tomee-users mailing list archives

From Romain Manni-Bucau <rmannibu...@gmail.com>
Subject Re: restful web secruity for TOMEE
Date Mon, 12 Oct 2015 09:45:18 GMT
Hmm, form authentication is not linked to remote calls. There is no HTTP
session with remote calls, but form authentication relies on it.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-10-12 11:43 GMT+02:00 Arthur Portas <arthur.portas@itsector.pt>:

> In my case, I have at JVM level a Custom Login Module with login config as
> '<auth-method>FORM</auth-method>'.
> I'm not calling REST web services, only remote EJBs. I once tried to use
> security annotations with no success,
> but changing to '<auth-method>BASIC</auth-method>' it worked.
>
> 2015-10-12 10:33 GMT+01:00 Romain Manni-Bucau <rmannibucau@gmail.com>:
>
> > Not sure what "JAAS form auth" means. JAAS is set up either at JVM level
> > or webapp level using JAASRealm, but this is not directly linked to the
> > form itself; Tomcat just reuses its security pipeline.
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> | Blog
> > <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> > <http://www.tomitribe.com>
> >
> > 2015-10-12 11:30 GMT+02:00 Arthur Portas <arthur.portas@itsector.pt>:
> >
> > > Hum... I've read somewhere that security annotations in TomEE currently
> > > only work with JAAS basic auth.
> > > I'm using TomEE 1.7.2 and JAAS Form auth and could not get it working
> > > with security annotations.
> > >
> > >
> > > 2015-10-09 23:14 GMT+01:00 Romain Manni-Bucau <rmannibucau@gmail.com>:
> > >
> > > > Hi
> > > >
> > > > Maybe share a project to reproduce on GitHub, this sounds like
> > > > something which works.
> > > >
> > > > Tip: a Maven project with the TomEE Maven plugin ready to run is the
> > > > best way to get a fast answer ;)
> > > >
> > > > Romain
> > > >
> > > > 2015-10-09 21:35 GMT+02:00 mark.cavender <mark.cavender@sbcglobal.net>:
> > > >
> > > > > Thanks for the quick reply. OK, I wrote a JAASLogin and am using a
> > > > > JAASRealm. The @RolesAllowed still isn't working in my REST service.
> > > > > I'm wondering if I am confusing some things. My configuration is as
> > > > > follows:
> > > > >
> > > > > 1) I have declared the RESTful service as: @Stateless
> > > > > @DeclareRoles({"viewer","poster"}) and declared a method as
> > > > > @RolesAllowed({"poster"})
> > > > >
> > > > > 2) In the web.xml I restricted the URL of the RESTful call to users
> > > > > with roles of viewer and poster, although I have also tried to do it
> > > > > as an asterisk "*" as well.
> > > > >
> > > > > 3) In the RESTful method, I can look at the request in the debugger
> > > > > and see that I only have the viewer role, but it still lets me in the
> > > > > method even though it is restricted to the poster role. Do you see
> > > > > any flaws in my logic? Thanks in advance,
> > > > >
> > > > > Mark
