Bug 976244 - docs "Use Role-Based Security In Servlets" has incorrect/incomplete example
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Documentation
Version: 6.1.0
Hardware: Unspecified, OS: Unspecified
Priority: unspecified, Severity: unspecified
Target Milestone: GA
Target Release: EAP 6.1.1
Assigned To: Russell Dickenson
Reported: 2013-06-20 04:09 EDT by Tom Fonteyne
Modified: 2014-08-14 11:24 EDT
Doc Type: Bug Fix
Environment:
Instance Name: Not Defined Build: CSProcessor Builder Version 1.8 Build Name: 11864, Development Guide-6.1-3 Build Date: 19-04-2013 15:35:25
Last Closed: 2013-09-16 16:29:59 EDT
Type: Bug


Description Tom Fonteyne 2013-06-20 04:09:17 EDT
Title: Use Role-Based Security In Servlets

Describe the issue:

https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.1/html-single/Development_Guide/index.html#Use_Role-Based_Security_In_Servlets

Procedure 14.2. Add Role-Based Security to Servlets, step 2 has incorrect XML.

It needs to become:

<security-constraint>
  <display-name>Restrict access to role eap_admin</display-name>
  <web-resource-collection>
    <web-resource-name>Restrict access to role eap_admin</web-resource-name>
    <url-pattern>/DisplayOpResult/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>eap_admin</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>eap_admin</role-name>
</security-role>

i.e. the security role is defined outside of the constraint.

The example is also missing a login-config element. Example:

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

A note should be added along these lines:

------
You need to specify the authentication method, which can be BASIC, FORM, DIGEST, CLIENT-CERT, or SPNEGO. In this example we use BASIC for simplicity.
------

Lastly, it would be good to summarize the full web.xml:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <display-name>Use Role-Based Security In Servlets</display-name>

  <welcome-file-list>
    <welcome-file>/index.jsp</welcome-file>
  </welcome-file-list>

  <servlet-mapping>
    <servlet-name>DisplayOpResult</servlet-name>
    <url-pattern>/DisplayOpResult</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <display-name>Restrict access to role eap_admin</display-name>
    <web-resource-collection>
      <web-resource-name>Restrict access to role eap_admin</web-resource-name>
      <url-pattern>/DisplayOpResult/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>eap_admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>eap_admin</role-name>
  </security-role>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

</web-app>
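
Added example (not part of the bug report or the JBoss documentation): a Python check for the three problems the description raises, namely a security-role nested inside a security-constraint, a role used in an auth-constraint without a top-level declaration, and a missing login-config. The helper name lint_web_xml and both samples are constructed here; the nested layout in BROKEN is an assumption inferred from the reporter's remark, since the original incorrect XML is not quoted on this page.

```python
import xml.etree.ElementTree as ET

# Namespace declared by the web.xml in the report (Java EE 6 / Servlet 3.0).
NS = {"j": "http://java.sun.com/xml/ns/javaee"}

def lint_web_xml(text):
    """Return findings for role-based security mistakes in a web.xml string."""
    root = ET.fromstring(text)
    findings = []
    # security-role is only valid as a direct child of web-app.
    if root.findall("j:security-constraint//j:security-role", NS):
        findings.append("security-role nested inside security-constraint")
    declared = {r.text.strip()
                for r in root.findall("j:security-role/j:role-name", NS) if r.text}
    used = {r.text.strip()
            for r in root.findall(
                "j:security-constraint/j:auth-constraint/j:role-name", NS) if r.text}
    # "*" means "every declared role" and needs no declaration of its own.
    for role in sorted(used - declared - {"*"}):
        findings.append(f"role '{role}' used in auth-constraint but not declared")
    # Without an auth-method the container has no way to authenticate the caller.
    method = root.find("j:login-config/j:auth-method", NS)
    if used and (method is None or not (method.text or "").strip()):
        findings.append("auth-constraint present but no login-config/auth-method")
    return findings

# Constructed building blocks, using the names from the report.
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrict access to role eap_admin</web-resource-name>
    <url-pattern>/DisplayOpResult/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>eap_admin</role-name></auth-constraint>%s
</security-constraint>"""
ROLE = "<security-role><role-name>eap_admin</role-name></security-role>"
LOGIN = "<login-config><auth-method>BASIC</auth-method></login-config>"
WEBAPP = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">%s</web-app>'

BROKEN = WEBAPP % (CONSTRAINT % ROLE)                # assumed faulty layout
FIXED = WEBAPP % ((CONSTRAINT % "") + ROLE + LOGIN)  # layout proposed in the report

if __name__ == "__main__":
    for name, doc in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_web_xml(doc) or "no findings")
```
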
Comment 1 Misty Stanley-Jones 2013-06-26 02:02:21 EDT
These changes have been made in revision 471360. Thanks!
Comment 3 Russell Dickenson 2013-08-25 23:38:11 EDT
The amended text is available at [1]. When validating the changes, confirm that you're viewing revision 1.0-58 or later.

[1] http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_JBoss_Enterprise_Application_Platform/6.1.1/html/Security_Guide/Use_Role-Based_Security_In_Servlets.html
Comment 4 Josef Cacek 2013-08-28 03:47:17 EDT
Verified on the stage (6.1, 6.1.1, 6.2).
