geronimo-dev mailing list archives

From "Alan D. Cabrera" <...@toolazydogs.com>
Subject RE: svn commit: r111381 - in geronimo/branches/djencks/jetty-deployer1/trunk/modules: jetty-builder/src/java/org/apache/geronimo/jetty/deployment jetty/src/java/org/apache/geronimo/jetty jetty/src/test/org/apache/geronimo/jetty
Date Fri, 10 Dec 2004 06:13:12 GMT
These changes have nothing to do with the JACC authorization checks but are, instead, used
to decide if we must attempt to obtain an authenticated user, among other things.  I am merely
reusing the set of JACC permission sets to decide this.
 
 
Regards,
Alan

	-----Original Message----- 
	From: David Jencks [mailto:djencks@gluecode.com] 
	Sent: Thu 12/9/2004 4:36 PM 
	To: dev@geronimo.apache.org 
	Cc: 
	Subject: Re: svn commit: r111381 - in geronimo/branches/djencks/jetty-deployer1/trunk/modules:
jetty-builder/src/java/org/apache/geronimo/jetty/deployment jetty/src/java/org/apache/geronimo/jetty
jetty/src/test/org/apache/geronimo/jetty
	
	


	On Dec 9, 2004, at 5:38 AM, adc@apache.org wrote:
	> +        ServletHttpRequest servletHttpRequest = (ServletHttpRequest)
	> request.getWrapper();
	> +        WebResourcePermission resourcePermission = new
	> WebResourcePermission(servletHttpRequest);
	> +        WebUserDataPermission dataPermission = new
	> WebUserDataPermission(servletHttpRequest);
	> +        boolean unauthenticated =
	> !(checked.implies(resourcePermission) ||
	> checked.implies(dataPermission));
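
Review bot: `unauthenticated` in the last statement is derived by negating `checked`, so any request that `checked` fails to imply, including one the policy simply does not list, is treated as needing no login. Either derive the flag from the set of permissions that are explicitly open to everyone, or add a comment stating what `checked` holds and that this flag only decides whether to authenticate, not whether access is granted. The downcast of `request.getWrapper()` to `ServletHttpRequest` is also unguarded; a wrapper of another type would fail here with a ClassCastException before any security decision is made.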
	
	I don't understand this line.  Why isn't it
	
	       boolean unauthenticated = unchecked.implies(resourcePermission)
	&& unchecked.implies(dataPermission);
	?
	
	I also don't understand why the login path is checked specially.
	Shouldn't the login form have unchecked permissions and so be taken care of
	by these other checks?
	
	
	> +        boolean forbidden =
	> excludedPermissions.implies(resourcePermission) ||
	> excludedPermissions.implies(dataPermission);
	>
	>          UserRealm realm = getRealm();
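
Review bot: `forbidden` is computed just before `getRealm()`, but nothing in these lines acts on it; if it is only consulted after authentication, a request for an excluded resource will still get a login challenge. Returning the forbidden response as soon as the flag is true, before the realm is touched, would avoid that, and a short comment on why a match of either permission against `excludedPermissions` is enough to refuse would help. The two `implies` calls are also outside any try/catch in the visible lines, so a SecurityException raised during the check would propagate rather than count as a denial.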
	
	also, the jacc spec says (4.1.1, p.36)
	The Servlet container must use one of the methods described in
	Section 4.7, “Checking AccessControlContext Independent Grants” to test
	if access to the resource using the method and connection type
	encapsulated in the WebUserDataPermission is permitted. If a
	SecurityException is thrown in the permission determination, it must
	be caught, and the result of the determination must be that access to
	the resource using the method and connection type is not permitted. If
	access is not permitted, the request must be redirected as defined by
	the Servlet Specification. If access is permitted, the request must be
	subjected to a pre-dispatch decision.
	
	I think this means that the required order of events is:
	
	check UserData permissions
	
	if required, log in or say "forbidden"
	
	check WebResource permissions
	
	Currently we have
	
	if required, log in
	
	check UserData permissions
	
	check WebResource permissions.
	
	Am I missing something?
	
	thanks
	david jencks
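
An added example, not part of the original message or the Geronimo code, sketching the order of events David describes above (user-data check, then login or "forbidden", then resource check) using JDK classes only. `WebPerm`, `Outcome`, `decide`, `of` and the sample policy are hypothetical stand-ins for the JACC permission classes and the container's excluded, unchecked and role-based permission sets.

```java
import java.security.BasicPermission;
import java.security.Permissions;
import java.util.Map;

public class PreDispatchOrder {
    // Hypothetical stand-in for the two JACC permission classes; names match exactly.
    static final class WebPerm extends BasicPermission {
        WebPerm(String kind, String path) { super(kind + ":" + path); }
    }

    enum Outcome { REDIRECT, FORBIDDEN, LOGIN, DENIED, DISPATCH }
    // role == null means the caller has not been authenticated yet.
    static Outcome decide(String path, String role, Permissions excluded,
                          Permissions unchecked, Map<String, Permissions> byRole) {
        WebPerm data = new WebPerm("data", path);
        WebPerm resource = new WebPerm("resource", path);
        boolean dataOk;
        try {
            // 1. User-data check, made without reference to any caller identity.
            dataOk = !excluded.implies(data) && unchecked.implies(data);
        } catch (SecurityException e) {
            dataOk = false; // a failed determination counts as "not permitted"
        }
        if (!dataOk) return Outcome.REDIRECT;
        // 2. Refuse excluded resources outright; ask for a login only when needed.
        if (excluded.implies(resource)) return Outcome.FORBIDDEN;
        if (unchecked.implies(resource)) return Outcome.DISPATCH;
        if (role == null) return Outcome.LOGIN;
        // 3. Resource check for the authenticated caller's role.
        Permissions granted = byRole.get(role);
        return granted != null && granted.implies(resource) ? Outcome.DISPATCH : Outcome.DENIED;
    }

    static Permissions of(WebPerm... perms) {
        Permissions set = new Permissions();
        for (WebPerm p : perms) set.add(p);
        return set;
    }

    public static void main(String[] args) {
        // Constructed sample policy, not taken from any real deployment.
        Permissions excluded = of(new WebPerm("resource", "/internal"));
        Permissions unchecked = of(new WebPerm("data", "/index"), new WebPerm("resource", "/index"),
                new WebPerm("data", "/internal"), new WebPerm("data", "/admin"));
        Map<String, Permissions> byRole = Map.of("admin", of(new WebPerm("resource", "/admin")));
        String[][] requests = { {"/index", null}, {"/internal", null}, {"/admin", null},
                {"/admin", "admin"}, {"/admin", "guest"}, {"/secure", null} };
        for (String[] r : requests)
            System.out.println(r[0] + " as " + r[1] + " -> " + decide(r[0], r[1], excluded, unchecked, byRole));
    }
}
```

In this ordering the excluded `/internal` request is refused before any login is attempted, and `/secure`, whose user-data permission is not granted, never reaches the resource check.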
	
	
	
