geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <>
Subject [jira] Closed: (GERONIMO-3073) More security bugs in openejb integration
Date Tue, 12 Jun 2007 00:54:25 GMT


David Jencks closed GERONIMO-3073.

       Resolution: Fixed
    Fix Version/s:     (was: 2.0-M5)

Openejb security is working OK.  If we decide to change how "remote login" is  working that
deserves it's own jira.

> More security bugs in openejb integration
> -----------------------------------------
>                 Key: GERONIMO-3073
>                 URL:
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: OpenEJB
>    Affects Versions: 2.0-M5
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.0-M6
> - GeronimoIdentityResolver should get the subject from the ContextManager, not Subject.getSubject,
since it's possible to do a login programatically without a CallbackHandler and skip the Subject.doAs(),
and furthermore at least in 1.4 jvms the subject from Subject.getSubject tends to disappear
after a while.
> - Most likely we need to map the "business home" and local home methods to "unchecked"
so that injection can work if the default principal is not authorized for everything.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message