geronimo-dev mailing list archives

From "David Jencks (JIRA)" <>
Subject [jira] Updated: (GERONIMO-1440) JAASJettyRealm not shared enough
Date Mon, 05 Jun 2006 05:20:31 GMT

David Jencks updated GERONIMO-1440:

    Fix Version: 1.1

This was merged into 1.1 in rev 407589

> JAASJettyRealm not shared enough
> --------------------------------
>          Key: GERONIMO-1440
>          URL:
>      Project: Geronimo
>         Type: Bug
>     Security: public(Regular issues) 
>   Components: web
>     Versions: 1.0
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.1, 1.2

> There are a bunch of problems that lead back to missing JAASJettyRealms or multiple "equal"
> A JAASJettyRealm has an (external) realm name from the web.xml and an internal geronimo
> realm name and a map of user name to principal (which includes the Subject for that user)
> for logged in users.  If you supply an (internal) security realm name, a JAASJettyRealm is
> registered with the HTTPContext and used for authentication, reauthentication, etc.  If you
> don't supply a security realm name, but there is a realm name, then jetty tries to get the
> realm from the JettyServer.  Here are some problems:
> 1. We never register our JAASJettyRealms with JettyServer, so if you don't supply a security
> realm name you eventually get NPEs if the app calls isUserInRole etc.
> Let's assume we fix (1).
> 2. If you have 2 apps A and B deployed with the same external realm name and internal
> realm name, only the last to start is registered with the JettyServer.  Any other app C using
> the same realm name but no internal realm name will get the second realm.  If we did a
> cross-context dispatch from the first app A to C, C will be using the realm from B.
> I think that there should only be one JAASJettyRealm per external realm name, based on
> servlet spec 2.4 section 12.6.  If you disagree, please say why :-).

This message is automatically generated by JIRA.
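Editor's note: the two failure modes in the report (no realm registered with the server at all, and last-registered-wins when two apps share an external realm name) are easy to reproduce in a small model, and so is the proposed rule of one realm per external name. The following is an added example written for this page; it is not Geronimo or Jetty code, and the names Realm, RealmRegistry, Deployment and the registry variants are assumptions made for illustration. It keeps the property that matters: each realm object holds its own map of logged-in users, so an app that resolves the wrong realm object does not see users authenticated through another one.

```java
import java.util.HashMap;
import java.util.Map;

/*
 * Illustrative model (not Geronimo/Jetty code) of the realm-lookup problem in
 * GERONIMO-1440. Realm, RealmRegistry and Deployment are assumed names.
 */
public class RealmSharingDemo {

    /** External (web.xml) name, internal (geronimo) name, and this realm's own logged-in users. */
    static final class Realm {
        final String externalName;
        final String internalName;
        private final Map<String, String> principals = new HashMap<>(); // user -> principal

        Realm(String externalName, String internalName) {
            this.externalName = externalName;
            this.internalName = internalName;
        }

        void login(String user) { principals.put(user, "principal:" + user); }

        /** Stand-in for isUserInRole: only users authenticated through THIS object are known. */
        boolean isUserInRole(String user, String role) {
            return principals.containsKey(user) && "user".equals(role);
        }
    }

    /** Server-wide registry of realms, keyed by external realm name. */
    interface RealmRegistry {
        Realm register(Realm realm);
        Realm lookup(String externalName);
    }

    /** Problem 1: realms are created but never registered with the server. */
    static final class UnregisteredRegistry implements RealmRegistry {
        public Realm register(Realm r) { return r; }
        public Realm lookup(String name) { return null; }
    }

    /** Problem 2: plain map, the last registration for a name wins. */
    static final class LastWinsRegistry implements RealmRegistry {
        private final Map<String, Realm> byName = new HashMap<>();
        public Realm register(Realm r) { byName.put(r.externalName, r); return r; }
        public Realm lookup(String name) { return byName.get(name); }
    }

    /** Proposed rule: one realm per external name; a second registration reuses the first. */
    static final class SharedRegistry implements RealmRegistry {
        private final Map<String, Realm> byName = new HashMap<>();
        public Realm register(Realm r) {
            Realm existing = byName.get(r.externalName);
            if (existing == null) { byName.put(r.externalName, r); return r; }
            if (!existing.internalName.equals(r.internalName)) {
                throw new IllegalStateException("external realm " + r.externalName
                        + " already bound to internal realm " + existing.internalName);
            }
            return existing; // A and B now share one object and one login map
        }
        public Realm lookup(String name) { return byName.get(name); }
    }

    /** A deployed app: with an internal realm name it owns a realm, otherwise it looks one up. */
    static final class Deployment {
        final String externalName;
        final Realm ownRealm; // null when no internal realm name was supplied

        Deployment(String externalName, String internalName, RealmRegistry reg) {
            this.externalName = externalName;
            this.ownRealm = internalName == null ? null : reg.register(new Realm(externalName, internalName));
        }

        Realm realm(RealmRegistry reg) {
            return ownRealm != null ? ownRealm : reg.lookup(externalName);
        }
    }

    /** Scenario from the report: A logs alice in, then a cross-context dispatch to C asks about her. */
    static String scenario(RealmRegistry reg) {
        Deployment a = new Deployment("myrealm", "geronimo-realm", reg);
        Deployment b = new Deployment("myrealm", "geronimo-realm", reg);
        Deployment c = new Deployment("myrealm", null, reg);
        a.realm(reg).login("alice");
        Realm seenByC = c.realm(reg);
        if (seenByC == null) return "C resolves no realm; isUserInRole would NPE";
        String whose = seenByC == a.realm(reg) ? "A's" : seenByC == b.realm(reg) ? "B's" : "another";
        return "C uses " + whose + " realm; alice known to C: " + seenByC.isUserInRole("alice", "user");
    }

    public static void main(String[] args) {
        System.out.println("unregistered: " + scenario(new UnregisteredRegistry()));
        System.out.println("last-wins:    " + scenario(new LastWinsRegistry()));
        System.out.println("shared:       " + scenario(new SharedRegistry()));
    }
}
```

Running it shows the three outcomes side by side: with no registration C has nothing to authenticate against; with last-wins C resolves B's realm, where alice never logged in, so her authenticated state from A is invisible after the dispatch; with one realm per external name C resolves the same object A used and the check succeeds. The SharedRegistry also refuses to bind one external name to two different internal realms, which is the check a deployer would want rather than a silent replacement.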