geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-1440) JAASJettyRealm not shared enough
Date Sun, 22 Jan 2006 18:22:06 GMT
    [ http://issues.apache.org/jira/browse/GERONIMO-1440?page=comments#action_12363582 ] 

David Jencks commented on GERONIMO-1440:
----------------------------------------

Previous solution made it impossible for jetty to install the default principal/subject for
unsecured web apps (with no login config in the spec dd).  This patch installs a "non"authenticator
that always returns null, so the SecurityBeforeAfter can still work and install the defaultPrincipal
for unsecured resources.

Adding         modules/jetty/src/java/org/apache/geronimo/jetty/NonAuthenticator.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
Sending        modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java
Transmitting file data ...
Committed revision 371341.   

> JAASJettyRealm not shared enough
> --------------------------------
>
>          Key: GERONIMO-1440
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1440
>      Project: Geronimo
>         Type: Bug
>   Components: web
>     Versions: 1.0
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.1

>
> There are a bunch of problems that lead back to missing JAASJettyRealms or multiple "equal"
JAASJettyRealms.
> A JAASJettyRealm has an (external) realm name from the web.xml and an internal geronimo
realm name and a map of user name to principal (which includes the Subject for that user)
for logged in users.  If you supply a (internal) security realm name, a JAASJettyRealm is
registered with the HTTPContext and used for authentication, reauthentication, etc.  If you
don't supply a security realm name, but there is a realm name, then jetty tries to get the
realm from the JettyServer.  Here are some problems:
> 1. we never register our JAASJettyRealms with JettyServer, so if you don't supply a security
realm name you eventually get NPEs if the app calls isUserInRole etc etc.
> lets assume we fix (1)
> 2. If you have 2 apps  A and B deployed with the same external realm name and internal
realm name, only the last to start is registered with  the JettyServer.  Any other app C using
the same realm name but no internal realm name will get the second realm.  If we did a x-context
dispatch from the first app A to C C will be using the realm from B.
> I think that there should only be one JAASJettyRealm per external realm name, based on
servlet spec 2.4 section 12.6.  If you disagree, please say why :-).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message