You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2008/06/21 19:47:45 UTC

[jira] Commented: (GERONIMO-4124) Tomcat jacc usage is messed up

    [ https://issues.apache.org/jira/browse/GERONIMO-4124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12607023#action_12607023 ] 

David Jencks commented on GERONIMO-4124:
----------------------------------------

work done on this issue in code:
trunk rev. 670236
Improved run-as tests in testsuite
trunk rev. 670237

The behavior in the tests agrees between jetty and tomcat but I don't think it's right.  With this scenario:
user logs in in role foo
Servlet1 configured with run-as role baz
forwards to servlet2 with no run-as role
calls ejb
the ejb sees only role foo.  In other words forwarding to servlet 2 has erased the run-as information from servlet 1.

In addition there's a questionable case:
in the above scenario, should servlet 2 see foo or baz?  Currently it sees foo.

-------------------------------------------------

(1) is fixed; we install either the actual or default subject before checking WebUserDataPermissions and never call the non-jacc tomcat code
(2) is invalid, the Subject comes directly from ContextManager
(3) seems to be the only way to get form auth to work.  I think it's causing the behavior I think is wrong noted above.  

> Tomcat jacc usage is messed up
> ------------------------------
>
>                 Key: GERONIMO-4124
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4124
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Tomcat
>    Affects Versions: 2.0.2, 2.1.1, 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.0.x, 2.1.2, 2.2
>
>
> Several problems:
> 1. UserDataPermissions are not getting evaluated by jacc due to the check for Subject in handler data.
> 2. Subject is never set into handler data (also  a problem in jetty, dunno about openejb).
> 3. TomcatGeronimoRealm is calling ContextManager.setCallers before permission checks.  This is wrong.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.