From: "David Jencks (JIRA)"
To: dev@geronimo.apache.org
Date: Mon, 9 Jan 2006 11:17:32 +0100 (CET)
Subject: [jira] Created: (GERONIMO-1440) JAASJettyRealm not shared enough

JAASJettyRealm not shared enough
--------------------------------

Key: GERONIMO-1440
URL: http://issues.apache.org/jira/browse/GERONIMO-1440
Project: Geronimo
Type: Bug
Components: web
Versions: 1.0
Reporter: David Jencks
Assigned to: David Jencks
Fix For: 1.1

There are a bunch of problems that lead back to missing JAASJettyRealms or multiple "equal" JAASJettyRealms.
A JAASJettyRealm has an (external) realm name from the web.xml, an internal Geronimo realm name, and a map of user name to principal (which includes the Subject for that user) for logged-in users. If you supply an (internal) security realm name, a JAASJettyRealm is registered with the HTTPContext and used for authentication, reauthentication, etc. If you don't supply a security realm name, but there is a realm name, then Jetty tries to get the realm from the JettyServer.

Here are some problems:

1. We never register our JAASJettyRealms with JettyServer, so if you don't supply a security realm name you eventually get NPEs if the app calls isUserInRole etc.

Let's assume we fix (1).

2. If you have 2 apps A and B deployed with the same external realm name and internal realm name, only the last to start is registered with the JettyServer. Any other app C using the same realm name but no internal realm name will get the second realm. If we did a cross-context dispatch from the first app A to C, C will be using the realm from B.

I think that there should only be one JAASJettyRealm per external realm name, based on servlet spec 2.4 section 12.6. If you disagree, please say why :-).
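The two failure modes described in the issue, and the proposed "one realm per external realm name" rule, are easy to see in a small model of the realm registry. The following is an added example written for this note, not Geronimo or Jetty code; the classes Realm, Server and WebApp, the register/share flags and the user "alice" are constructed for illustration and do not correspond to the project's APIs.

```python
"""Model of the realm lookup problems in GERONIMO-1440 (hypothetical, not project code)."""
from typing import Dict, Optional, Set


class Realm:
    """Stand-in for a JAASJettyRealm: an external realm name (from web.xml),
    an internal Geronimo realm name, and the map of logged-in users."""

    def __init__(self, external_name: str, internal_name: str) -> None:
        self.external_name = external_name
        self.internal_name = internal_name
        # user name -> roles; stands in for the principal/Subject map
        self.users: Dict[str, Set[str]] = {}

    def login(self, user: str, roles: Set[str]) -> None:
        self.users[user] = set(roles)

    def is_user_in_role(self, user: str, role: str) -> bool:
        return role in self.users.get(user, set())


class Server:
    """Stand-in for the JettyServer realm registry, keyed by external realm name.

    register=False models problem 1 (realms never registered with the server).
    share=False models problem 2 (each context creates its own realm and the
    last one to start overwrites the registration)."""

    def __init__(self, register: bool, share: bool) -> None:
        self.register = register
        self.share = share
        self.realms: Dict[str, Realm] = {}

    def realm_for(self, external_name: str, internal_name: Optional[str]) -> Optional[Realm]:
        if internal_name is None:
            # Realm name only: the context can only use what the server knows about.
            return self.realms.get(external_name)
        if self.share and external_name in self.realms:
            # One JAASJettyRealm per external realm name: reuse it.
            return self.realms[external_name]
        realm = Realm(external_name, internal_name)
        if self.register:
            self.realms[external_name] = realm
        return realm


class WebApp:
    def __init__(self, name: str, server: Server, external_name: str,
                 internal_name: Optional[str] = None) -> None:
        self.name = name
        self.realm = server.realm_for(external_name, internal_name)

    def is_user_in_role(self, user: str, role: str):
        if self.realm is None:
            # In the real server this is where the NPE would surface.
            return "NPE"
        return self.realm.is_user_in_role(user, role)


def dispatch_from_a_to_c(register: bool, share: bool):
    """Deploy A and B (same external and internal realm name) and C (realm name
    only), log alice into A, then ask C whether alice is a manager, as a
    cross-context dispatch from A to C would. Returns True, False or "NPE"."""
    server = Server(register=register, share=share)
    a = WebApp("A", server, "app-realm", "geronimo-realm")
    WebApp("B", server, "app-realm", "geronimo-realm")
    c = WebApp("C", server, "app-realm")
    a.realm.login("alice", {"manager"})
    return c.is_user_in_role("alice", "manager")


if __name__ == "__main__":
    print("unregistered:", dispatch_from_a_to_c(register=False, share=False))
    print("last wins:   ", dispatch_from_a_to_c(register=True, share=False))
    print("shared:      ", dispatch_from_a_to_c(register=True, share=True))
```

Without registration C has no realm at all; with last-wins registration C resolves B's realm, which has never seen alice's login, so the role check silently fails for a user who is logged in; only when A, B and C resolve to the same realm instance per external realm name does the cross-context answer match the user's actual session.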