Posted to dev@geronimo.apache.org by "Gianny Damour (JIRA)" <de...@geronimo.apache.org> on 2005/08/01 04:09:36 UTC

[jira] Assigned: (GERONIMO-832) Calling isUserInRole from JSP not mapped to a Servlet

     [ http://issues.apache.org/jira/browse/GERONIMO-832?page=all ]

Gianny Damour reassigned GERONIMO-832:
--------------------------------------

    Assign To: Gianny Damour

> Calling isUserInRole from JSP not mapped to a Servlet
> -----------------------------------------------------
>
>          Key: GERONIMO-832
>          URL: http://issues.apache.org/jira/browse/GERONIMO-832
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M3, 1.0-M4
>     Reporter: Gianny Damour
>     Assignee: Gianny Damour
>     Priority: Minor

>
> Calling isUserInRole from a JSP not mapped to a servlet fails with Jetty as the servlet container.
> In the case of JSP not explicitly mapped in the web.xml DD, isUserInRole("<a role name>") triggers a validation of the following Permission: (javax.security.jacc.WebRoleRefPermission jsp <a role name>)
> The name "jsp" is sourced from the JettyServletHolder, which is automatically registered to handle the processing of *.jsp files.
> As pointed out by Jeff, it seems that the JACC specification mandates another behavior:
> * the name "jsp" should actually be an empty string; and
> * for each security role declared by the web.xml DD, a WebRoleRefPermission permission should be automatically added.  The name of this Permission should be an empty string and the action should be the role name.
> Excerpt of the JACC specification talking about this specific behavior:
> "
> B.19 Calling isUserInRole from JSP not mapped to a Servlet
> Checking a WebRoleRefPermission requires the name of a Servlet to identify the scope of the reference to role translation. The name of a scoping servlet has not been established for an unmapped JSP.
> Resolution: For every security role in the web application add a WebRoleRefPermission to the corresponding role. The name of all such permissions shall be the empty string, and the actions of each permission shall be the corresponding role name. When checking a WebRoleRefPermission from a JSP not mapped to a servlet, use a permission with the empty string as its name and with the argument to isUserInRole as its actions. This specification will require that containers implement this resolution when the Servlet Specification requires that containers test the caller for membership in the role named by the argument to isUserInRole when isUserInRole is called from an unmapped JSP.
> "

-- 
This message is automatically generated by JIRA.
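As an added illustration of the B.19 resolution quoted in this issue (this is not Geronimo or Jetty code), the following Java uses the real javax.security.jacc.WebRoleRefPermission class with a constructed set of declared roles to build the empty-name grants the spec requires and to compare the spec-mandated check with the one that used the "jsp" holder name; the class and role names are assumptions.

```java
import java.security.Permissions;
import javax.security.jacc.WebRoleRefPermission;

/**
 * Added illustration (not Geronimo code) of JACC B.19: for a JSP that is not
 * mapped to a servlet, the WebRoleRefPermission name must be the empty
 * string, not the name of the holder that serves *.jsp files.
 */
public class UnmappedJspRoleRef {

    /** Roles a web.xml DD might declare (constructed sample). */
    static final String[] DECLARED_ROLES = {"admin", "user"};

    /**
     * Build the permissions B.19 says the container must add for the web
     * application: one WebRoleRefPermission per declared role, with the
     * empty string as its name and the role name as its actions.
     */
    static Permissions unmappedJspRoleRefs(String[] roles) {
        Permissions granted = new Permissions();
        for (String role : roles) {
            granted.add(new WebRoleRefPermission("", role));
        }
        return granted;
    }

    /** The check an isUserInRole(role) call from an unmapped JSP must make. */
    static boolean isUserInRoleFromUnmappedJsp(Permissions granted, String role) {
        return granted.implies(new WebRoleRefPermission("", role));
    }

    public static void main(String[] args) {
        Permissions granted = unmappedJspRoleRefs(DECLARED_ROLES);

        // Spec-conformant check: empty-string name, role name as actions.
        System.out.println("admin via empty name: "
                + isUserInRoleFromUnmappedJsp(granted, "admin"));

        // The check described in this issue used the holder name "jsp".
        // WebRoleRefPermission.implies requires equal names, so the
        // empty-name grants mandated by B.19 do not cover it.
        System.out.println("admin via \"jsp\" name: "
                + granted.implies(new WebRoleRefPermission("jsp", "admin")));

        // A role never declared in web.xml gets no grant at all.
        System.out.println("undeclared role: "
                + isUserInRoleFromUnmappedJsp(granted, "auditor"));
    }
}
```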