geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <...@geronimo.apache.org>
Subject [jira] Created: (GERONIMO-1440) JAASJettyRealm not shared enough
Date Mon, 09 Jan 2006 10:17:32 GMT
JAASJettyRealm not shared enough
--------------------------------

         Key: GERONIMO-1440
         URL: http://issues.apache.org/jira/browse/GERONIMO-1440
     Project: Geronimo
        Type: Bug
  Components: web  
    Versions: 1.0    
    Reporter: David Jencks
 Assigned to: David Jencks 
     Fix For: 1.1


There are a bunch of problems that lead back to missing JAASJettyRealms or multiple "equal"
JAASJettyRealms.

A JAASJettyRealm has an (external) realm name from the web.xml and an internal geronimo realm
name and a map of user name to principal (which includes the Subject for that user) for logged
in users.  If you supply a (internal) security realm name, a JAASJettyRealm is registered
with the HTTPContext and used for authentication, reauthentication, etc.  If you don't supply
a security realm name, but there is a realm name, then jetty tries to get the realm from the
JettyServer.  Here are some problems:

1. we never register our JAASJettyRealms with JettyServer, so if you don't supply a security
realm name you eventually get NPEs if the app calls isUserInRole etc etc.

lets assume we fix (1)
2. If you have 2 apps  A and B deployed with the same external realm name and internal realm
name, only the last to start is registered with  the JettyServer.  Any other app C using the
same realm name but no internal realm name will get the second realm.  If we did a x-context
dispatch from the first app A to C C will be using the realm from B.

I think that there should only be one JAASJettyRealm per external realm name, based on servlet
spec 2.4 section 12.6.  If you disagree, please say why :-).



-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message