...
web.xml includes the standard security constraints relating user roles to resources in the web application.
Code Block | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
<?xml version="1.0" encoding="UTF-8"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4"> <welcome-file-list> <welcome-file>index.html</welcome-file> </welcome-file-list> <security-constraint> <web-resource-collection> <web-resource-name>employee</web-resource-name> <url-pattern>/employee/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>employee</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>manager</web-resource-name> <url-pattern>/manager/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>manager</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>TimeReportRealm</realm-name> <form-login-config> <form-login-page>/login/login.jsp</form-login-page> <form-error-page>/login/login_error.jsp</form-error-page> </form-login-config> </login-config> <security-role> <role-name>employee</role-name> </security-role> <security-role> <role-name>manager</role-name> </security-role> <servlet> <display-name>AddTimeRecordServlet</display-name> <servlet-name>AddTimeRecordServlet</servlet-name> <servlet-class>org.apache.geronimo.samples.timereport.web.AddTimeRecordServlet</servlet-class> </servlet> <servlet> <display-name>AddEmployeeServlet</display-name> <servlet-name>AddEmployeeServlet</servlet-name> <servlet-class>org.apache.geronimo.samples.timereport.web.AddEmployeeServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>AddTimeRecordServlet</servlet-name> <url-pattern>/employee/add_timerecord</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>AddEmployeeServlet</servlet-name> <url-pattern>/manager/add_employee</url-pattern> </servlet-mapping> </web-app> |
The Geronimo deployment plan ( plan.xml found after building the project at timereport/timereport-tomcat/target/resources/META-INF/plan.xml) includes the Geronimo specific security configuration including the security realm configuration and the principal-role mapping relating the principals from the security realm to the application roles defined above in web.xml This project uses two roles, manager and employee. There is a business rule that every manager is an employee. This is enforced through the principal-role mapping: both the EmployeeGroup and ManagerGroup imply the app specific employee role.
Code Block | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
<?xml version="1.0" encoding="UTF-8"?> <!--Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.--> <!--$Rev: 497879 $ $Date: 2007-01-19 12:11:01 -0500 (Fri, 19 Jan 2007) $--> <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"> <dep:environment xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"> <dep:moduleId> <dep:groupId>org.apache.geronimo.samples.javaee5</dep:groupId> <dep:artifactId>timereport-tomcat</dep:artifactId> <dep:version>3.0-beta-1</dep:version> <dep:type>car</dep:type> </dep:moduleId> <dep:dependencies> <dep:dependency> <dep:groupId>org.apache.geronimo.samples</dep:groupId> <dep:artifactId>sample-datasource</dep:artifactId> <dep:version>3.0-beta-1</dep:version> <dep:type>car</dep:type> </dep:dependency> <dep:dependency> <dep:groupId>org.apache.geronimo.configs</dep:groupId> <dep:artifactId>jasper</dep:artifactId> <dep:version>3.0-beta-1</dep:version> <dep:type>car</dep:type> </dep:dependency> <dep:dependency> <dep:groupId>org.apache.geronimo.configs</dep:groupId> <dep:artifactId>tomcat7</dep:artifactId> <dep:version>3.0-beta-1</dep:version> <dep:type>car</dep:type> </dep:dependency> </dep:dependencies> <dep:hidden-classes/> <dep:non-overridable-classes/> <dep:private-classes/> </dep:environment> <context-root>timereport-tomcat</context-root> <security-realm-name>TimeReportRealm</security-realm-name> <security> <default-principal realm-name="TimeReportRealm"> <principal name="anonymous" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/> </default-principal> <role-mappings> <role role-name="employee"> <realm realm-name="TimeReportRealm"> <principal name="EmployeeGroup" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/> </realm> <realm realm-name="TimeReportRealm"> <principal name="ManagerGroup" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/> </realm> </role> <role role-name="manager"> <realm realm-name="TimeReportRealm"> <principal name="ManagerGroup" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/> </realm> </role> </role-mappings> </security> <gbean name="DBInitialization" class="org.apache.geronimo.connector.wrapper.DatabaseInitializationGBean"> <!--<attribute name="testSQL">select * from users</attribute>--> <attribute name="path">TimeReportDB.sql</attribute> <reference name="DataSource"> <name>SampleTxDatasource</name> </reference> </gbean> <gbean name="TimeReportRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"> <attribute name="realmName">TimeReportRealm</attribute> <reference name="ServerInfo"> <name>ServerInfo</name> </reference> <xml-reference name="LoginModuleConfiguration"> <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.1"> <log:login-module control-flag="REQUIRED" wrap-principals="false"> <log:login-domain-name>TimeReportRealm</log:login-domain-name> <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class> <log:option name="dataSourceName">SampleNoTxDatasource</log:option> <log:option name="userSelect">select userid, password from users where userid=?</log:option> <log:option name="groupSelect">select userid, groupname from usergroups where userid=?</log:option> </log:login-module> </log:login-config> </xml-reference> </gbean> </web-app> |
To restrict access to the Add Employee functionality from Time Report page, programmatic authentication has beeen used as in indicated below.
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
... <BR> <%if(request.isUserInRole("manager")){%> <A href="../manager/">Add Employees</A> <BR> ... |
...
To test the sample application open a browser and type http://localhost:8080/timereport. It will forward to the Welcome page of the application.
...