geronimo-dev mailing list archives

From "David Jencks (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-3154) Web authorization should only use jacc calls
Date Tue, 15 May 2007 22:36:16 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-3154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12496155 ]

David Jencks commented on GERONIMO-3154:
----------------------------------------

This should be fixed in rev 538344 for jetty.  This requires JETTY-340 to be resolved to avoid some NPEs.

> Web authorization should only use jacc calls
> --------------------------------------------
>
>                 Key: GERONIMO-3154
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3154
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: web
>    Affects Versions: 2.0-M6
>            Reporter: David Jencks
>         Assigned To: David Jencks
>             Fix For: 2.0-M6
>
>
> At Javaone I had a chat with Ron Monzillo who pointed out to me how to use only the mandated jacc permission checks to decide whether a request should be denied, allowed, or redirected for login.  We need to change the jetty and tomcat security stuff to do this.
> Sequence of steps I think should work:
> 1. check UDP.  Any excluded page will be denied here.  Also, if you have the wrong connection security you'll get denied.  I think this is correct.
> 2. If the user is logged in, install their subject in the security system.  If not, install the default subject.
> 3. check the WRP. If passed, continue.
> 4. if denied, and the user is logged in, deny
> 4.b. if denied and the user is not logged in, redirect.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
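The four-step decision sequence from the issue description, written out against the JACC 1.1 API as an added illustration; this is not Geronimo's own jetty or tomcat code. The policy context id, the default subject and the web module's CodeSource are assumed to be supplied by the container, and the "install subject" step is modelled only as choosing which principals go into the ProtectionDomain handed to Policy.implies.

```java
import java.security.CodeSource;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.http.HttpServletRequest;

public class JaccWebAuthorizer {

    public enum Decision { ALLOW, DENY, REDIRECT_TO_LOGIN }

    private final String contextId;        // JACC policy context id of the web module (assumed)
    private final Subject defaultSubject;  // subject for unauthenticated callers (assumed)
    private final CodeSource codeSource;   // code source of the web module (assumed)

    public JaccWebAuthorizer(String contextId, Subject defaultSubject, CodeSource codeSource) {
        this.contextId = contextId;
        this.defaultSubject = defaultSubject;
        this.codeSource = codeSource;
    }

    // authenticatedSubject is null when nobody is logged in.
    public Decision authorize(HttpServletRequest request, Subject authenticatedSubject)
            throws PolicyContextException {
        PolicyContext.setContextID(contextId);
        Policy policy = Policy.getPolicy();

        // Step 1: WebUserDataPermission (UDP). Excluded resources and a wrong transport
        // guarantee fail here regardless of who the caller is, so the default subject is used.
        if (!policy.implies(domainFor(defaultSubject), new WebUserDataPermission(request))) {
            return Decision.DENY;
        }

        // Step 2: pick the caller's subject if logged in, otherwise the default subject.
        boolean loggedIn = authenticatedSubject != null;
        Subject current = loggedIn ? authenticatedSubject : defaultSubject;

        // Step 3: WebResourcePermission (WRP) against the installed subject.
        if (policy.implies(domainFor(current), new WebResourcePermission(request))) {
            return Decision.ALLOW;
        }

        // Steps 4 / 4.b: denied, so a logged-in caller is refused and an anonymous one is sent to log in.
        return loggedIn ? Decision.DENY : Decision.REDIRECT_TO_LOGIN;
    }

    private ProtectionDomain domainFor(Subject subject) {
        Principal[] principals = subject.getPrincipals().toArray(new Principal[0]);
        return new ProtectionDomain(codeSource, null, getClass().getClassLoader(), principals);
    }
}
```

Because every decision goes through Policy.implies, an administrator's JACC policy provider (not container-specific role tables) is the single place where a denied or excluded resource is defined.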

