geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <>
Subject [jira] Commented: (GERONIMO-4124) Tomcat jacc usage is messed up
Date Sat, 21 Jun 2008 17:47:45 GMT


David Jencks commented on GERONIMO-4124:

work done on this issue in code:
trunk rev. 670236
Improved run-as tests in testsuite
trunk rev. 670237

The behavior in the tests agrees between jetty and tomcat but I don't think it's right.  With
this scenario:
user logs in in role foo
Servlet1 configured with run-as role baz
forwards to servlet2 with no run-as role
calls ejb
the ejb sees only role foo.  In other words forwarding to servlet 2 has erased the run-as
information from servlet 1.

In addition there's a questionable case:
in the above scenario, should servlet 2 see foo or baz?  Currently it sees foo.


(1) is fixed; we install either the actual or default subject before checking WebUserDataPermissions
and never call the non-jacc tomcat code
(2) is invalid, the Subject comes directly from ContextManager
(3) seems to be the only way to get form auth to work.  I think it's causing the behavior
I think is wrong noted above.  

> Tomcat jacc usage is messed up
> ------------------------------
>                 Key: GERONIMO-4124
>                 URL:
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Tomcat
>    Affects Versions: 2.0.2, 2.1.1, 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.0.x, 2.1.2, 2.2
> Several problems:
> 1. UserDataPermissions are not getting evaluated by jacc due to the check for Subject
in handler data.
> 2. Subject is never set into handler data (also  a problem in jetty, dunno about openejb).
> 3. TomcatGeronimoRealm is calling ContextManager.setCallers before permission checks.
 This is wrong.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message