tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Authentication without Authorization ( JNDI Realm )
Date Thu, 03 Dec 2009 02:01:06 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chuck,

On 12/2/2009 5:15 PM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>> Subject: Re: Authentication without Authorization ( JNDI Realm )
>>
>> Technically speaking, this will require authentication but then let
>> anyone holding any role defined in web.xml to access any page on your
>> site.
> 
> But the valid roles still have to be listed in web.xml to be compliant with the spec.

Yes. That's why I said "technically" and "practically".

>> Practically speaking, you don't even need to define the roles in
>> web.xml because (last time I checked), Tomcat treats '*' as
>> "authenticated, regardless of roles".
> 
> That was a bug, now fixed:
> http://marc.info/?l=tomcat-user&m=123568422715010&w=2

I'll have to look elsewhere in the code, then. What I saw in
GenericPrincipal clearly takes, ahem, liberties with the spec.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksXG+IACgkQ9CaO5/Lv0PCCnQCgw/WeI9uAHgpzjtiyg48gJC2B
TIgAn1mNkpYD8mkdc9YFEtrjZ8UcpKN3
=VQ5N
-----END PGP SIGNATURE-----
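The web.xml the thread is arguing about, written out as an added example (it is not from the original message, the Tomcat documentation, or the Tomcat code base). The role names, login pages and realm name are assumptions. It shows the two halves the Servlet 2.5 spec requires when the '*' shorthand is used: the auth-constraint that uses it, and the security-role declarations it expands to.

```xml
<!-- web.xml fragment (Servlet 2.5): require a login for the whole
     application, then authorize by role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Per the spec, '*' is shorthand for "every role declared in
         this deployment descriptor", not "any authenticated user".
         Remove the <security-role> elements below and a compliant
         container has no role left to match, so nobody gets in. -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <!-- Assumption: FORM login; the realm itself (e.g. a JNDIRealm)
       is configured in the container, not here. -->
  <auth-method>FORM</auth-method>
  <realm-name>Example realm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- The roles that '*' above expands to. The names must match the
     role names the realm returns for the principal; "employee" and
     "manager" are assumed directory group names. -->
<security-role>
  <role-name>employee</role-name>
</security-role>
<security-role>
  <role-name>manager</role-name>
</security-role>
```

Leaving out the security-role block is the configuration the thread describes: on a container that implements the spec strictly it denies every request, and the pre-fix Tomcat behaviour papered over that by admitting any authenticated principal. Going beyond what the thread covers: the Servlet 3.1 spec later added the role name '**' to mean exactly "any authenticated user independent of role"; on the Servlet 2.5 containers under discussion there is no spec-compliant way to say that.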
