THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
web.xml includes the standard security constraints relating user roles to resources in the web application.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>employee</web-resource-name>
<url-pattern>/employee/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>employee</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>manager</web-resource-name>
<url-pattern>/manager/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>TimeReportRealm</realm-name>
<form-login-config>
<form-login-page>/login/login.jsp</form-login-page>
<form-error-page>/login/login_error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>employee</role-name>
</security-role>
<security-role>
<role-name>manager</role-name>
</security-role>
<servlet>
<display-name>AddTimeRecordServlet</display-name>
<servlet-name>AddTimeRecordServlet</servlet-name>
<servlet-class>org.apache.geronimo.samples.timereport.web.AddTimeRecordServlet</servlet-class>
</servlet>
<servlet>
<display-name>AddEmployeeServlet</display-name>
<servlet-name>AddEmployeeServlet</servlet-name>
<servlet-class>org.apache.geronimo.samples.timereport.web.AddEmployeeServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AddTimeRecordServlet</servlet-name>
<url-pattern>/employee/add_timerecord</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AddEmployeeServlet</servlet-name>
<url-pattern>/manager/add_employee</url-pattern>
</servlet-mapping>
</web-app>
|
The Geronimo deployment plan ( plan.xml found after building the project at timereport/timereport-tomcat/target/resources/META-INF/plan.xml) includes the Geronimo specific security configuration including the security realm configuration and the principal-role mapping relating the principals from the security realm to the application roles defined above in web.xml This project uses two roles, manager and employee. There is a business rule that every manager is an employee. This is enforced through the principal-role mapping: both the EmployeeGroup and ManagerGroup imply the app specific employee role.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
<?xml version="1.0" encoding="UTF-8"?>
<!--Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.-->
<!--$Rev: 497879 $ $Date: 2007-01-19 12:11:01 -0500 (Fri, 19 Jan 2007) $-->
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1">
<dep:environment xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2">
<dep:moduleId>
<dep:groupId>org.apache.geronimo.samples.javaee5</dep:groupId>
<dep:artifactId>timereport-tomcat</dep:artifactId>
<dep:version>3.0-beta-1</dep:version>
<dep:type>car</dep:type>
</dep:moduleId>
<dep:dependencies>
<dep:dependency>
<dep:groupId>org.apache.geronimo.samples</dep:groupId>
<dep:artifactId>sample-datasource</dep:artifactId>
<dep:version>3.0-beta-1</dep:version>
<dep:type>car</dep:type>
</dep:dependency>
<dep:dependency>
<dep:groupId>org.apache.geronimo.configs</dep:groupId>
<dep:artifactId>jasper</dep:artifactId>
<dep:version>3.0-beta-1</dep:version>
<dep:type>car</dep:type>
</dep:dependency>
<dep:dependency>
<dep:groupId>org.apache.geronimo.configs</dep:groupId>
<dep:artifactId>tomcat7</dep:artifactId>
<dep:version>3.0-beta-1</dep:version>
<dep:type>car</dep:type>
</dep:dependency>
</dep:dependencies>
<dep:hidden-classes/>
<dep:non-overridable-classes/>
<dep:private-classes/>
</dep:environment>
<context-root>timereport-tomcat</context-root>
<security-realm-name>TimeReportRealm</security-realm-name>
<security>
<default-principal realm-name="TimeReportRealm">
<principal name="anonymous" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
</default-principal>
<role-mappings>
<role role-name="employee">
<realm realm-name="TimeReportRealm">
<principal name="EmployeeGroup" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
</realm>
<realm realm-name="TimeReportRealm">
<principal name="ManagerGroup" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
</realm>
</role>
<role role-name="manager">
<realm realm-name="TimeReportRealm">
<principal name="ManagerGroup" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
</realm>
</role>
</role-mappings>
</security>
<gbean name="DBInitialization" class="org.apache.geronimo.connector.wrapper.DatabaseInitializationGBean">
<!--<attribute name="testSQL">select * from users</attribute>-->
<attribute name="path">TimeReportDB.sql</attribute>
<reference name="DataSource">
<name>SampleTxDatasource</name>
</reference>
</gbean>
<gbean name="TimeReportRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
<attribute name="realmName">TimeReportRealm</attribute>
<reference name="ServerInfo">
<name>ServerInfo</name>
</reference>
<xml-reference name="LoginModuleConfiguration">
<log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.1">
<log:login-module control-flag="REQUIRED" wrap-principals="false">
<log:login-domain-name>TimeReportRealm</log:login-domain-name>
<log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
<log:option name="dataSourceName">SampleNoTxDatasource</log:option>
<log:option name="userSelect">select userid, password from users where userid=?</log:option>
<log:option name="groupSelect">select userid, groupname from usergroups where userid=?</log:option>
</log:login-module>
</log:login-config>
</xml-reference>
</gbean>
</web-app>
|
To restrict access to the Add Employee functionality from Time Report page, programmatic authentication has beeen used as in indicated below.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
...
<BR>
<%if(request.isUserInRole("manager")){%>
<A href="../manager/">Add Employees</A>
<BR>
...
|
...