Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <de...@geronimo.apache.org> on 2005/09/15 04:45:54 UTC

[jira] Commented: (GERONIMO-1012) Tomcat integration does not set a subject in an unsecured web module in a secured ejb application

    [ http://issues.apache.org/jira/browse/GERONIMO-1012?page=comments#action_12329378 ] 

David Jencks commented on GERONIMO-1012:
----------------------------------------

I've fixed this for web apps that have no security constraints but are part of a secured J2EE application.  I don't see how to fix it for unsecured pages on web apps with constraints: it appears we'd have to rewrite/copy/modify the authentication valves.  I'm leaving this open in the hopes someone can find a better solution.

Sending        modules/tomcat/project.xml
Sending        modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java
Adding         modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/DefaultSubjectValve.java
Sending        modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/PolicyContextValve.java
Transmitting file data ....
Committed revision 289136.

> Tomcat integration does not set a subject in an unsecured web module in a secured ejb application
> -------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-1012
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1012
>      Project: Geronimo
>         Type: Bug
>   Components: Tomcat
>     Versions: 1.0-M5
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.0-M5
>
> In the Jetty integration, in SecurityContextBeforeAfter, a request for an unsecured page results in the default subject being set in the ContextManager (line 288).  This provides a way to call secured EJBs and also provides a source of credentials for calling secured web services.
> In Tomcat, we don't do anything like that: in particular there is no source of credentials for secured web services.
> I think the simplest solution is, if the app is secured, to add another valve after the standard Tomcat security valve that sets the default subject into the ContextManager if none is there already.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
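The valve pattern proposed in the issue description, written out as an added example; it is not the DefaultSubjectValve committed in revision 289136. It assumes the Tomcat 5.5 Valve API (ValveBase, connector Request/Response, getNext()) and assumes that Geronimo's ContextManager exposes static getCurrentCaller() and setCurrentCaller(Subject) methods that read and write the per-thread caller Subject; the package name and those two ContextManager method names are assumptions, not taken from the page.

```java
package example.valve; // hypothetical package, not part of Geronimo

import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.geronimo.security.ContextManager; // assumed API, see lead-in

/**
 * Sits in the pipeline after Tomcat's authenticator valve. When the
 * authenticator established no caller Subject (no security constraint
 * matched the request), install the application's default Subject for
 * the duration of the request so that downstream secured EJB and web
 * service calls have a source of credentials, as Jetty's
 * SecurityContextBeforeAfter already does.
 */
public class DefaultSubjectValve extends ValveBase {

    private final Subject defaultSubject;

    public DefaultSubjectValve(Subject defaultSubject) {
        if (defaultSubject == null) {
            throw new IllegalArgumentException("defaultSubject is required");
        }
        this.defaultSubject = defaultSubject;
    }

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Assumption: getCurrentCaller() returns null when no earlier valve
        // (i.e. the authenticator) has set a Subject for this request.
        Subject existing = ContextManager.getCurrentCaller();
        if (existing != null) {
            // An authenticated caller is already in place; never replace it
            // with the weaker default identity.
            getNext().invoke(request, response);
            return;
        }

        ContextManager.setCurrentCaller(defaultSubject);
        try {
            getNext().invoke(request, response);
        } finally {
            // Request threads are pooled: restore the previous (null) state
            // so the default Subject cannot leak into the next request that
            // happens to be served by this thread.
            ContextManager.setCurrentCaller(existing);
        }
    }
}
```

Pipeline order is the whole point: the valve only helps if it is added after the standard Tomcat authenticator, so that a real authenticated Subject is left untouched and only the "nothing set" case receives the default. The finally block is what keeps the per-thread Subject from surviving past the request on a reused connector thread.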