From David Jencks <>
Subject Question about web app login, user principal, and authentication
Date Fri, 06 Jan 2006 08:15:39 GMT
I've been getting very confused by some behavior related to being  
logged in and authentication while working with jetspeed, and I hope  
someone can shed some light on what should be happening.

Let's suppose you have a web app with some secured resources and some  
unsecured resources.

If you start by accessing the unsecured resources, there is no doubt,  
you have not authenticated, getUserPrincipal() returns null, and you  
would get the DefaultSubject from ContextManager.

Now if you access a secured resource, you log in, getUserPrincipal()  
returns a non-null principal, and you get the actual Subject from  
ContextManager during the call to the secured resource.

Now if you go back and access an unsecured resource while still  
logged in, the servlet spec says you should still get the logged-in  
getUserPrincipal value, but ContextManager returns the  
DefaultSubject.  So in particular calls to say an ejb will be based  
on the defaultSubject, not the logged in Subject, even though you are  
logged in.

Is this correct?  Or, should any access to a resource while logged in  
result in the ContextManager being set to the logged in subject?   
Spec references would be very welcome :-)

david jencks
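An added example (not part of the message above, and not Geronimo's own code): a servlet filter, mapped to `/*`, that records when the servlet layer reports a logged-in user while the Subject that will be propagated to EJB calls does not carry that principal. It assumes Geronimo 1.x exposes the current caller Subject through `ContextManager.getCurrentCaller()` (an assumed API name).

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.geronimo.security.ContextManager; // assumed Geronimo 1.x API

/**
 * Diagnostic filter: logs a warning whenever getUserPrincipal() is non-null
 * (the servlet spec's view of "logged in") but the Subject Geronimo will use
 * for downstream calls does not contain that principal. On an unsecured
 * resource this is exactly the DefaultSubject case described in the message.
 */
public class CallerMismatchFilter implements Filter {
    private FilterConfig config;

    public void init(FilterConfig config) throws ServletException {
        this.config = config;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            Principal user = http.getUserPrincipal();           // servlet-level login state
            Subject caller = ContextManager.getCurrentCaller(); // assumed: Subject for this call
            if (user != null && !carries(caller, user)) {
                config.getServletContext().log("caller mismatch on " + http.getRequestURI()
                        + ": user principal=" + user.getName()
                        + " but propagated Subject=" + caller);
            }
        }
        chain.doFilter(req, res);
    }

    // True when the Subject holds a principal with the same name as the web user.
    private static boolean carries(Subject subject, Principal user) {
        if (subject == null) return false;
        for (Principal p : subject.getPrincipals()) {
            if (user.getName().equals(p.getName())) return true;
        }
        return false;
    }

    public void destroy() { }
}
```

Run the three-step scenario from the message (unsecured, then secured, then unsecured again) and the third request is the one that should produce a log line if ContextManager really falls back to the DefaultSubject.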
