Return-Path: Delivered-To: apmail-geronimo-scm-archive@www.apache.org Received: (qmail 90544 invoked from network); 8 Jan 2007 13:26:19 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 8 Jan 2007 13:26:19 -0000 Received: (qmail 25299 invoked by uid 500); 8 Jan 2007 13:26:26 -0000 Delivered-To: apmail-geronimo-scm-archive@geronimo.apache.org Received: (qmail 25276 invoked by uid 500); 8 Jan 2007 13:26:25 -0000 Mailing-List: contact scm-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: dev@geronimo.apache.org List-Id: Delivered-To: mailing list scm@geronimo.apache.org Received: (qmail 25265 invoked by uid 99); 8 Jan 2007 13:26:25 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 08 Jan 2007 05:26:25 -0800 X-ASF-Spam-Status: No, hits=-9.4 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 08 Jan 2007 05:26:18 -0800 Received: by eris.apache.org (Postfix, from userid 65534) id 6074C1A981D; Mon, 8 Jan 2007 05:25:19 -0800 (PST) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r494061 - in /geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat: GeronimoStandardContext.java interceptor/PolicyContextBeforeAfter.java realm/TomcatGeronimoRealm.java Date: Mon, 08 Jan 2007 13:25:19 -0000 To: scm@geronimo.apache.org 
From: vamsic007@apache.org
X-Mailer: svnmailer-1.1.0
Message-Id: <20070108132519.6074C1A981D@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Author: vamsic007
Date: Mon Jan 8 05:25:18 2007
New Revision: 494061
URL: http://svn.apache.org/viewvc?view=rev&rev=494061
Log: GERONIMO-2695 Requests using Non-secure HTTP connections cannot access unsecured web resources
o Back porting the fix committed by Jeff in rev 493193
o Use default principal when no authentication has occurred
Modified:
geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java
geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java
geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
Modified: geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java?view=diff&rev=494061&r1=494060&r2=494061
==============================================================================
--- geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java (original)
+++ geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java Mon Jan 8 05:25:18 2007
@@ -42,6 +42,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.geronimo.common.DeploymentException;
+import org.apache.geronimo.common.GeronimoSecurityException;
 import org.apache.geronimo.naming.enc.EnterpriseNamingContext;
 import org.apache.geronimo.naming.reference.ClassLoaderAwareReference;
 import org.apache.geronimo.naming.reference.KernelAwareReference;
@@ -64,6 +65,9 @@
 import org.apache.geronimo.webservices.WebServiceContainerInvoker;
+/**
+ * @version $Rev$ $Date$
+ */
 public class GeronimoStandardContext extends StandardContext {
 private static final Log log = LogFactory.getLog(GeronimoStandardContext.class);
@@ -134,14 +138,15 @@
 * Register our default subject with the ContextManager
 */
 DefaultPrincipal defaultPrincipal = securityHolder.getDefaultPrincipal();
- if (defaultPrincipal != null) {
- defaultSubject = ConfigurationUtil.generateDefaultSubject(defaultPrincipal, ctx.getClassLoader());
- ContextManager.registerSubject(defaultSubject);
- SubjectId id = ContextManager.getSubjectId(defaultSubject);
- defaultSubject.getPrincipals().add(new IdentificationPrincipal(id));
+ if (defaultPrincipal == null) {
+ throw new GeronimoSecurityException("Unable to generate default principal");
 }
+ defaultSubject = ConfigurationUtil.generateDefaultSubject(defaultPrincipal, ctx.getClassLoader());
+ ContextManager.registerSubject(defaultSubject);
+ SubjectId id = ContextManager.getSubjectId(defaultSubject);
+ defaultSubject.getPrincipals().add(new IdentificationPrincipal(id));
- interceptor = new PolicyContextBeforeAfter(interceptor, index++, index++, securityHolder.getPolicyContextID());
+ interceptor = new PolicyContextBeforeAfter(interceptor, index++, index++, index++, securityHolder.getPolicyContextID(), defaultSubject);
 }
 }
Modified: geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java?view=diff&rev=494061&r1=494060&r2=494061
==============================================================================
--- geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java (original)
+++ geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java Mon Jan 8 05:25:18 2007
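Review bot: The message on the new `throw`, "Unable to generate default principal", describes a generation failure, but the condition it reports is a missing configuration: `securityHolder.getDefaultPrincipal()` returned null before anything was generated. Name the actual cause so an operator can act on it, e.g. `throw new GeronimoSecurityException("No default principal configured for this web application; one is required");`. Each of the three `index++` arguments now reserves a slot in the per-request context array, and `context[defaultSubjectIndex]` is written unconditionally in PolicyContextBeforeAfter.before(), so the array's size is presumably derived from the final value of `index` somewhere in the enclosing method, which starts and ends outside this hunk — worth confirming. Whether GeronimoSecurityException is a checked exception covered by the enclosing method's throws clause is also not visible here.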
@@ -17,24 +17,34 @@
 package org.apache.geronimo.tomcat.interceptor;
 import javax.security.jacc.PolicyContext;
+import javax.security.auth.Subject;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import org.apache.geronimo.security.Callers;
 import org.apache.geronimo.security.ContextManager;
+/**
+ * @version $Rev$ $Date$
+ */
 public class PolicyContextBeforeAfter implements BeforeAfter{
+ public static final String DEFAULT_SUBJECT = "~DEFAULT_SUBJECT";
+
 private final BeforeAfter next;
 private final String policyContextID;
 private final int policyContextIDIndex;
 private final int callersIndex;
+ private final int defaultSubjectIndex;
+ private final Subject defaultSubject;
- public PolicyContextBeforeAfter(BeforeAfter next, int policyContextIDIndex, int callersIndex, String policyContextID) {
+ public PolicyContextBeforeAfter(BeforeAfter next, int policyContextIDIndex, int callersIndex, int defaultSubjectIndex, String policyContextID, Subject defaultSubject) {
 this.next = next;
 this.policyContextIDIndex = policyContextIDIndex;
 this.callersIndex = callersIndex;
+ this.defaultSubjectIndex = defaultSubjectIndex;
 this.policyContextID = policyContextID;
+ this.defaultSubject = defaultSubject;
 }
 public void before(Object[] context, ServletRequest httpRequest, ServletResponse httpResponse) {
@@ -47,6 +57,10 @@
 //Set the new
 PolicyContext.setContextID(policyContextID);
 PolicyContext.setHandlerData(httpRequest);
+ if (httpRequest != null){
+ httpRequest.setAttribute(DEFAULT_SUBJECT, defaultSubject);
+ context[defaultSubjectIndex] = httpRequest.getAttribute(DEFAULT_SUBJECT);
+ }
 if (next != null) {
 next.before(context, httpRequest, httpResponse);
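Review bot: `DEFAULT_SUBJECT` is a public constant naming a request attribute, and TomcatGeronimoRealm (hunk @@ -182 on this page) reads the Subject it uses for unauthenticated requests back out of that attribute, so the identity the container runs such requests under lives in a slot that any servlet, filter or JSP in the same context can also overwrite through `ServletRequest.setAttribute`. The interceptor already holds `defaultSubject` in a final field; passing it to the realm through a container-controlled path (the context object or the realm's own configuration) instead of round-tripping it through a request attribute keeps application code out of the identity decision. If the attribute has to stay, document its contract on the constant, e.g. `/** Request attribute carrying the container's default Subject; container-internal, not to be set by applications. */`. The constructor also stores `defaultSubject` without checking it, although before() publishes it unconditionally and a null would presumably surface only later in the realm's `ContextManager.setCallers` call; consider `if (defaultSubject == null) throw new IllegalArgumentException("defaultSubject is required");` in the constructor.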
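Review bot: The save/restore order on the two lines added inside `if (httpRequest != null){` is inverted: `setAttribute(DEFAULT_SUBJECT, defaultSubject)` runs first, so the `getAttribute` that follows stores the value just written into `context[defaultSubjectIndex]`, never the attribute's previous value. The matching restore in after() (hunk @@ -61) therefore re-applies `defaultSubject` rather than the prior value: for a plain request the attribute is left set after the request instead of being cleared, and if a second interceptor chain runs on the same request (a forward or include, presumably) the outer value is never put back. Swap the two statements — `context[defaultSubjectIndex] = httpRequest.getAttribute(DEFAULT_SUBJECT);` and then `httpRequest.setAttribute(DEFAULT_SUBJECT, defaultSubject);` — which is the save-then-replace order that the after() restore of the policy context ID and the callers relies on. The enclosing before() method ends outside this hunk.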
@@ -61,6 +75,8 @@
 //Replace the old
 PolicyContext.setContextID((String)context[policyContextIDIndex]);
 ContextManager.popCallers((Callers) context[callersIndex]);
+ if (httpRequest != null)
+ httpRequest.setAttribute(DEFAULT_SUBJECT, context[defaultSubjectIndex]);
 }
 }
Modified: geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java?view=diff&rev=494061&r1=494060&r2=494061
==============================================================================
--- geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java (original)
+++ geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java Mon Jan 8 05:25:18 2007
@@ -31,6 +31,7 @@
 import org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler;
 import org.apache.geronimo.security.realm.providers.PasswordCallbackHandler;
 import org.apache.geronimo.tomcat.JAASTomcatPrincipal;
+import org.apache.geronimo.tomcat.interceptor.PolicyContextBeforeAfter;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
@@ -53,6 +54,9 @@
 import java.security.cert.X509Certificate;
+/**
+ * @version $Rev$ $Date$
+ */
 public class TomcatGeronimoRealm extends JAASRealm {
 private static final Log log = LogFactory.getLog(TomcatGeronimoRealm.class);
@@ -182,7 +186,8 @@
 //If we have no principal, then we should use the default.
 if (principal == null) {
- return request.isSecure();
+ Subject defaultSubject = (Subject)request.getAttribute(PolicyContextBeforeAfter.DEFAULT_SUBJECT);
+ ContextManager.setCallers(defaultSubject, defaultSubject);
 } else {
 Subject currentCaller = ((JAASTomcatPrincipal) principal).getSubject();
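Review bot: The restore added after `ContextManager.popCallers(...)` is an unbraced two-line `if`, unlike the braced `if (next != null) {` the same class uses in before(); brace it: `if (httpRequest != null) { httpRequest.setAttribute(DEFAULT_SUBJECT, context[defaultSubjectIndex]); }`. It is also worth a one-line comment that restoring a saved null is the intended "unset" path, since the Servlet API specifies that `setAttribute` with a null value behaves as `removeAttribute`, e.g. `// a saved null removes the attribute (setAttribute(name, null) == removeAttribute(name))`.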