tomee-users mailing list archives

From Arthur Portas <arthur.por...@itsector.pt>
Subject Re: restful web secruity for TOMEE
Date Mon, 12 Oct 2015 09:43:25 GMT
In my case, I have at JVM level a Custom Login Module with login config as
'<auth-method>FORM</auth-method>'.
I'm not calling REST web services, only remote EJBs. I once tried to use
security annotations with no success,
but changing to '<auth-method>BASIC</auth-method>' it worked.

2015-10-12 10:33 GMT+01:00 Romain Manni-Bucau <rmannibucau@gmail.com>:

> Not sure what "JAAS form auth" means. JAAS is setup either at JVM level or
> webapp level using JAASRealm but this is not directly linked to the form
> itself, tomcat just reuses its security pipeline.
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <
> https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-10-12 11:30 GMT+02:00 Arthur Portas <arthur.portas@itsector.pt>:
>
> > Hum... I've read somewhere that security annotations in TomEE currently only
> > work with JAAS basic auth.
> > I'm using TomEE 1.7.2 and JAAS Form auth and could not get it working with
> > security annotations.
> >
> >
> > 2015-10-09 23:14 GMT+01:00 Romain Manni-Bucau <rmannibucau@gmail.com>:
> >
> > > Hi
> > >
> > > Maybe share a project to reproduce on github, this sounds like something
> > > which works.
> > >
> > > Tip: a maven project with tomee maven plugin ready to run is the best way
> > > to get a fast answer ;)
> > >
> > > Romain
> > >
> > > 2015-10-09 21:35 GMT+02:00 mark.cavender <mark.cavender@sbcglobal.net>:
> > >
> > > > Thanks for the quick reply.  OK, I wrote a JAASLogin and am using a
> > > > JAASRealm.  The @RolesAllowed still isn't working in my REST service. I'm
> > > > wondering if I am confusing some things. My configuration is as follows:
> > > >
> > > > 1)  I have declared the RESTful service as:  @Stateless
> > > > @DeclareRoles({"viewer","poster"}) and declared a method as
> > > > @RolesAllowed({"poster"})
> > > >
> > > > 2)  in the web.xml I restricted the URL of the restful call to users with
> > > > roles of viewer and poster, although I have also tried to do it as an
> > > > asterisk "*" as well.
> > > >
> > > > 3)  In the RESTful method, I can look at the request in the debugger and see
> > > > that I only have the viewer role, but it still lets me in the method even
> > > > though it is restricted to the poster role.  Do you see any flaws in my
> > > > logic?  Thanks in advance,
> > > >
> > > > Mark
> > > >
> > > >
> > > >
>
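
A diagnostic sketch for the situation described in the quoted message (a caller holding only `viewer` reaches a method marked `@RolesAllowed({"poster"})`), added here as an example and not code from anyone in this thread: it reports the caller's roles as seen by the servlet layer and by the EJB container side by side, and fails closed with an explicit check. The class name, the paths and the use of the Java EE 6 `javax.*` APIs are assumptions.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

// Hypothetical diagnostic resource; class name and paths are assumptions.
@Stateless
@Path("/role-probe")
@DeclareRoles({"viewer", "poster"})
public class RoleProbeResource {

    @Resource
    private SessionContext ejbContext; // the EJB container's view of the caller

    // Reachable by both roles; shows whether the two layers agree on identity and roles.
    @GET
    @Path("/whoami")
    @Produces("text/plain")
    @RolesAllowed({"viewer", "poster"})
    public String whoami(@Context HttpServletRequest request) {
        Principal web = request.getUserPrincipal();
        Principal ejb = ejbContext.getCallerPrincipal();
        return "web principal=" + (web == null ? "<none>" : web.getName())
             + " viewer=" + request.isUserInRole("viewer")
             + " poster=" + request.isUserInRole("poster") + "\n"
             + "ejb principal=" + (ejb == null ? "<none>" : ejb.getName())
             + " viewer=" + ejbContext.isCallerInRole("viewer")
             + " poster=" + ejbContext.isCallerInRole("poster") + "\n";
    }

    // Same restriction as in the thread, plus a programmatic check so the
    // method still refuses the call if the annotation is not being enforced.
    @GET
    @Path("/poster-only")
    @Produces("text/plain")
    @RolesAllowed({"poster"})
    public String posterOnly(@Context HttpServletRequest request) {
        if (!request.isUserInRole("poster") || !ejbContext.isCallerInRole("poster")) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return "poster access granted\n";
    }
}
```

If `/whoami` shows the web layer and the EJB layer disagreeing on the principal or its roles, the login is not being propagated to the EJB container, which is where `@RolesAllowed` is evaluated.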
