request.isUserInRole(“ADMIN”) also returns true for user not in role ADMIN but role USER
-
21-09-2019 - |
Question
I'm currently trying out the JDBCRealm in Glasshfish v3: I have 2 roles USER and ADMIN.
I have a LoginServlet that redirects to a url (say /admin or /user) based on the request.isUserInRole("ADMIN") method.
Problem is when a ADMIN is logged in it returns true, so gets redirected to /admin but he can also access the /user. When a USER is logged in request.isUserInRole("ADMIN") returns true also. request.isUserInRole("NONEXISTINGROLE") returns false for both.
Eg:
request.isUserInRole("ADMIN") +" "+ request.isUserInRole("USER")+" "+ request.isUserInRole("NONEXISTINGROLE")
for loggedin USER: returns true true false
for loggedin ADMIN returns true true false
This is a part of my web.xml:
<security-constraint>
<display-name>Constraint1</display-name>
<web-resource-collection>
<web-resource-name>adminProtected</web-resource-name>
<description>Administrator restricted area</description>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Constraint2</display-name>
<web-resource-collection>
<web-resource-name>userProtected</web-resource-name>
<description>User restricted area</description>
<url-pattern>/user/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>USER</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Constraint3</display-name>
<web-resource-collection>
<web-resource-name>LoginServlet</web-resource-name>
<description>All restricted area</description>
<url-pattern>/LoginServlet</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>USER</role-name>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>securityJDBC</realm-name>
<form-login-config>
<form-login-page>/login.jsf</form-login-page>
<form-error-page>/login.jsf</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description></description>
<role-name>USER</role-name>
</security-role>
<security-role>
<description></description>
<role-name>ADMIN</role-name>
</security-role>
<servlet>
<description></description>
<display-name>LoginServlet</display-name>
<servlet-name>LoginServlet</servlet-name>
<servlet-class>controllers.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginServlet</servlet-name>
<url-pattern>/LoginServlet</url-pattern>
</servlet-mapping>
And my sun-web.xml:
<security-role-mapping>
<role-name>USER</role-name>
<group-name>USER</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>ADMIN</role-name>
<group-name>ADMIN</group-name>
</security-role-mapping>
Thank you!
Solution
Fixed it by making sure the Realm setting "Assign Groups" is empty. Glassfish will load them from the Group Table.
OTHER TIPS
Your security mappings look fine at first glance. How about your user mappings? It look like that the same username is mapped on both the user and admin roles.