Posted to commits@tomee.apache.org by "Luis Fernando Planella Gonzalez (JIRA)" <ji...@apache.org> on 2009/01/05 13:13:44 UTC

[jira] Created: (OPENEJB-984) TomcatSecurityService and unauthenticated user roles

TomcatSecurityService and unauthenticated user roles
----------------------------------------------------

                 Key: OPENEJB-984
                 URL: https://issues.apache.org/jira/browse/OPENEJB-984
             Project: OpenEJB
          Issue Type: Improvement
          Components: tomcat
    Affects Versions: 3.1
         Environment: Linux x86_64, Java 6
            Reporter: Luis Fernando Planella Gonzalez


Currently, TomcatSecurityService is registered as SystemInstance's RoleResolver component.
It overrides the AbstractSecurityService.getLogicalRoles() (which would grant a role with the same name as the principal name), and only interprets principals with its own inner classes: TomcatUser and RunAsRole.
Since the default user is not of either class, it yields an empty set of roles.

I see 2 possible solutions:
* Add a way to customize which role should be granted to an unauthenticated user
* Delegate to the default AbstractSecurityService when no roles are granted, like:

public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
    Set<String> roles = new HashSet<String>();
    // current implementation: populate roles from the TomcatUser / RunAsRole principals
    if (roles.isEmpty()) {
        // nothing recognised (e.g. the unauthenticated principal): fall back to the default resolution
        return super.getLogicalRoles(principals, logicalRoles);
    }
    return roles;
}

See http://www.nabble.com/Unauthenticated-principal-td21012809.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (OPENEJB-984) TomcatSecurityService and unauthenticated user roles

Posted by "Luis Fernando Planella Gonzalez (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OPENEJB-984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12660732#action_12660732 ] 

Luis Fernando Planella Gonzalez commented on OPENEJB-984:
---------------------------------------------------------

A possible workaround:
To make the unauthenticated user have the "public" role, create a custom Tomcat Realm, doing this:

import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.openejb.loader.SystemInstance;
import org.apache.openejb.spi.SecurityService;
// RoleResolver is OpenEJB's own interface; import it from the package your version ships it in.

public class RoleResolverRealm extends ValveBase {

    // volatile so the flag set by the first request is seen by the other request threads
    private static volatile boolean initialized;

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        if (!initialized) {
            SystemInstance systemInstance = SystemInstance.get();
            // TomcatSecurityService is registered as the SecurityService and also acts as the RoleResolver
            final RoleResolver defaultResolver = (RoleResolver) systemInstance.getComponent(SecurityService.class);
            systemInstance.setComponent(RoleResolver.class, new RoleResolver() {
                @Override
                public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
                    Set<String> resolved = defaultResolver.getLogicalRoles(principals, logicalRoles);
                    // copy into a mutable set: the delegate may return null or an unmodifiable set,
                    // and calling add() on either would throw
                    Set<String> roles = new HashSet<String>();
                    if (resolved != null) {
                        roles.addAll(resolved);
                    }
                    if (roles.isEmpty()) {
                        roles.add("public");
                    }
                    return roles;
                }
            });
            initialized = true;
        }
        // pass the request on to the next valve; without this the pipeline stops here
        getNext().invoke(request, response);
    }
}

Then, declare it in META-INF/context.xml:
<Context>
    <Valve className="RoleResolverRealm" />
</Context>


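The role-resolution chain from the issue and the wrapper from the workaround, modelled stand-alone as an added example; this is not OpenEJB's or the reporter's code. The RoleResolver interface, the TomcatUser principal and the TomcatLikeResolver below are simplified stand-ins for the OpenEJB classes named in the issue (their real signatures and packages are not reproduced), and the AnonymousPrincipal, the user names and the "public"/"admin" role names are constructed for the demonstration.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

public class AnonymousRoleDemo {

    // Stand-in for OpenEJB's RoleResolver contract (shape taken from the issue text; assumed).
    interface RoleResolver {
        Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles);
    }

    // Stand-in for TomcatSecurityService.TomcatUser: a realm-authenticated user and its realm roles.
    static final class TomcatUser implements Principal {
        private final String name;
        private final Set<String> realmRoles;

        TomcatUser(String name, String... realmRoles) {
            this.name = name;
            this.realmRoles = new HashSet<String>(Arrays.asList(realmRoles));
        }

        public String getName() { return name; }

        Set<String> getRealmRoles() { return realmRoles; }
    }

    // Stand-in for the principal an unauthenticated request carries (constructed name).
    static final class AnonymousPrincipal implements Principal {
        public String getName() { return "anonymous"; }
    }

    // Models the behaviour the issue describes: only TomcatUser principals contribute roles,
    // so an unauthenticated request resolves to an empty set. The set is returned unmodifiable
    // to show why the wrapper must copy before it adds anything.
    static final class TomcatLikeResolver implements RoleResolver {
        public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
            Set<String> roles = new LinkedHashSet<String>();
            for (Principal p : principals) {
                if (p instanceof TomcatUser) {
                    for (String r : ((TomcatUser) p).getRealmRoles()) {
                        if (logicalRoles.contains(r)) {
                            roles.add(r);
                        }
                    }
                }
            }
            return Collections.unmodifiableSet(roles);
        }
    }

    // The workaround's wrapper with the same rule (grant the default role whenever the chain
    // resolved nothing), hardened to copy the delegate's result before mutating it, since a
    // null or unmodifiable result would otherwise throw at the first unauthenticated request.
    static final class DefaultRoleResolver implements RoleResolver {
        private final RoleResolver delegate;
        private final String defaultRole;

        DefaultRoleResolver(RoleResolver delegate, String defaultRole) {
            this.delegate = delegate;
            this.defaultRole = defaultRole;
        }

        public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
            Set<String> resolved = delegate.getLogicalRoles(principals, logicalRoles);
            Set<String> roles = new LinkedHashSet<String>();
            if (resolved != null) {
                roles.addAll(resolved);
            }
            if (roles.isEmpty()) {
                roles.add(defaultRole);
            }
            return roles;
        }
    }

    public static void main(String[] args) {
        // Roles the container is asking about, e.g. those declared on the bean being called.
        Set<String> beanRoles = new HashSet<String>(Arrays.asList("public", "admin"));
        RoleResolver resolver = new DefaultRoleResolver(new TomcatLikeResolver(), "public");

        Principal[] anonymous = { new AnonymousPrincipal() };
        System.out.println("anonymous -> " + resolver.getLogicalRoles(anonymous, beanRoles));

        Principal[] admin = { new TomcatUser("alice", "admin") };
        System.out.println("alice     -> " + resolver.getLogicalRoles(admin, beanRoles));

        Principal[] noMatch = { new TomcatUser("bob", "reporter") };
        System.out.println("bob       -> " + resolver.getLogicalRoles(noMatch, beanRoles));
    }
}
```

Compile and run with `javac AnonymousRoleDemo.java && java AnonymousRoleDemo`. The third case is the one to think about before deploying the workaround: the rule "grant the default role when nothing resolved" also matches an authenticated user none of whose realm roles appear in the requested set, so that user is granted "public" on the same path as the anonymous request. Whether that is intended depends on what "public" means in the deployment; if it should apply only to unauthenticated callers, the wrapper needs to check the principal types rather than only the emptiness of the result.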


[jira] Closed: (OPENEJB-984) TomcatSecurityService and unauthenticated user roles

Posted by "Jean-Louis MONTEIRO (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/OPENEJB-984?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Louis MONTEIRO closed OPENEJB-984.
---------------------------------------

    Resolution: Duplicate
      Assignee: Jean-Louis MONTEIRO

Same as OPENEJB-1120

