tomee-users mailing list archives

From Romain Manni-Bucau <rmannibu...@gmail.com>
Subject Re: restful web secruity for TOMEE
Date Mon, 12 Oct 2015 09:33:19 GMT
Not sure what "JAAS form auth" means. JAAS is set up either at JVM level or
webapp level using JAASRealm but this is not directly linked to the form
itself, Tomcat just reuses its security pipeline.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-10-12 11:30 GMT+02:00 Arthur Portas <arthur.portas@itsector.pt>:

> Hum... I've read somewhere that security annotations in TomEE currently only
> work with JAAS basic auth.
> I'm using TomEE 1.7.2 and JAAS Form auth and could not get it working with
> security annotations.
>
>
> 2015-10-09 23:14 GMT+01:00 Romain Manni-Bucau <rmannibucau@gmail.com>:
>
> > Hi
> >
> > Maybe share a project to reproduce on github, this sounds like something
> > which works.
> >
> > Tip: a maven project with tomee maven plugin ready to run is the best way
> > to get a fast answer ;)
> >
> > Romain
> >
> > 2015-10-09 21:35 GMT+02:00 mark.cavender <mark.cavender@sbcglobal.net>:
> >
> > > Thanks for the quick reply.  OK, I wrote a JAASLogin and am using a
> > > JAASRealm.  The @RolesAllowed still isn't working in my REST service. I'm
> > > wondering if I am confusing some things. My configuration is as follows:
> > >
> > > 1)  I have declared the RESTful service as:  @Stateless
> > > @DeclareRoles({"viewer","poster"}) and declared a method as
> > > @RolesAllowed({"poster"})
> > >
> > > 2)  in the web.xml I restricted the URL of the restful call to users with
> > > roles of viewer and poster, although I have also tried to do it as an
> > > asterisk "*" as well.
> > >
> > > 3)  In the RESTful method, I can look at the request in the debugger and see
> > > that I only have the viewer role, but it still lets me in the method even
> > > though it is restricted to the poster role.  Do you see any flaws in my
> > > logic?  Thanks in advance,
> > >
> > > Mark
> > >
> > >
> > >
> >
>
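As an added diagnostic example (not code from this thread or from TomEE itself): a JAX-RS resource deployed as a stateless EJB with the same @DeclareRoles/@RolesAllowed setup Mark describes, plus a whoami endpoint that reports the principal and roles seen by the EJB container and by the JAX-RS layer side by side. It assumes the web.xml security-constraint and login-config from step 2 are in place and that the webapp realm (for example a JAASRealm) maps the authenticated user to the viewer and poster roles; the class name, path and role names are illustrative.

```java
// Hypothetical diagnostic resource, not from the thread: compares what the EJB
// container and the JAX-RS layer report about the caller's identity and roles.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;

@Stateless
@Path("/messages")
@DeclareRoles({"viewer", "poster"})
public class MessageResource {

    @Resource
    private SessionContext ejbContext;      // view of the caller as the EJB container sees it

    @Context
    private SecurityContext jaxrsContext;   // view of the caller as the JAX-RS layer sees it

    // Only "poster" may call this; the EJB container must reject a viewer-only
    // caller with an EJBAccessException before the body runs.
    @POST
    @RolesAllowed({"poster"})
    public String post(String body) {
        return "posted by " + ejbContext.getCallerPrincipal().getName();
    }

    // Open to any authenticated caller; reports the principal and role checks
    // from both layers so a mismatch between them is visible without a debugger.
    @GET
    @Path("/whoami")
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed({"viewer", "poster"})
    public String whoAmI() {
        StringBuilder sb = new StringBuilder();
        sb.append("ejb principal=").append(ejbContext.getCallerPrincipal().getName()).append('\n');
        sb.append("jaxrs principal=")
          .append(jaxrsContext.getUserPrincipal() == null ? "null" : jaxrsContext.getUserPrincipal().getName())
          .append('\n');
        for (String role : new String[]{"viewer", "poster"}) {
            sb.append(role).append(": ejb=").append(ejbContext.isCallerInRole(role))
              .append(" jaxrs=").append(jaxrsContext.isUserInRole(role)).append('\n');
        }
        return sb.toString();
    }
}
```

If a viewer-only user can still call POST while whoami reports poster: ejb=false, the container is not applying the security annotations to that class (for instance because it is not actually running as an EJB); if the two principals or role answers disagree, the identity established by the servlet security pipeline is not reaching the EJB container.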
