Posted to dev@tomee.apache.org by Luis Fernando Planella Gonzalez <lf...@gmail.com> on 2009/12/16 18:40:17 UTC

Patching TomcatSecurityService to return the guest role when nobody is logged in

TomcatSecurityService overrides SecurityService's getLogicalRoles() method to handle its known principal types: TomcatUser and RunAsRole.
However, it ignores other principals. The default behavior of SecurityService is to grant roles when the principal name matches the logical role name.
In practice, this will allow TomcatSecurityService to grant the "guest" role when no user is logged in.

I've created https://issues.apache.org/jira/browse/OPENEJB-1120 with a patch to fix it.

There is also an old thread where I had already discussed this subject with David: http://old.nabble.com/Unauthenticated-principal-td21012809.html
However, here I've applied the sentence: "enough talking, show me the code" ;)

Luis Fernando Planella Gonzalez
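The role-resolution behaviour the post describes, as an added illustration that is not the project's code or the attached patch: a default resolver grants a logical role whenever a principal's name matches it; a Tomcat-specific resolver that only understands TomcatUser and RunAsRole silently drops every other principal, so an unauthenticated caller never receives "guest"; the corrected resolver routes unknown principal types back through the default rule. All classes here (DefaultRoleResolver, TomcatRoleResolverBefore, TomcatRoleResolverAfter, UnauthenticatedPrincipal, the minimal TomcatUser and RunAsRole stand-ins) are hypothetical simulations named after the thread's vocabulary, not OpenEJB's API; the assumption that an anonymous caller is represented by a principal literally named "guest" is the thread's own premise. The last lines show the check a deployer should run once the fix is in: any method permission that lists "guest" becomes reachable without authentication.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical stand-ins for the principal types named in the thread; not OpenEJB's classes.
final class TomcatUser implements Principal {
    private final String name;
    private final Set<String> roles; // roles the Tomcat realm assigned to this user
    TomcatUser(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    public String getName() { return name; }
    Set<String> getRoles() { return roles; }
}

final class RunAsRole implements Principal {
    private final String role;
    RunAsRole(String role) { this.role = role; }
    public String getName() { return role; }
}

// Assumption from the thread: an unauthenticated caller carries a principal named "guest".
final class UnauthenticatedPrincipal implements Principal {
    public String getName() { return "guest"; }
}

// Default rule described in the thread: grant a logical role when a principal's name matches it.
class DefaultRoleResolver {
    Set<String> getLogicalRoles(Set<Principal> principals, Set<String> logicalRoles) {
        Set<String> granted = new LinkedHashSet<>();
        for (Principal p : principals) {
            if (logicalRoles.contains(p.getName())) granted.add(p.getName());
        }
        return granted;
    }
}

// Before the fix: only TomcatUser and RunAsRole are examined; any other principal is ignored.
class TomcatRoleResolverBefore extends DefaultRoleResolver {
    @Override
    Set<String> getLogicalRoles(Set<Principal> principals, Set<String> logicalRoles) {
        Set<String> granted = new LinkedHashSet<>();
        for (Principal p : principals) {
            if (p instanceof TomcatUser) {
                for (String r : ((TomcatUser) p).getRoles()) if (logicalRoles.contains(r)) granted.add(r);
            } else if (p instanceof RunAsRole) {
                if (logicalRoles.contains(p.getName())) granted.add(p.getName());
            }
            // every other principal falls through, so an anonymous caller never gets "guest"
        }
        return granted;
    }
}

// After the fix: principals of unknown type fall back to the default name-matching rule.
class TomcatRoleResolverAfter extends DefaultRoleResolver {
    @Override
    Set<String> getLogicalRoles(Set<Principal> principals, Set<String> logicalRoles) {
        Set<String> granted = new LinkedHashSet<>();
        Set<Principal> others = new HashSet<>();
        for (Principal p : principals) {
            if (p instanceof TomcatUser) {
                for (String r : ((TomcatUser) p).getRoles()) if (logicalRoles.contains(r)) granted.add(r);
            } else if (p instanceof RunAsRole) {
                if (logicalRoles.contains(p.getName())) granted.add(p.getName());
            } else {
                others.add(p);
            }
        }
        granted.addAll(super.getLogicalRoles(others, logicalRoles));
        return granted;
    }
}

public class GuestRoleDemo {
    public static void main(String[] args) {
        // Constructed deployment: two logical roles declared, one anonymous caller.
        Set<String> logicalRoles = new HashSet<>(Arrays.asList("guest", "admin"));
        Set<Principal> anonymous = Collections.singleton(new UnauthenticatedPrincipal());

        System.out.println("before fix: " + new TomcatRoleResolverBefore().getLogicalRoles(anonymous, logicalRoles));
        System.out.println("after fix:  " + new TomcatRoleResolverAfter().getLogicalRoles(anonymous, logicalRoles));

        // Deployer's check: a method whose permission set names "guest" is callable without logging in.
        Set<String> methodPermittedRoles = new HashSet<>(Arrays.asList("guest"));
        boolean anonymousCanInvoke = !Collections.disjoint(methodPermittedRoles,
                new TomcatRoleResolverAfter().getLogicalRoles(anonymous, logicalRoles));
        System.out.println("anonymous caller can invoke a guest-only method: " + anonymousCanInvoke);
    }
}
```

Run it with `javac GuestRoleDemo.java && java GuestRoleDemo`. The point worth carrying into a real deployment is the last check: once unauthenticated callers map to "guest", audit every method permission and deployment descriptor that grants "guest" (or whatever the public role is named, "public" in Luis's system), since each of those is now an anonymous entry point by design.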

Re: Patching TomcatSecurityService to return the guest role when nobody is logged in

Posted by Luis Fernando Planella Gonzalez <lf...@gmail.com>.
Hi Jean.
Yes, it's almost the same thing.
First sorry, I didn't remember I had already created an issue before.
In the first issue (984) I had posted the workaround I'm using until the proper fix is done.
The second one (1120) contains the patch to fix.
There is however a minor thing: In our system, we've named the "guest" role as "public", so in the workaround the "public" role is being granted.
With the patch in 1120, the role name will always be "guest" (I can search / replace in our code, no problem).
David even mentioned that it would be possible to add a configuration in the SecurityService to change that name, but it's not really necessary for me.
Again, sorry. You may close the first one as duplicate if you want...

Luis Fernando Planella Gonzalez


On Wednesday 23 December 2009, at 08:05:43, Jean-Louis MONTEIRO wrote:
> 
> Hi Luis,
> 
> I've noticed two related issues:
> https://issues.apache.org/jira/browse/OPENEJB-984
> https://issues.apache.org/jira/browse/OPENEJB-1120
> 
> It seems to me, the fix is the same.
> Is that right?
> Did I misunderstand something?
> 
> Jean-Louis
> 
> 
> 
> Luis F. Planella Gonzalez wrote:
> > 
> > TomcatSecurityService overrides SecurityService's getLogicalRoles() method
> > to handle its known principal types: TomcatUser and RunAsRole.
> > However, it ignores other principals. The default behavior of
> > SecurityService is to grant roles when the principal name matches the
> > logical role name.
> > In practice, this will allow TomcatSecurityService to grant the "guest"
> > role when no user is logged in.
> > 
> > I've created https://issues.apache.org/jira/browse/OPENEJB-1120 with a
> > patch to fix it.
> > 
> > There is also an old thread where I had already discussed this subject
> > with David:
> > http://old.nabble.com/Unauthenticated-principal-td21012809.html
> > However, here I've applied the sentence: "enough talking, show me the
> > code" ;)
> > 
> > Luis Fernando Planella Gonzalez
> > 
> > 
> 
> 

Re: Patching TomcatSecurityService to return the guest role when nobody is logged in

Posted by Jean-Louis MONTEIRO <je...@atosorigin.com>.
Hi Luis,

I've noticed two related issues:
https://issues.apache.org/jira/browse/OPENEJB-984
https://issues.apache.org/jira/browse/OPENEJB-1120

It seems to me, the fix is the same.
Is that right?
Did I misunderstand something?

Jean-Louis



Luis F. Planella Gonzalez wrote:
> 
> TomcatSecurityService overrides SecurityService's getLogicalRoles() method
> to handle its known principal types: TomcatUser and RunAsRole.
> However, it ignores other principals. The default behavior of
> SecurityService is to grant roles when the principal name matches the
> logical role name.
> In practice, this will allow TomcatSecurityService to grant the "guest"
> role when no user is logged in.
> 
> I've created https://issues.apache.org/jira/browse/OPENEJB-1120 with a
> patch to fix it.
> 
> There is also an old thread where I had already discussed this subject
> with David:
> http://old.nabble.com/Unauthenticated-principal-td21012809.html
> However, here I've applied the sentence: "enough talking, show me the
> code" ;)
> 
> Luis Fernando Planella Gonzalez
> 
> 
