You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@tomee.apache.org by "Romain Manni-Bucau (JIRA)" <ji...@apache.org> on 2016/06/28 11:51:57 UTC

[jira] [Resolved] (TOMEE-1492) LazyRealm not working well in CombinedRealm (LockOutRealm)

     [ https://issues.apache.org/jira/browse/TOMEE-1492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Romain Manni-Bucau resolved TOMEE-1492.
---------------------------------------
    Resolution: Not A Problem

Summer cleanup

> LazyRealm not working well in CombinedRealm (LockOutRealm)
> ----------------------------------------------------------
>
>                 Key: TOMEE-1492
>                 URL: https://issues.apache.org/jira/browse/TOMEE-1492
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 1.7.1
>            Reporter: Ryan McGuinness
>              Labels: Security
>
> The following LazyRealm definition works as expected in TomEE, delegating to the authenticate(String, String) and hasRole(Principal, String) of the realmClass.
> <Context>
>     <Realm
>             cdi="true"
>             className="org.apache.tomee.catalina.realm.LazyRealm"
>             realmClass="example.security.RecipeBookRealm" />
> </Context>
> When wrapped in a combined realm:
> <Context>
>     <Realm className="org.apache.catalina.realm.LockOutRealm">
>         <Realm
>                 cdi="true"
>                 className="org.apache.tomee.catalina.realm.LazyRealm"
>                 realmClass="example.security.RecipeBookRealm"/>
>     </Realm>
> </Context>
> The authenticate method is delegated to correctly, but the hasRole(Principal, String) method IS NOT.
> Thus when wrapped failure occurs in the annotations for @RolesAllowed() or and security assertions made in the web.xml.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)