geronimo-dev mailing list archives

From "Jeppe Sommer (Trifork)" <>
Subject Re: Question about web app login, user principal, and authentication
Date Fri, 06 Jan 2006 11:05:08 GMT
The servlet 2.4 spec, section 12.7 states:

"A security identity, or principal, must always be provided for use in a 
call to an enterprise bean. The default mode in calls to enterprise 
beans from web applications is for the security identity of a web user 
to be propagated to the EJB™ container.

In other scenarios, web containers are required to allow web users that 
are not known to the web container or to the EJB™ container to make 
calls:"

...then the spec goes on, describing scenarios where the user is not 
known to the web container - but this is not the case here, since the 
scenario is that the user is logged in.

That is, if you are logged in (= the user is known), the web container 
must use your login principal in calls to the ejb container. Whether the 
current request is visiting a protected or unprotected resource is 


David Jencks wrote:

> I've been getting very confused by some behavior related to being  
> logged in and authentication while working with jetspeed, and I hope  
> someone can shed some light on what should be happening.
> Let's suppose you have a web app with some secured resources and some  
> unsecured resources.
> If you start by accessing the unsecured resources, there is no doubt,  
> you have not authenticated, getUserPrincipal() returns null, and you  
> would get the DefaultSubject from ContextManager.
> Now if you access a secured resource, you log in, getUserPrincipal()  
> returns a non-null principal, and you get the actual Subject from  
> ContextManager during the call to the secured resource.
> Now if you go back and access an unsecured resource while still  
> logged in, the servlet spec says you should still get the logged-in  
> getUserPrincipal value, but ContextManager returns the  
> DefaultSubject.  So in particular calls to say an ejb will be based  
> on the defaultSubject, not the logged in Subject, even though you are  
> logged in.
> Is this correct?  Or, should any access to a resource while logged in  
> result in the ContextManager being set to the logged in subject?   
> Spec references would be very welcome :-)
> thanks
> david jencks

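The behaviour David describes (a session that has logged in, then a request to an unprotected resource that comes back with a null principal) is easy to observe from inside the web application with a servlet filter. The following is an added diagnostic example written for this thread, not code from Geronimo, Jetspeed or the spec; it uses only the Servlet 2.4 API (Filter, HttpServletRequest.getUserPrincipal, HttpSession) and says nothing about the container's internal Subject handling. The attribute name and the filter name are assumptions made here.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Diagnostic filter (hypothetical, for this example): remembers the first
 * principal seen in a session and reports any later request in the same
 * session for which the container hands back a null principal. Map it to
 * "/*" in web.xml so it sees both protected and unprotected resources.
 */
public class PrincipalPropagationFilter implements Filter {

    // Session attribute (name chosen for this example) holding the first observed principal name.
    static final String SEEN_PRINCIPAL = "diag.seenPrincipal";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            check((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Returns a one-line verdict for this request and prints it to the container log. */
    static String check(HttpServletRequest request) {
        Principal current = request.getUserPrincipal();
        HttpSession session = request.getSession(false);
        String seen = (session == null) ? null : (String) session.getAttribute(SEEN_PRINCIPAL);
        String verdict;
        if (current != null) {
            // First authenticated request in this session: record who the container says we are.
            if (seen == null) {
                request.getSession(true).setAttribute(SEEN_PRINCIPAL, current.getName());
            }
            verdict = "OK: principal '" + current.getName() + "' present";
        } else if (seen != null) {
            // The session authenticated earlier, yet this request carries no identity.
            // This is the case discussed above, typically seen on an unprotected resource.
            verdict = "WARN: session was authenticated as '" + seen
                    + "' but getUserPrincipal() is null";
        } else {
            verdict = "OK: anonymous request, no prior login in this session";
        }
        System.out.println(verdict + " for " + request.getRequestURI());
        return verdict;
    }

    public void destroy() { }
}
```

Register the filter in web.xml with a url-pattern of "/*", log in through a protected page, then request an unprotected page in the same session: per section 12.7 the second request should log "OK" with the same principal, and a "WARN" line is the symptom described in the question. If the application logs out by some means other than invalidating the session, the stored attribute will outlive the login and produce a spurious warning, so clear it in the logout path or compare against the container's own logout behaviour.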