geronimo-dev mailing list archives

From "Matt Hogstrom (JIRA)" <...@geronimo.apache.org>
Subject [jira] Updated: (GERONIMO-1425) access to unprotected web resource after login does not use correct Subject
Date Thu, 08 Jun 2006 17:46:31 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-1425?page=all ]

Matt Hogstrom updated GERONIMO-1425:
------------------------------------

    Fix Version: Verification Required
                     (was: 1.2)
                     (was: 1.1)

> access to unprotected web resource after login does not use correct Subject
> ---------------------------------------------------------------------------
>
>          Key: GERONIMO-1425
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1425
>      Project: Geronimo
>         Type: Bug
>     Security: public(Regular issues) 
>   Components: Tomcat, web
>     Versions: 1.2
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: Verification Required

>
> This applies to both jetty and tomcat.
> Currently we are installing the correct authenticated Subject in ContextManager only when you access a protected resource.  For any access to unprotected resources, even after logon, we are installing the default Subject in the ContextManager.  This appears to violate this from servlet spec 2.4 12.7:
> A security identity, or principal, must always be provided for use in a call to an enterprise bean. The default mode in calls to enterprise beans from web applications is for the security identity of a web user to be propagated to the EJB™ container.
> After logon, the security identity of the user is known, whether or not they are visiting a protected resource.  Therefore the default is to use this identity in ejb calls, which for us requires putting the authenticated subject in the ContextManager.
> Alan Cabrera has some doubts that this spec language actually requires us to implement the default behavior stated here, and I agree that a strict reading does not seem to require this, but IIUC we agree that we should implement this behavior anyway.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

