geronimo-dev mailing list archives

From "David Jencks (JIRA)" <>
Subject [jira] Created: (GERONIMO-3154) Web authorization should only use jacc calls
Date Fri, 11 May 2007 21:52:15 GMT
Web authorization should only use jacc calls

                 Key: GERONIMO-3154
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: web
    Affects Versions: 2.0-M6
            Reporter: David Jencks
         Assigned To: David Jencks
             Fix For: 2.0-M6

At JavaOne I had a chat with Ron Monzillo who pointed out to me how to use only the mandated
JACC permission checks to decide whether a request should be denied, allowed, or redirected
for login.  We need to change the Jetty and Tomcat security stuff to do this.

Sequence of steps I think should work:

1. check UDP.  Any excluded page will be denied here.  Also, if you have the wrong connection
security you'll get denied.  I think this is correct.

2. If the user is logged in, install their subject in the security system.  If not, install
the default subject.

3. check the WRP. If passed, continue.

4a. If denied, and the user is logged in, deny.

4b. If denied and the user is not logged in, redirect.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
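The four-step sequence described in the issue, as an added worked example in Java. This is not Geronimo's code and not the change that closed this issue; it only shows the shape of the decision. It assumes the container has already linked the web module's JACC policy configuration under `contextId`, that the caller has the authenticated user's `Subject` (or null when nobody is logged in), and that the installed `java.security.Policy` answers JACC permission checks from the principals of the `ProtectionDomain` it is handed, which is how a JACC provider is normally wired. The placeholder `CodeSource`, the `Decision` enum, and the class and method names are this example's own.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.http.HttpServletRequest;

/** Example only: decides allow / deny / redirect using nothing but the two JACC web permissions. */
public class JaccWebAuthorizer {

    public enum Decision { ALLOW, DENY, REDIRECT_TO_LOGIN }

    private final String contextId;       // JACC policy context id of the web module (assumed set up)
    private final Subject defaultSubject; // subject used for requests with nobody logged in
    private final CodeSource codeSource;  // placeholder; JACC decisions here hinge on principals, not code

    public JaccWebAuthorizer(String contextId, Subject defaultSubject) throws MalformedURLException {
        this.contextId = contextId;
        this.defaultSubject = defaultSubject;
        this.codeSource = new CodeSource(new URL("file:///jacc-placeholder"), (Certificate[]) null);
    }

    /**
     * @param request         the incoming request (method, path and isSecure() feed the permissions)
     * @param loggedInSubject the authenticated user's Subject, or null if not logged in
     */
    public Decision authorize(HttpServletRequest request, Subject loggedInSubject)
            throws PolicyContextException {
        // Tell the policy which module's rules apply and hand it the request for its handlers.
        PolicyContext.setContextID(contextId);
        PolicyContext.setHandlerData(request);

        // Step 1: WebUserDataPermission. Excluded URL patterns and a wrong transport guarantee
        // (e.g. CONFIDENTIAL required but request.isSecure() is false) are refused here,
        // independent of who the caller is, so no principals are needed for this check.
        if (!implies(null, new WebUserDataPermission(request))) {
            return Decision.DENY;
        }

        // Step 2: run the resource check as the logged-in subject, else as the default subject.
        boolean loggedIn = loggedInSubject != null;
        Subject effective = loggedIn ? loggedInSubject : defaultSubject;

        // Step 3: WebResourcePermission. Passing means the effective subject's roles cover the URL.
        if (implies(effective, new WebResourcePermission(request))) {
            return Decision.ALLOW;
        }

        // Step 4a: an authenticated user who still lacks the role gets a hard deny.
        // Step 4b: an unauthenticated user might pass after logging in, so send them to login.
        return loggedIn ? Decision.DENY : Decision.REDIRECT_TO_LOGIN;
    }

    /** Asks the installed Policy whether the given subject's principals imply the permission. */
    private boolean implies(Subject subject, Permission permission) {
        Principal[] principals = subject == null
                ? new Principal[0]
                : subject.getPrincipals().toArray(new Principal[0]);
        ProtectionDomain domain = new ProtectionDomain(codeSource, null, null, principals);
        return Policy.getPolicy().implies(domain, permission);
    }
}
```

Two things to watch when wiring this into a container: `PolicyContext.setContextID` requires `SecurityPermission("setPolicy")` when a `SecurityManager` is installed, so the container code that calls it must be granted that; and the ordering matters, because running the `WebResourcePermission` check first would turn a wrong-transport or excluded request from an unauthenticated client into a login redirect instead of the denial the first step is meant to produce.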
