geronimo-dev mailing list archives

From David Jencks <>
Subject Re: [jira] Created: (GERONIMO-1425) access to unprotected web resource after login does not use correct Subject
Date Fri, 06 Jan 2006 21:25:46 GMT

On Jan 6, 2006, at 1:14 PM, Aaron Mulder wrote:

> I think it would be nice to behave like you're describing, but I
> believe that the spec does not require it.  That is, if the default
> principal is "anonymous" and the current user is "aaron", I think it's
> legit to have protected pages use the "aaron" subject and
> non-protected pages use the "anonymous" subject (I'm pretty sure some
> other servers work that way), but it would be nicer if both types of
> pages used the "aaron" subject until that session expired or the user
> logs out.

Can you point to another server that works this way?  I think the spec is needlessly unclear but does (barely) require the behavior I'm proposing: alan is not quite so sure.  I'd also be interested in an explanation of how to read the spec so our current behavior is more clearly correct :-)

david jencks

> Aaron
> On 1/6/06, David Jencks (JIRA) <> wrote:
>> access to unprotected web resource after login does not use  
>> correct Subject
>> ----------------------------------------------------------------------------
>>          Key: GERONIMO-1425
>>          URL:
>>      Project: Geronimo
>>         Type: Bug
>>   Components: Tomcat, web
>>     Versions: 1.1
>>     Reporter: David Jencks
>>  Assigned to: David Jencks
>>      Fix For: 1.1
>> This applies to both jetty and tomcat.
>> Currently we are installing the correct authenticated Subject in  
>> ContextManager only when you access a protected resource.  For any  
>> access to unprotected resources, even after logon, we are  
>> installing the default Subject in the ContextManager.  This  
>> appears to violate this from servlet spec 2.4 12.7:
>> A security identity, or principal, must always be provided for use  
>> in a call to an enterprise bean. The default mode in calls to  
>> enterprise beans from web applications is for the security  
>> identity of a web user to be propagated to the EJB™ container.
>> After logon, the security identity of the user is known, whether  
>> or not they are visiting a protected resource.  Therefore the  
>> default is to use this identity in ejb calls, which for us  
>> requires putting the authenticated subject in the ContextManager.
>> Alan Cabrera has some doubts that this spec language actually  
>> requires us to implement the default behavior stated here, and I  
>> agree that a strict reading does not seem to require this, but  
>> IIUC we agree that we should implement this behavior anyway.
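The two behaviours the issue contrasts, as an added example that is not Geronimo's code: a hypothetical thread-local `ContextManager` stand-in, a hypothetical `Request` that records whether the target resource is constrained and which `Subject` the session holds after login, and two resolution policies, `resolveCallerPerResource` (the reported behaviour: the authenticated Subject is installed only for protected resources) and `resolveCallerPerSession` (the behaviour the issue asks for: once logged in, the session's Subject is the caller for every resource). The `dispatch` and `callEjb` helpers are also assumptions; only `javax.security.auth.Subject` and `java.security.Principal` are real APIs.

```java
import java.security.Principal;
import java.util.Collections;
import javax.security.auth.Subject;

// Self-contained model of the Subject-propagation policies discussed in
// GERONIMO-1425. Not Geronimo code: ContextManager, Request, dispatch and
// callEjb are stand-ins for the container's real classes.
public class SubjectPropagationDemo {

    /** Stand-in for Geronimo's ContextManager: one current caller Subject per thread. */
    static final class ContextManager {
        private static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();
        static void setCurrentCaller(Subject s) { CURRENT.set(s); }
        static Subject getCurrentCaller() { return CURRENT.get(); }
        static void clear() { CURRENT.remove(); }
    }

    /** Minimal Principal carrying only a name. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return name; }
    }

    /** Builds a read-only Subject holding a single named principal. */
    static Subject subjectFor(String name) {
        return new Subject(true,
                Collections.<Principal>singleton(new NamedPrincipal(name)),
                Collections.emptySet(), Collections.emptySet());
    }

    /**
     * Stand-in for one HTTP request: whether the target has a security
     * constraint, and the Subject the session holds after login (null before).
     */
    static final class Request {
        final boolean protectedResource;
        final Subject sessionSubject;
        Request(boolean protectedResource, Subject sessionSubject) {
            this.protectedResource = protectedResource;
            this.sessionSubject = sessionSubject;
        }
    }

    /** Reported behaviour: the authenticated Subject is used only for protected resources. */
    static Subject resolveCallerPerResource(Request req, Subject defaultSubject) {
        if (req.protectedResource && req.sessionSubject != null) {
            return req.sessionSubject;
        }
        return defaultSubject;
    }

    /** Requested behaviour: once logged in, the session's Subject is the caller everywhere. */
    static Subject resolveCallerPerSession(Request req, Subject defaultSubject) {
        return req.sessionSubject != null ? req.sessionSubject : defaultSubject;
    }

    /** Installs the resolved caller for the request, makes the EJB call, and always clears it. */
    static String dispatch(Request req, Subject defaultSubject, boolean perSession) {
        Subject caller = perSession
                ? resolveCallerPerSession(req, defaultSubject)
                : resolveCallerPerResource(req, defaultSubject);
        ContextManager.setCurrentCaller(caller);
        try {
            return callEjb();
        } finally {
            ContextManager.clear(); // never leak a caller identity to the next request on this thread
        }
    }

    /** The identity an EJB would see: the principal of the Subject currently in the ContextManager. */
    static String callEjb() {
        Subject s = ContextManager.getCurrentCaller();
        return s.getPrincipals().iterator().next().getName();
    }

    public static void main(String[] args) {
        Subject anonymous = subjectFor("anonymous"); // the default Subject
        Subject aaron = subjectFor("aaron");         // Subject stored in the session after login

        Request protectedAfterLogin = new Request(true, aaron);
        Request unprotectedAfterLogin = new Request(false, aaron);
        Request unprotectedNoLogin = new Request(false, null);

        for (boolean perSession : new boolean[] { false, true }) {
            String policy = perSession ? "per-session " : "per-resource";
            System.out.println(policy + " protected, logged in:   "
                    + dispatch(protectedAfterLogin, anonymous, perSession));
            System.out.println(policy + " unprotected, logged in: "
                    + dispatch(unprotectedAfterLogin, anonymous, perSession));
            System.out.println(policy + " unprotected, no login:  "
                    + dispatch(unprotectedNoLogin, anonymous, perSession));
        }
    }
}
```

The only case where the two policies differ is the unprotected resource visited after login: the per-resource policy hands the EJB call the default (anonymous) identity, while the per-session policy hands it the logged-in user's identity, which is what the quoted 12.7 language about propagating the web user's security identity is read as requiring. Whichever policy a container implements, the `finally` clearing of the thread-local is the part a reviewer should insist on, since a Subject left behind on a pooled request thread would be seen by an unrelated later request.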
