Michael Bavin
Glassfish Realm properties:Jaas Context: jdbcRealmUser table: securityuserUser name column: useridPassword Column: passwordGroup Table: securitygroupGroup Name Column: groupId
Michael Bavin
I found something: If i set the Realm setting "Assign Groups" to USER,ADMIN I get the original problem. If u set it to empty I can login but have access denied on all security constraints...
Michael Bavin
+1  A: 

Fixed it by making sure the Realm setting "Assign Groups" is empty. Glassfish will load them from the Group Table.

Michael Bavin