Posted to commits@tomee.apache.org by "Jean-Louis MONTEIRO (JIRA)" <ji...@apache.org> on 2009/12/23 13:10:29 UTC
[jira] Closed: (OPENEJB-984) TomcatSecurityService and unauthenticated user roles
[ https://issues.apache.org/jira/browse/OPENEJB-984?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Louis MONTEIRO closed OPENEJB-984.
---------------------------------------
Resolution: Duplicate
Assignee: Jean-Louis MONTEIRO
Same as OPENEJB-1120
> TomcatSecurityService and unauthenticated user roles
> ----------------------------------------------------
>
> Key: OPENEJB-984
> URL: https://issues.apache.org/jira/browse/OPENEJB-984
> Project: OpenEJB
> Issue Type: Improvement
> Components: tomcat
> Affects Versions: 3.1
> Environment: Linux x86_64, Java 6
> Reporter: Luis Fernando Planella Gonzalez
> Assignee: Jean-Louis MONTEIRO
>
> Currently, TomcatSecurityService is registered as SystemInstance's RoleResolver component.
> It overrides the AbstractSecurityService.getLogicalRoles() (which would grant a role with the same name as the principal name), and only interprets principals with its own inner classes: TomcatUser and RunAsRole.
> Since the default user is not of either class, it yields an empty set of roles.
> I see 2 possible solutions:
> * Add a way to customize which role should be granted to an unauthenticated user
> * Delegate to the default AbstractSecurityService when no roles are granted, like:
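>     public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
>         // current implementation (builds the roles set)
>         if (roles.isEmpty()) {
>             // nothing resolved from TomcatUser / RunAsRole: delegate to the default
>             return super.getLogicalRoles(principals, logicalRoles);
>         }
>         return roles;
>     }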
> See http://www.nabble.com/Unauthenticated-principal-td21012809.html
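The delegation proposed in the issue, as an added example that is not part of the original message and not OpenEJB source. It is a simplified model: NamedPrincipal, ContainerUser, defaultRoles and containerRoles are hypothetical stand-ins for the default user, TomcatUser and the two getLogicalRoles() implementations, and it assumes the default resolver grants a principal's name only when that name is a declared logical role.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

// Simplified model; class and method names are hypothetical, not OpenEJB source.
public class RoleFallbackDemo {
    static class NamedPrincipal implements Principal {      // stands in for the default user
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    static class ContainerUser extends NamedPrincipal {     // stands in for TomcatUser
        final Set<String> groups;
        ContainerUser(String name, String... groups) {
            super(name);
            this.groups = new LinkedHashSet<>(Arrays.asList(groups));
        }
    }

    // Default resolver as described in the issue: the principal name doubles as a role.
    // Assumption: only names that are declared logical roles are granted.
    static Set<String> defaultRoles(Principal[] principals, Set<String> logicalRoles) {
        Set<String> roles = new LinkedHashSet<>();
        for (Principal p : principals)
            if (logicalRoles.contains(p.getName())) roles.add(p.getName());
        return roles;
    }

    // Container resolver: reads roles only from ContainerUser, then optionally delegates.
    static Set<String> containerRoles(Principal[] principals, Set<String> logicalRoles, boolean delegate) {
        Set<String> roles = new LinkedHashSet<>();
        for (Principal p : principals)
            if (p instanceof ContainerUser)
                for (String g : ((ContainerUser) p).groups)
                    if (logicalRoles.contains(g)) roles.add(g);
        return roles.isEmpty() && delegate ? defaultRoles(principals, logicalRoles) : roles;
    }

    public static void main(String[] args) {
        Set<String> logical = new LinkedHashSet<>(Arrays.asList("guest", "admin"));
        Principal[] anonymous = { new NamedPrincipal("guest") };          // constructed sample
        Principal[] alice = { new ContainerUser("alice", "admin") };      // constructed sample
        Principal[] unmapped = { new ContainerUser("admin", "staff") };   // constructed sample
        System.out.println("anonymous, no delegation: " + containerRoles(anonymous, logical, false));
        System.out.println("anonymous, delegation:    " + containerRoles(anonymous, logical, true));
        System.out.println("alice, delegation:        " + containerRoles(alice, logical, true));
        System.out.println("unmapped, delegation:     " + containerRoles(unmapped, logical, true));
    }
}
```

The last case is the one to review: an authenticated container user whose groups map to no declared role also reaches the name-based default when delegation is triggered by an empty set alone, and is granted the role that matches the user name.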