You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <de...@geronimo.apache.org> on 2006/06/08 22:17:30 UTC

[jira] Closed: (GERONIMO-1425) access to unprotected web resource after login does not use correct Subject

     [ http://issues.apache.org/jira/browse/GERONIMO-1425?page=all ]
     
David Jencks closed GERONIMO-1425:
----------------------------------

    Fix Version: 1.1
                 1.2
                     (was: Verification Required)
     Resolution: Fixed

Merged from dead-1.2 into 1.1/1.2 branches 

> access to unprotected web resource after login does not use correct Subject
> ---------------------------------------------------------------------------
>
>          Key: GERONIMO-1425
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1425
>      Project: Geronimo
>         Type: Bug
>     Security: public(Regular issues) 
>   Components: Tomcat, web
>     Versions: 1.2
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.1, 1.2

>
> This applies to both jetty and tomcat.
> Currently we are installing the correct authenticated Subject in ContextManager only when you access a protected resource.  For any access to unprotected resources, even after logon, we are installing the default Subject in the ContextManager.  This appears to violate this from servlet spec 2.4 12.7:
> A security identity, or principal, must always be provided for use in a call to an enterprise bean. The default mode in calls to enterprise beans from web applications is for the security identity of a web user to be propagated to the EJBTM container.
> After logon, the security identity of the user is known, whether or not they are visiting a protected resource.  Therefore the default is to use this identity in ejb calls, which for us requires putting the authenticated subject in the ContextManager.
> Alan Cabrera has some doubts that this spec language actually requires us to implement the default behavior stated here, and I agree that a strict reading does not seem to require this, but IIUC we agree that we should implement this behavior anyway.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira