geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-1425) access to unprotected web resource after login does not use correct Subject
Date Mon, 09 Jan 2006 10:21:24 GMT
    [ http://issues.apache.org/jira/browse/GERONIMO-1425?page=comments#action_12362192 ] 

David Jencks commented on GERONIMO-1425:
----------------------------------------

I beiieve this is fixed for jetty: the problem I had with Jetspeed is now solved. (also fixed
GERONIMO-1440)

Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JettyContainer.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JettyContainerImpl.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JettyServer.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
Transmitting file data ......
Committed revision 367263. 

> access to unprotected web resource after login does not use correct Subject
> ---------------------------------------------------------------------------
>
>          Key: GERONIMO-1425
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1425
>      Project: Geronimo
>         Type: Bug
>   Components: Tomcat, web
>     Versions: 1.1
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.1

>
> This applies to both jetty and tomcat.
> Currently we are installing the correct authenticated Subject in ContextManager only
when you access a protected resource.  For any access to unprotected resources, even after
logon, we are installing the default Subject in the ContextManager.  This appears to violate
this from servlet spec 2.4 12.7:
> A security identity, or principal, must always be provided for use in a call to an enterprise
bean. The default mode in calls to enterprise beans from web applications is for the security
identity of a web user to be propagated to the EJBTM container.
> After logon, the security identity of the user is known, whether or not they are visiting
a protected resource.  Therefore the default is to use this identity in ejb calls, which for
us requires putting the authenticated subject in the ContextManager.
> Alan Cabrera has some doubts that this spec language actually requires us to implement
the default behavior stated here, and I agree that a strict reading does not seem to require
this, but IIUC we agree that we should implement this behavior anyway.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message