You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <de...@geronimo.apache.org> on 2006/06/08 22:17:30 UTC
[jira] Closed: (GERONIMO-1425) access to unprotected web resource
after login does not use correct Subject
[ http://issues.apache.org/jira/browse/GERONIMO-1425?page=all ]
David Jencks closed GERONIMO-1425:
----------------------------------
Fix Version: 1.1
1.2
(was: Verification Required)
Resolution: Fixed
Merged from dead-1.2 into 1.1/1.2 branches
> access to unprotected web resource after login does not use correct Subject
> ---------------------------------------------------------------------------
>
> Key: GERONIMO-1425
> URL: http://issues.apache.org/jira/browse/GERONIMO-1425
> Project: Geronimo
> Type: Bug
> Security: public(Regular issues)
> Components: Tomcat, web
> Versions: 1.2
> Reporter: David Jencks
> Assignee: David Jencks
> Fix For: 1.1, 1.2
>
> This applies to both jetty and tomcat.
> Currently we are installing the correct authenticated Subject in ContextManager only when you access a protected resource. For any access to unprotected resources, even after logon, we are installing the default Subject in the ContextManager. This appears to violate this from servlet spec 2.4 12.7:
> A security identity, or principal, must always be provided for use in a call to an enterprise bean. The default mode in calls to enterprise beans from web applications is for the security identity of a web user to be propagated to the EJBTM container.
> After logon, the security identity of the user is known, whether or not they are visiting a protected resource. Therefore the default is to use this identity in ejb calls, which for us requires putting the authenticated subject in the ContextManager.
> Alan Cabrera has some doubts that this spec language actually requires us to implement the default behavior stated here, and I agree that a strict reading does not seem to require this, but IIUC we agree that we should implement this behavior anyway.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira