tomee-users mailing list archives

From Arthur Portas <arthur.por...@itsector.pt>
Subject Re: restful web security for TOMEE
Date Mon, 12 Oct 2015 09:50:34 GMT
Awesome answer! Thanks for making it clear!

2015-10-12 10:45 GMT+01:00 Romain Manni-Bucau <rmannibucau@gmail.com>:

> Hmm, form authentication is not linked to remote calls. There is no http
> session with remote calls, but form authentication relies on it.
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog
> <http://rmannibucau.wordpress.com> | Github
> <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-10-12 11:43 GMT+02:00 Arthur Portas <arthur.portas@itsector.pt>:
>
> > In my case, I have at JVM level a custom login module with login config as
> > '<auth-method>FORM</auth-method>'.
> > I'm not calling rest webservices, only remote EJBs. Once tried to use
> > security annotations with no success,
> > but changing to '<auth-method>BASIC</auth-method>' it worked.
> >
> > 2015-10-12 10:33 GMT+01:00 Romain Manni-Bucau <rmannibucau@gmail.com>:
> >
> > > Not sure what "JAAS form auth" means. JAAS is set up either at JVM level
> > > or webapp level using JAASRealm, but this is not directly linked to the
> > > form itself; tomcat just reuses its security pipeline.
> > >
> > >
> > > Romain Manni-Bucau
> > > @rmannibucau <https://twitter.com/rmannibucau> | Blog
> > > <http://rmannibucau.wordpress.com> | Github
> > > <https://github.com/rmannibucau> |
> > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> > > <http://www.tomitribe.com>
> > >
> > > 2015-10-12 11:30 GMT+02:00 Arthur Portas <arthur.portas@itsector.pt>:
> > >
> > > > Hum... I've read somewhere that security annotations in TomEE currently
> > > > only work with JAAS basic auth.
> > > > I'm using TomEE 1.7.2 and JAAS Form auth and could not get it working
> > > > with security annotations.
> > > >
> > > >
> > > > 2015-10-09 23:14 GMT+01:00 Romain Manni-Bucau <rmannibucau@gmail.com>:
> > > >
> > > > > Hi
> > > > >
> > > > > Maybe share a project to reproduce on github, this sounds like
> > > > > something which works.
> > > > >
> > > > > Tip: a maven project with tomee maven plugin ready to run is the best
> > > > > way to get a fast answer ;)
> > > > >
> > > > > Romain
> > > > >
> > > > > 2015-10-09 21:35 GMT+02:00 mark.cavender <mark.cavender@sbcglobal.net>:
> > > > >
> > > > > > Thanks for the quick reply. OK, I wrote a JAASLogin and am using a
> > > > > > JAASRealm. The @RolesAllowed still isn't working in my REST service.
> > > > > > I'm wondering if I am confusing some things. My configuration is as
> > > > > > follows:
> > > > > >
> > > > > > 1) I have declared the RESTful service as: @Stateless
> > > > > > @DeclareRoles({"viewer","poster"}) and declared a method as
> > > > > > @RolesAllowed({"poster"})
> > > > > >
> > > > > > 2) in the web.xml I restricted the URL of the restful call to users
> > > > > > with roles of viewer and poster, although I have also tried to do it
> > > > > > as an asterisk "*" as well.
> > > > > >
> > > > > > 3) In the RESTful method, I can look at the request in the debugger
> > > > > > and see that I only have the viewer role, but it still lets me in the
> > > > > > method even though it is restricted to the poster role. Do you see
> > > > > > any flaws in my logic? Thanks in advance,
> > > > > >
> > > > > > Mark
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > View this message in context:
> > > > > > http://tomee-openejb.979440.n4.nabble.com/restful-web-secruity-for-TOMEE-tp4676451p4676462.html
> > > > > > Sent from the TomEE Users mailing list archive at Nabble.com.
> > > > > >
> > > > >
> > > >
> > >
> >
>
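The configuration Mark describes (a `@Stateless` JAX-RS resource carrying `@DeclareRoles` and a method-level `@RolesAllowed`), written out as one self-contained class so the two enforcement layers can be compared. This is an added example and not code posted in the thread or shipped by TomEE; the package, class name, `/posts` path and method names are assumptions. The resource exposes, alongside the restricted method, a diagnostic endpoint that reports the caller's roles as seen by the EJB container (`EJBContext.isCallerInRole`) and by the web layer (`SecurityContext.isUserInRole`), which is the comparison Mark was doing by hand in the debugger.

```java
// Added example, not code from the thread or from TomEE.
// Package, class, path and method names are assumptions.
package example.rest;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;

/**
 * A JAX-RS resource that is also a stateless session bean, so the EJB
 * container (not the servlet layer) enforces the class and method security
 * annotations on every invocation. The role names are the ones used in the
 * thread: "viewer" and "poster".
 */
@Stateless
@Path("/posts")
@DeclareRoles({"viewer", "poster"})
public class PostResource {

    /** EJB-side view of the authenticated caller (container-managed security). */
    @Resource
    private EJBContext ejbContext;

    /**
     * Reachable by either role. Reports the caller and the "poster" decision
     * from both layers; they should agree. If the web layer sees the role but
     * the EJB side does not, roles from the realm are not reaching the bean.
     */
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed({"viewer", "poster"})
    public String whoAmI(@Context SecurityContext web) {
        String name = ejbContext.getCallerPrincipal().getName();
        return "caller=" + name
                + " ejbPoster=" + ejbContext.isCallerInRole("poster")
                + " webPoster=" + web.isUserInRole("poster");
    }

    /**
     * Only "poster" may reach this body. For any other authenticated caller
     * the EJB container throws javax.ejb.EJBAccessException before the method
     * runs, regardless of what the web.xml constraint allowed through.
     */
    @POST
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed({"poster"})
    public String create(String body) {
        return "created by " + ejbContext.getCallerPrincipal().getName();
    }
}
```

The class is only half of the setup. The web.xml Mark mentions still needs a `security-constraint` whose `url-pattern` covers the JAX-RS path and whose `auth-constraint` lists `viewer` and `poster`, matching `security-role` declarations, and a `login-config` whose `auth-method` is `BASIC`, the variant Arthur reports working for him. The two layers are independent gates: the web.xml constraint decides whether the request reaches the servlet at all (an auth-constraint of `*` lets any authenticated user past it), and `@RolesAllowed` decides whether the bean method runs. If a caller holding only `viewer` gets into `create`, the second gate is not being applied, and the `whoAmI` output shows which side is losing the role.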
