From Aaron Mulder <ammul...@alumni.princeton.edu>
Subject Re: [jira] Created: (GERONIMO-1425) access to unprotected web resource after login does not use correct Subject
Date Fri, 06 Jan 2006 21:14:01 GMT
I think it would be nice to behave like you're describing, but I
believe that the spec does not require it.  That is, if the default
principal is "anonymous" and the current user is "aaron", I think it's
legit to have protected pages use the "aaron" subject and
non-protected pages use the "anonymous" subject (I'm pretty sure some
other servers work that way), but it would be nicer if both types of
pages used the "aaron" subject until that session expired or the user
logs out.

Aaron

On 1/6/06, David Jencks (JIRA) <dev@geronimo.apache.org> wrote:
> access to unprotected web resource after login does not use correct Subject
> ---------------------------------------------------------------------------
>
>          Key: GERONIMO-1425
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1425
>      Project: Geronimo
>         Type: Bug
>   Components: Tomcat, web
>     Versions: 1.1
>     Reporter: David Jencks
>  Assigned to: David Jencks
>      Fix For: 1.1
>
>
> This applies to both jetty and tomcat.
>
> Currently we are installing the correct authenticated Subject in ContextManager only when you access a protected resource. For any access to unprotected resources, even after logon, we are installing the default Subject in the ContextManager. This appears to violate this from servlet spec 2.4 12.7:
>
> A security identity, or principal, must always be provided for use in a call to an enterprise bean. The default mode in calls to enterprise beans from web applications is for the security identity of a web user to be propagated to the EJB™ container.
>
> After logon, the security identity of the user is known, whether or not they are visiting a protected resource. Therefore the default is to use this identity in ejb calls, which for us requires putting the authenticated subject in the ContextManager.
>
> Alan Cabrera has some doubts that this spec language actually requires us to implement the default behavior stated here, and I agree that a strict reading does not seem to require this, but IIUC we agree that we should implement this behavior anyway.
>
> --
> This message is automatically generated by JIRA.
> -
> If you think it was sent incorrectly contact one of the administrators:
>    http://issues.apache.org/jira/secure/Administrators.jspa
> -
> For more information on JIRA, see:
>    http://www.atlassian.com/software/jira
>
>
