geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <>
Subject [jira] Updated: (GERONIMO-1425) access to unprotected web resource after login does not use correct Subject
Date Wed, 19 Apr 2006 08:46:20 GMT
     [ ]

David Jencks updated GERONIMO-1425:

    Fix Version: 1.1

patch ported to 1.1 in rev 395178

> access to unprotected web resource after login does not use correct Subject
> ---------------------------------------------------------------------------
>          Key: GERONIMO-1425
>          URL:
>      Project: Geronimo
>         Type: Bug
>     Security: public(Regular issues) 
>   Components: Tomcat, web
>     Versions: 1.2
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.2, 1.1

> This applies to both jetty and tomcat.
> Currently we are installing the correct authenticated Subject in ContextManager only
when you access a protected resource.  For any access to unprotected resources, even after
logon, we are installing the default Subject in the ContextManager.  This appears to violate
this from servlet spec 2.4 12.7:
> A security identity, or principal, must always be provided for use in a call to an enterprise
bean. The default mode in calls to enterprise beans from web applications is for the security
identity of a web user to be propagated to the EJBTM container.
> After logon, the security identity of the user is known, whether or not they are visiting
a protected resource.  Therefore the default is to use this identity in ejb calls, which for
us requires putting the authenticated subject in the ContextManager.
> Alan Cabrera has some doubts that this spec language actually requires us to implement
the default behavior stated here, and I agree that a strict reading does not seem to require
this, but IIUC we agree that we should implement this behavior anyway.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:

View raw message