geronimo-dev mailing list archives

From "David Jencks (JIRA)" <>
Subject [jira] Closed: (GERONIMO-3154) Web authorization should only use jacc calls
Date Tue, 12 Jun 2007 00:48:25 GMT


David Jencks closed GERONIMO-3154.

       Resolution: Fixed
    Fix Version/s:     (was: 2.0-M6)

Tomcat was already only using the official jacc calls, but there was some cruft to clean up
in rev 546336.

> Web authorization should only use jacc calls
> --------------------------------------------
>                 Key: GERONIMO-3154
>                 URL:
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public (Regular issues)
>          Components: web
>    Affects Versions: 2.0-M6
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.0-M7
> At Javaone I had a chat with Ron Monzillo who pointed out to me how to use only the mandated
jacc permission checks to decide whether a request should be denied, allowed, or redirected
for login.  We need to change the jetty and tomcat security stuff to do this.
> Sequence of steps I think should work:
> 1. check UDP.  Any excluded page will be denied here.  Also, if you have the wrong connection
security you'll get denied.  I think this is correct.
> 2. If the user is logged in, install their subject in the security system.  If not, install
the default subject.
> 3. check the WRP. If passed, continue.
> 4. if denied, and the user is logged in, deny
> 4.b. if denied and the user is not logged in, redirect.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
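The four-step sequence in the issue description, written out as an added example that is not Geronimo's or Tomcat's code. It makes the decision purely with JACC permission checks: WebUserDataPermission first (excluded pages and transport mismatches fail here for everyone), then WebResourcePermission against the principals of the logged-in subject or the default subject, and finally deny versus redirect depending on whether a user is logged in. The `ToyJaccPolicy`, `RolePrincipal`, the URL patterns and the sample requests are constructed for illustration; a container would instead consult the installed JACC provider through `Policy.getPolicy()` after setting the module's context id with `PolicyContext.setContextID`.

```java
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;

/** Added example, not Geronimo or Tomcat code: the issue's four steps as JACC checks only. */
public final class JaccWebAuthorizer {

    public enum Decision { ALLOW, DENY, REDIRECT_TO_LOGIN }

    /** Hypothetical role principal; a real container uses its own Principal classes. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /**
     * Toy stand-in for the container's JACC policy provider (assumed, not a real provider):
     * unchecked permissions plus per-role grants. An excluded resource is never granted at
     * all, so no subject can pass a check on it. java.security.Policy is deprecated on recent
     * JDKs but is still the interface a JACC 1.x provider plugs into.
     */
    public static final class ToyJaccPolicy extends Policy {
        private final Permissions unchecked = new Permissions();
        private final Map<String, Permissions> byRole = new HashMap<>();

        public ToyJaccPolicy addUnchecked(Permission p) { unchecked.add(p); return this; }

        public ToyJaccPolicy addToRole(String role, Permission p) {
            byRole.computeIfAbsent(role, r -> new Permissions()).add(p);
            return this;
        }

        @Override public boolean implies(ProtectionDomain domain, Permission p) {
            if (unchecked.implies(p)) return true;
            for (Principal principal : domain.getPrincipals()) {
                Permissions granted = byRole.get(principal.getName());
                if (granted != null && granted.implies(p)) return true;
            }
            return false;
        }
    }

    private final Policy policy;
    private final Subject defaultSubject;

    public JaccWebAuthorizer(Policy policy, Subject defaultSubject) {
        this.policy = policy;
        this.defaultSubject = defaultSubject;
    }

    /** @param user the authenticated subject, or null when nobody is logged in */
    public Decision authorize(String path, String method, boolean secureTransport, Subject user) {
        // JACC names a request by its context-relative path, using "" for the root path.
        String name = "/".equals(path) ? "" : path;

        // 1. WebUserDataPermission. An excluded page is granted to nobody, and a CONFIDENTIAL
        //    constraint is only satisfied by a request that arrived over a protected connection.
        //    User-data permissions are never role-scoped, so this check needs no principals.
        String udpActions = secureTransport ? method + ":CONFIDENTIAL" : method;
        if (!policy.implies(domainFor(null), new WebUserDataPermission(name, udpActions))) {
            return Decision.DENY;
        }

        // 2. Decide as the logged-in user, or as the default subject when nobody is logged in.
        boolean loggedIn = user != null;
        Subject current = loggedIn ? user : defaultSubject;

        // 3. WebResourcePermission with that subject's principals.
        if (policy.implies(domainFor(current), new WebResourcePermission(name, method))) {
            return Decision.ALLOW;
        }

        // 4. Denied: a logged-in user is refused, an anonymous user is sent to log in (4.b).
        return loggedIn ? Decision.DENY : Decision.REDIRECT_TO_LOGIN;
    }

    private static ProtectionDomain domainFor(Subject subject) {
        Principal[] principals = subject == null
                ? new Principal[0]
                : subject.getPrincipals().toArray(new Principal[0]);
        return new ProtectionDomain(null, null, null, principals);
    }

    public static void main(String[] args) {
        // Constructed policy: "/*" minus /admin/* and /secret/* is public over any transport,
        // /admin/* needs HTTPS and the "admin" role, /secret/* is excluded (no grants at all).
        Policy policy = new ToyJaccPolicy()
                .addUnchecked(new WebUserDataPermission("/*:/admin/*:/secret/*", "GET,POST"))
                .addUnchecked(new WebUserDataPermission("/admin/*", "GET,POST:CONFIDENTIAL"))
                .addUnchecked(new WebResourcePermission("/*:/admin/*:/secret/*", "GET,POST"))
                .addToRole("admin", new WebResourcePermission("/admin/*", "GET,POST"));

        Subject anonymous = new Subject();            // default subject: no principals
        Subject admin = new Subject();
        admin.getPrincipals().add(new RolePrincipal("admin"));

        JaccWebAuthorizer auth = new JaccWebAuthorizer(policy, anonymous);
        System.out.println(auth.authorize("/index.jsp", "GET", false, null));    // public page, anonymous
        System.out.println(auth.authorize("/secret/keys", "GET", true, admin));  // excluded page, even as admin
        System.out.println(auth.authorize("/admin/users", "GET", false, admin)); // admin, but over plain HTTP
        System.out.println(auth.authorize("/admin/users", "GET", true, null));   // anonymous over HTTPS
        System.out.println(auth.authorize("/admin/users", "GET", true, admin));  // admin over HTTPS
    }
}
```

The qualified pattern `"/*:/admin/*:/secret/*"` is ordinary JACC URLPatternSpec syntax (a pattern minus the patterns listed after the colons); it is what lets the public grant stop short of the constrained and excluded paths, which is why `/secret/*` can be "excluded" simply by never being granted. Note the order matters: running the resource check before the user-data check would let an anonymous request for an excluded page be answered with a login redirect instead of a denial.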
