Posted to dev@geronimo.apache.org by "Jarek Gawor (JIRA)" <ji...@apache.org> on 2007/11/02 07:05:51 UTC

[jira] Created: (GERONIMO-3581) Default security realm name in ContextManager

Default security realm name in ContextManager
---------------------------------------------

                 Key: GERONIMO-3581
                 URL: https://issues.apache.org/jira/browse/GERONIMO-3581
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: security
    Affects Versions: 2.0.x, 2.1
            Reporter: Jarek Gawor


ContextManager.login() should use a default security realm name if the user did not pass a security realm. A null security realm will cause an exception in LoginContext. Right now, because of this issue, a standalone ejb client must set a custom property ("openejb.authentication.realmName") in order for authentication to succeed.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (GERONIMO-3581) Default security realm name in ContextManager

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12559648#action_12559648 ] 

Jarek Gawor commented on GERONIMO-3581:
---------------------------------------

There are two (related) issues here.

1) Forgetting about OpenEJB for a moment, ContextManager.login() creates LoginContext. And LoginContext will throw an NPE if the security realm is null. So we could either add a null check to ContextManager.login() or pass a default security realm name.

2) With OpenEJB, OpenEJB uses GeronimoSecurityService to login. That class has two login functions. First, the one without a security realm parameter passes "OpenEJB" as a security realm. That security realm is not configured anywhere (as far as I can tell) and therefore if that method is called the authentication will always fail. The second GeronimoSecurityService.login() function just calls ContextManager.login(). And it also does not perform a null check of the security realm. I guess we could add the default security realm there but it won't address 1) if there is another path to ContextManager.login().





[jira] Commented: (GERONIMO-3581) Default security realm name in ContextManager

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12557454#action_12557454 ] 

David Jencks commented on GERONIMO-3581:
----------------------------------------

I might have the code path wrong in my mind but I think I'd rather that openejb be configured with a default security realm name in case the client didn't send one. However, an NPE doesn't seem appropriate either.

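
The two options weighed in this thread (a null check in front of LoginContext, or a default realm name), as an added plain-JAAS example; it is not Geronimo or OpenEJB code. `RealmLogin`, `DemoModule` and the `demo-realm` default are hypothetical names, and the login module that accepts only user `alice` is constructed for the demo.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class RealmLogin {
    // Hypothetical default realm; a real server would read it from its own configuration.
    static final String DEFAULT_REALM = "demo-realm";
    // Constructed login module for the demo: accepts only the user name "alice".
    public static class DemoModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user");
            try { handler.handle(new Callback[] { name }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            if (!"alice".equals(name.getName())) throw new FailedLoginException("unknown user");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    // Resolve the realm before JAAS sees it: the caller's name, else the default, never null.
    static Subject login(String realm, CallbackHandler handler) throws LoginException {
        String effective = (realm == null || realm.isEmpty()) ? DEFAULT_REALM : realm;
        if (Configuration.getConfiguration().getAppConfigurationEntry(effective) == null) {
            // Fail closed: LoginContext would otherwise fall back to the JAAS "other" entry.
            throw new LoginException("security realm not configured: " + effective);
        }
        LoginContext ctx = new LoginContext(effective, handler);
        ctx.login();
        return ctx.getSubject();
    }

    public static void main(String[] args) throws Exception {
        // In-memory JAAS configuration that knows only the default realm.
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!DEFAULT_REALM.equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        });
        CallbackHandler alice = cbs -> { for (Callback c : cbs) if (c instanceof NameCallback) ((NameCallback) c).setName("alice"); };
        System.out.println("null realm authenticated: " + (login(null, alice) != null));
        try { login("OpenEJB", alice); } catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The explicit configuration lookup matters because a hard-coded realm name that is not configured anywhere, like the "OpenEJB" value described in the thread, should produce a clear error instead of being evaluated against whatever the JAAS fallback entry happens to be.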