Posted to commits@tomee.apache.org by "Luis Fernando Planella Gonzalez (JIRA)" <ji...@apache.org> on 2009/01/05 13:17:44 UTC

[jira] Commented: (OPENEJB-984) TomcatSecurityService and unauthenticated user roles

    [ https://issues.apache.org/jira/browse/OPENEJB-984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12660732#action_12660732 ] 

Luis Fernando Planella Gonzalez commented on OPENEJB-984:
---------------------------------------------------------

A possible workaround:
To make the unauthenticated user have the "public" role, create a custom Tomcat Realm, doing this:

import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.openejb.loader.SystemInstance;
import org.apache.openejb.spi.SecurityService;
// RoleResolver is the nested interface of BasicPolicyConfiguration in OpenEJB 3.1 (package assumed; adjust to your classpath)
import org.apache.openejb.core.security.jacc.BasicPolicyConfiguration.RoleResolver;

// Despite the name this is a Valve, not a Realm: it is declared with <Valve> in context.xml.
public class RoleResolverRealm extends ValveBase {

    // Guarded by the synchronized installResolver(); the replacement is installed once per JVM.
    private static boolean initialized;

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        installResolver();
        // A Valve must pass the request on, otherwise the pipeline stops here.
        getNext().invoke(request, response);
    }

    private static synchronized void installResolver() {
        if (initialized) {
            return;
        }
        SystemInstance systemInstance = SystemInstance.get();
        // TomcatSecurityService implements both SecurityService and RoleResolver, so the cast holds.
        final RoleResolver defaultResolver = (RoleResolver) systemInstance.getComponent(SecurityService.class);
        systemInstance.setComponent(RoleResolver.class, new RoleResolver() {
            @Override
            public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
                Set<String> roles = defaultResolver.getLogicalRoles(principals, logicalRoles);
                // The default resolver yields no roles for an unauthenticated user; grant "public" instead.
                // Use a fresh set: the returned one may be null or unmodifiable.
                if (roles == null || roles.isEmpty()) {
                    roles = new HashSet<String>();
                    roles.add("public");
                }
                return roles;
            }
        });
        initialized = true;
    }
}

Then, declare it in META-INF/context.xml:
<Context>
    <Valve className="RoleResolverRealm" />
</Context>

> TomcatSecurityService and unauthenticated user roles
> ----------------------------------------------------
>
>                 Key: OPENEJB-984
>                 URL: https://issues.apache.org/jira/browse/OPENEJB-984
>             Project: OpenEJB
>          Issue Type: Improvement
>          Components: tomcat
>    Affects Versions: 3.1
>         Environment: Linux x86_64, Java 6
>            Reporter: Luis Fernando Planella Gonzalez
>
> Currently, TomcatSecurityService is registered as SystemInstance's RoleResolver component.
> It overrides the AbstractSecurityService.getLogicalRoles() (which would grant a role with the same name as the principal name), and only interprets principals with its own inner classes: TomcatUser and RunAsRole.
> Since the default user is not of either class, it yields an empty set of roles.
> I see 2 possible solutions:
> * Add a way to customize which role should be granted to an unauthenticated user
> * Delegate to the default AbstractSecurityService when no roles are granted, like:
> public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
>     // current implementation (resolves TomcatUser/RunAsRole principals into "roles")
>     if (roles.isEmpty()) {
>         return super.getLogicalRoles(principals, logicalRoles);
>     }
>     return roles;
> }
> See http://www.nabble.com/Unauthenticated-principal-td21012809.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.