Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2007/05/11 23:52:15 UTC

[jira] Created: (GERONIMO-3154) Web authorization should only use jacc calls

Web authorization should only use jacc calls
--------------------------------------------

                 Key: GERONIMO-3154
                 URL: https://issues.apache.org/jira/browse/GERONIMO-3154
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: web
    Affects Versions: 2.0-M6
            Reporter: David Jencks
         Assigned To: David Jencks
             Fix For: 2.0-M6


At Javaone I had a chat with Ron Monzillo who pointed out to me how to use only the mandated jacc permission checks to decide whether a request should be denied, allowed, or redirected for login.  We need to change the jetty and tomcat security stuff to do this.

Sequence of steps I think should work:

1. check UDP.  Any excluded page will be denied here.  Also, if you have the wrong connection security you'll get denied.  I think this is correct.

2. If the user is logged in, install their subject in the security system.  If not, install the default subject.

3. check the WRP. If passed, continue.

4. if denied, and the user is logged in, deny

4.b. if denied and the user is not logged in, redirect.
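The decision sequence above, written out as an added Java sketch against the javax.security.jacc API (this is not Geronimo's code). The class and Decision enum names, the contextId and defaultSubject fields, and evaluating the UDP check against the default subject are assumptions; "installing" a subject is modeled only as evaluating the installed Policy with that subject's principals.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical outcome type for the three results the issue describes. */
enum Decision { ALLOW, DENY, REDIRECT_TO_LOGIN }

/** Hypothetical authorizer that uses only the mandated JACC permission checks. */
public final class JaccWebAuthorizer {
    private final String contextId;       // web module's JACC policy context id (assumed supplied)
    private final Subject defaultSubject; // subject for unauthenticated callers (assumed supplied)

    JaccWebAuthorizer(String contextId, Subject defaultSubject) {
        this.contextId = contextId;
        this.defaultSubject = defaultSubject;
    }

    /** authenticated is the logged-in caller's Subject, or null when nobody is logged in. */
    Decision authorize(HttpServletRequest request, Subject authenticated) throws PolicyContextException {
        PolicyContext.setContextID(contextId);
        PolicyContext.setHandlerData(request); // makes the request visible to policy context handlers

        // Step 1: WebUserDataPermission. Excluded constraints and a transport guarantee the
        // connection does not satisfy fail here, independent of who the caller is (assumption:
        // evaluated against the default, unauthenticated subject).
        if (!implies(defaultSubject, new WebUserDataPermission(request))) {
            return Decision.DENY;
        }
        // Step 2: pick the subject to evaluate: the logged-in user or the default subject.
        boolean loggedIn = authenticated != null;
        Subject effective = loggedIn ? authenticated : defaultSubject;

        // Step 3: WebResourcePermission is the role-based check on URL pattern and HTTP method.
        if (implies(effective, new WebResourcePermission(request))) {
            return Decision.ALLOW;
        }
        // Steps 4 and 4.b: a failed role check denies a logged-in user, redirects an anonymous one.
        return loggedIn ? Decision.DENY : Decision.REDIRECT_TO_LOGIN;
    }

    /** Ask the installed JACC Policy whether a domain carrying the subject's principals implies the permission. */
    private static boolean implies(Subject subject, Permission permission) {
        Principal[] principals = subject.getPrincipals().toArray(new Principal[0]);
        ProtectionDomain domain = new ProtectionDomain(null, null, null, principals);
        return Policy.getPolicy().implies(domain, permission);
    }
}
```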

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (GERONIMO-3154) Web authorization should only use jacc calls

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12496155 ] 

David Jencks commented on GERONIMO-3154:
----------------------------------------

This should be fixed in rev 538344 for jetty.  This requires JETTY-340 to be resolved to avoid some NPEs.

> Web authorization should only use jacc calls
> --------------------------------------------
>
>                 Key: GERONIMO-3154
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3154
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: web
>    Affects Versions: 2.0-M6
>            Reporter: David Jencks
>         Assigned To: David Jencks
>             Fix For: 2.0-M6
>
>
> At Javaone I had a chat with Ron Monzillo who pointed out to me how to use only the mandated jacc permission checks to decide whether a request should be denied, allowed, or redirected for login.  We need to change the jetty and tomcat security stuff to do this.
> Sequence of steps I think should work:
> 1. check UDP.  Any excluded page will be denied here.  Also, if you have the wrong connection security you'll get denied.  I think this is correct.
> 2. If the user is logged in, install their subject in the security system.  If not, install the default subject.
> 3. check the WRP. If passed, continue.
> 4. if denied, and the user is logged in, deny
> 4.b. if denied and the user is not logged in, redirect.



[jira] Closed: (GERONIMO-3154) Web authorization should only use jacc calls

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks closed GERONIMO-3154.
----------------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 2.0-M6)
                   2.0-M7

Tomcat was already only using the official jacc calls, but there was some cruft to clean up in rev 546336.

> Web authorization should only use jacc calls
> --------------------------------------------
>
>                 Key: GERONIMO-3154
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3154
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: web
>    Affects Versions: 2.0-M6
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.0-M7
>
>
> At Javaone I had a chat with Ron Monzillo who pointed out to me how to use only the mandated jacc permission checks to decide whether a request should be denied, allowed, or redirected for login.  We need to change the jetty and tomcat security stuff to do this.
> Sequence of steps I think should work:
> 1. check UDP.  Any excluded page will be denied here.  Also, if you have the wrong connection security you'll get denied.  I think this is correct.
> 2. If the user is logged in, install their subject in the security system.  If not, install the default subject.
> 3. check the WRP. If passed, continue.
> 4. if denied, and the user is logged in, deny
> 4.b. if denied and the user is not logged in, redirect.
