0 Replies Latest reply: Aug 27, 2010 5:01 PM by 3004

    Problem with authorization

    3004
      Hi,

      I've defined the following security constraints in my web.xml file:
      <security-constraint>
          <display-name>SecurityConstraint</display-name>
          <web-resource-collection>
              <web-resource-name>protected</web-resource-name>
              <url-pattern>*.xhtml</url-pattern>
          </web-resource-collection>

          <auth-constraint>
              <role-name>administrator</role-name>
              <role-name>superuser</role-name>
              <role-name>user</role-name>
          </auth-constraint>
      </security-constraint>

      <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>myJDBCRealm</realm-name>
          <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/error.jsp</form-error-page>
          </form-login-config>
      </login-config>

      <security-role>
          <role-name>administrator</role-name>
      </security-role>

      <security-role>
          <role-name>superuser</role-name>
      </security-role>

      <security-role>
          <role-name>user</role-name>
      </security-role>
      And my user is not associated with any of these roles, but still the application is allowing it to access the private resources.

      The following prints false:
      System.err.println(httpRequest.isUserInRole("administrator"));
      System.err.println(httpRequest.isUserInRole("superuser"));
      System.err.println(httpRequest.isUserInRole("user"));
      I'm running GlassFish v3 and defined a JDBC Realm.

      Can someone help me with this issue?

      Kind regards,

      Carlos Ferreira
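
Added example (not part of the original post and not GlassFish code): a Python check of which context-relative request paths the posted `*.xhtml` constraint covers under the Servlet specification's url-pattern rules, useful for confirming that a request really falls under the constraint before looking at role assignment. The `<web-app>` wrapper, the sample paths, and the `/faces/*` and `*.jsf` style URLs are constructed assumptions, not details from the post.

```python
import xml.etree.ElementTree as ET

# Constructed input: the constraint from the post, wrapped in a <web-app> root
# (no namespace, for brevity) so that it parses as one document.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
      <role-name>superuser</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern match against a context-relative path."""
    if pattern.startswith("/") and pattern.endswith("/*"):  # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                             # extension mapping
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern == "/":                                       # default mapping
        return True
    return pattern == path                                   # exact mapping

def required_roles(xml_text, path):
    """Roles demanded for path, or None when no auth-constraint covers it.
    Simplification: the first matching constraint wins, which is enough for
    the single constraint in the post; an empty list means 'deny everyone'."""
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        auth = sc.find("auth-constraint")
        if auth is not None and any(pattern_matches(p, path) for p in patterns):
            return [r.text.strip() for r in auth.iter("role-name")]
    return None

if __name__ == "__main__":
    # Constructed request paths; the /faces/ and .jsf forms are hypothetical.
    for path in ["/admin/users.xhtml", "/faces/admin/users",
                 "/admin/users.jsf", "/login.jsp"]:
        print(path, "->", required_roles(WEB_XML, path))
```

A path that prints `None` is served without any role check by this constraint, regardless of how the realm maps users to roles.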