geronimo-dev mailing list archives

From "David Jencks (JIRA)" <...@geronimo.apache.org>
Subject [jira] Created: (GERONIMO-1012) Tomcat integration does not set a subject in an unsecured web module in a secured ejb application
Date Wed, 14 Sep 2005 20:01:55 GMT
Tomcat integration does not set a subject in an unsecured web module in a secured ejb application
-------------------------------------------------------------------------------------------------

         Key: GERONIMO-1012
         URL: http://issues.apache.org/jira/browse/GERONIMO-1012
     Project: Geronimo
        Type: Bug
  Components: Tomcat  
    Versions: 1.0-M5    
    Reporter: David Jencks
 Assigned to: David Jencks 
     Fix For: 1.0-M5


In the jetty integration, in SecurityContextBeforeAfter, a request for an unsecured page results
in the default subject being set in the ContextManager (line 288).  This provides a way to
call secured ejbs and also provides a source for credentials for calling secured web services.

In tomcat, we don't do anything like that: in particular there is no source of credentials
for secured web services.  

I think the simplest solution is, if the app is secured, to add another valve after the
standard tomcat security valve that sets the default subject into the ContextManager if none
is there already.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
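
The proposed step, sketched as an added example (not code from the Geronimo or Tomcat projects): a pipeline step placed after the security step sets a default subject only when none is present and restores the previous state afterwards. `SubjectHolder`, `Handler` and `DefaultSubjectStep` are hypothetical stand-ins for the ContextManager and the valve chain, and the subjects are constructed samples.

```java
import java.io.IOException;
import javax.security.auth.Subject;

// Added illustration: SubjectHolder, Handler and DefaultSubjectStep are hypothetical
// stand-ins, not Geronimo's ContextManager or Tomcat's Valve API.
public class DefaultSubjectExample {

    /** Stand-in for a per-thread "current caller" store. */
    static final class SubjectHolder {
        private static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();
        static Subject get() { return CURRENT.get(); }
        static void set(Subject s) { if (s == null) CURRENT.remove(); else CURRENT.set(s); }
    }

    /** Stand-in for the next step in the request pipeline. */
    interface Handler { void handle(String path) throws IOException; }

    /** Runs after the security step: supplies the default subject only if none was set. */
    static final class DefaultSubjectStep implements Handler {
        private final Subject defaultSubject;
        private final Handler next;
        DefaultSubjectStep(Subject defaultSubject, Handler next) {
            this.defaultSubject = defaultSubject;
            this.next = next;
        }
        @Override public void handle(String path) throws IOException {
            Subject before = SubjectHolder.get();
            if (before == null) {
                SubjectHolder.set(defaultSubject);   // unsecured page: no login happened
            }
            try {
                next.handle(path);
            } finally {
                SubjectHolder.set(before);           // pooled threads must not keep the identity
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Subject defaults = new Subject();            // constructed sample default subject
        Subject alice = new Subject();               // constructed authenticated subject
        Handler servlet = p -> System.out.println(p + " default=" + (SubjectHolder.get() == defaults));
        Handler chain = new DefaultSubjectStep(defaults, servlet);

        chain.handle("/public");                     // no subject yet: default applies
        SubjectHolder.set(alice);                    // as if the security step authenticated
        chain.handle("/secure");                     // existing subject is left alone
        SubjectHolder.set(null);
    }
}
```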

