Bug 976244 - docs "Use Role-Based Security In Servlets" has incorrect/incomplete example
Summary: docs "Use Role-Based Security In Servlets" has incorrect/incomplete example
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Documentation
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
: EAP 6.1.1
Assignee: Russell Dickenson
QA Contact: Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-06-20 08:09 UTC by Tom Fonteyne
Modified: 2018-12-02 16:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Instance Name: Not Defined Build: CSProcessor Builder Version 1.8 Build Name: 11864, Development Guide-6.1-3 Build Date: 19-04-2013 15:35:25
Last Closed: 2013-09-16 20:29:59 UTC
Type: Bug
Embargoed:

Description Tom Fonteyne 2013-06-20 08:09:17 UTC
Title: Use Role-Based Security In Servlets

Describe the issue:

https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.1/html-single/Development_Guide/index.html#Use_Role-Based_Security_In_Servlets

Procedure 14.2. Add Role-Based Security to Servlets, step 2
has incorrect XML.

It needs to become:

<security-constraint>
  <display-name>Restrict access to role eap_admin</display-name>
  <web-resource-collection>
    <web-resource-name>Restrict access to role eap_admin</web-resource-name>
    <url-pattern>/DisplayOpResult/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>eap_admin</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>eap_admin</role-name>
</security-role>

e.g. the security role is defined outside of the constraint.

The example is also missing a login-config element. Example:

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

A note should be added along these lines:

------
You need to specify the authentication method, which can be BASIC, FORM, DIGEST, CLIENT-CERT, SPNEGO. In this example we use BASIC for simplicity.
------

Lastly, it would be good to summarize the full web.xml:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <display-name>Use Role-Based Security In Servlets</display-name>

  <welcome-file-list>
    <welcome-file>/index.jsp</welcome-file>
  </welcome-file-list>

  <servlet-mapping>
    <servlet-name>DisplayOpResult</servlet-name>
    <url-pattern>/DisplayOpResult</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <display-name>Restrict access to role eap_admin</display-name>
    <web-resource-collection>
      <web-resource-name>Restrict access to role eap_admin</web-resource-name>
      <url-pattern>/DisplayOpResult/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>eap_admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>eap_admin</role-name>
  </security-role>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

</web-app>

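A small descriptor checker for the two mistakes the report calls out, added here as an example (it is not from the EAP documentation or the product): it parses a web.xml and verifies that every role named in an auth-constraint is declared by a top-level security-role, that no security-role is nested inside a security-constraint, and that a login-config with one of the listed auth-methods is present. The two sample descriptors are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}
# Methods the report lists; SPNEGO is an EAP addition to the Servlet 3.0 set.
AUTH_METHODS = {"BASIC", "FORM", "DIGEST", "CLIENT-CERT", "SPNEGO"}

def check_web_xml(xml_text):
    """Return a list of findings; an empty list means the descriptor passes."""
    root = ET.fromstring(xml_text)
    findings = []
    # Only top-level security-role elements declare roles for the web app.
    declared = {r.text.strip() for r in root.findall("j:security-role/j:role-name", NS)}
    for sc in root.findall("j:security-constraint", NS):
        # A security-role nested inside the constraint is the mistake the
        # report describes: the schema does not allow it there.
        if sc.find("j:security-role", NS) is not None:
            findings.append("security-role nested inside security-constraint")
        for rn in sc.findall("j:auth-constraint/j:role-name", NS):
            name = rn.text.strip()
            if name != "*" and name not in declared:
                findings.append(f"role '{name}' used in auth-constraint but never declared")
    lc = root.find("j:login-config", NS)
    if lc is None:
        findings.append("no login-config, so the container cannot challenge for credentials")
    elif lc.findtext("j:auth-method", default="", namespaces=NS).strip() not in AUTH_METHODS:
        findings.append("login-config has a missing or unsupported auth-method")
    return findings

# Constructed sample descriptor (not taken from the product docs).
GOOD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ops</web-resource-name>
      <url-pattern>/DisplayOpResult/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>eap_admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>eap_admin</role-name></security-role>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Same constraint, but the role is declared inside it and login-config is absent.
BAD_WEB_XML = GOOD_WEB_XML.replace(
    "  </security-constraint>\n  <security-role><role-name>eap_admin</role-name></security-role>\n"
    "  <login-config><auth-method>BASIC</auth-method></login-config>",
    "    <security-role><role-name>eap_admin</role-name></security-role>\n  </security-constraint>")

if __name__ == "__main__":
    for label, doc in (("good", GOOD_WEB_XML), ("bad", BAD_WEB_XML)):
        print(label, check_web_xml(doc) or "OK")
```
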
Comment 1 Misty Stanley-Jones 2013-06-26 06:02:21 UTC
These changes have been made in revision 471360. Thanks!

Comment 3 Russell Dickenson 2013-08-26 03:38:11 UTC
The amended text is available at [1]. When validating the changes, confirm that you're viewing revision 1.0-58 or later.

[1] http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_JBoss_Enterprise_Application_Platform/6.1.1/html/Security_Guide/Use_Role-Based_Security_In_Servlets.html

Comment 4 Josef Cacek 2013-08-28 07:47:17 UTC
Verified on the stage (6.1, 6.1.1, 6.2).