tomee-commits mailing list archives

From "Luis Fernando Planella Gonzalez (JIRA)" <j...@apache.org>
Subject [jira] Created: (OPENEJB-984) TomcatSecurityService and unauthenticated user roles
Date Mon, 05 Jan 2009 12:13:44 GMT
TomcatSecurityService and unauthenticated user roles
----------------------------------------------------

                 Key: OPENEJB-984
                 URL: https://issues.apache.org/jira/browse/OPENEJB-984
             Project: OpenEJB
          Issue Type: Improvement
          Components: tomcat
    Affects Versions: 3.1
         Environment: Linux x86_64, Java 6
            Reporter: Luis Fernando Planella Gonzalez


Currently, TomcatSecurityService is registered as SystemInstance's RoleResolver component.
It overrides the AbstractSecurityService.getLogicalRoles() (which would grant a role with
the same name as the principal name), and only interprets principals with its own inner classes:
TomcatUser and RunAsRole. 
Since the default user is not of either class, it yields an empty set of roles.

I see 2 possible solutions:
* Add a way to customize which role should be granted to an unauthenticated user
* Delegate to the default AbstractSecurityService when no roles are granted, like:

public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles)
{
    // current implementation (builds the 'roles' set)
    if (roles.isEmpty()) {
        // nothing resolved: fall back to the default resolution
        return super.getLogicalRoles(principals, logicalRoles);
    }
    return roles;
}

See http://www.nabble.com/Unauthenticated-principal-td21012809.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
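
A self-contained model of the role resolution described in the report, as an added example that is not part of the original message or OpenEJB's code. `ContainerUser`, `PlainPrincipal`, `DefaultResolver` and `ContainerResolver` are hypothetical stand-ins, and the principal names and roles are constructed.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.Set;
// Added illustration: all types are hypothetical stand-ins, not OpenEJB classes.
public class RoleFallbackDemo {
    // Stand-in for a principal type the container resolver understands.
    record ContainerUser(String name, Set<String> roles) implements Principal {
        public String getName() { return name; }
    }
    // Stand-in for any other principal, e.g. the default unauthenticated user.
    record PlainPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    // Default behaviour as the report describes it: a role named after the principal.
    // Limiting it to declared logical roles is an assumption of this sketch.
    static class DefaultResolver {
        public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
            Set<String> roles = new LinkedHashSet<>();
            for (Principal p : principals)
                if (logicalRoles.contains(p.getName())) roles.add(p.getName());
            return roles;
        }
    }
    // The override: only its own principal type contributes roles.
    static class ContainerResolver extends DefaultResolver {
        private final boolean delegateWhenEmpty; // false = current, true = proposed
        ContainerResolver(boolean delegateWhenEmpty) { this.delegateWhenEmpty = delegateWhenEmpty; }

        @Override
        public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
            Set<String> roles = new LinkedHashSet<>();
            for (Principal p : principals)
                if (p instanceof ContainerUser u)
                    for (String r : u.roles()) if (logicalRoles.contains(r)) roles.add(r);
            if (roles.isEmpty() && delegateWhenEmpty)
                return super.getLogicalRoles(principals, logicalRoles);
            return roles;
        }
    }

    public static void main(String[] args) {
        Set<String> declared = Set.of("guest", "admin"); // constructed sample roles
        Principal[] anonymous = { new PlainPrincipal("guest") };
        Principal[] noRoles = { new ContainerUser("admin", Set.of()) };
        System.out.println(new ContainerResolver(false).getLogicalRoles(anonymous, declared));
        System.out.println(new ContainerResolver(true).getLogicalRoles(anonymous, declared));
        System.out.println(new ContainerResolver(true).getLogicalRoles(noRoles, declared));
    }
}
```

In this model the `roles.isEmpty()` fallback also fires for a recognised user who simply has no roles, so a user whose name matches a declared role would receive it. Testing for the unrecognised principal type instead of an empty result keeps the fallback confined to the default user.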

