Posted to jetspeed-dev@portals.apache.org by "Michael Lipp (JIRA)" <je...@portals.apache.org> on 2005/06/27 10:27:58 UTC

[jira] Created: (JS2-302) Password change not propagated to JBoss

Password change not propagated to JBoss
---------------------------------------

         Key: JS2-302
         URL: http://issues.apache.org/jira/browse/JS2-302
     Project: Jetspeed 2
        Type: Bug
  Components: Security  
    Versions: 2.0-dev/cvs    
 Environment: JBoss/HSQL
    Reporter: Michael Lipp


In Tomcat/JBoss the credentials used to authenticate in the Web tier (Tomcat) are saved in some "global variables" during login. This information is subsequently used when a servlet tries to access an EJB. This happens in the security "adaption layer" of Tomcat.

If a user changes his or her password, the saved credentials are not updated, and as a consequence all accesses to EJBs fail. A workaround is to log out and re-login after a password change (for the advanced user who knows what happens ;-)).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


[jira] Assigned: (JS2-302) Password change not propagated to JBoss

Posted by "Ate Douma (JIRA)" <je...@portals.apache.org>.
     [ http://issues.apache.org/jira/browse/JS2-302?page=all ]

Ate Douma reassigned JS2-302:
-----------------------------

    Assign To: Ate Douma

> Password change not propagated to JBoss
> ---------------------------------------
>
>          Key: JS2-302
>          URL: http://issues.apache.org/jira/browse/JS2-302
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-dev/cvs
>  Environment: JBoss/HSQL
>     Reporter: Michael Lipp
>     Assignee: Ate Douma

>
> In Tomcat/JBoss the credentials used to authenticate in the Web tier (Tomcat) are saved in some "global variables" during login. This information is subsequently used when a servlet tries to access an EJB. This happens in the security "adaption layer" of Tomcat.
> If a user changes his or her password, the saved credentials are not updated, and as a consequence all accesses to EJBs fail. A workaround is to log out and re-login after a password change (for the advanced user who knows what happens ;-)).



[jira] Commented: (JS2-302) Password change not propagated to JBoss

Posted by "Michael Lipp (JIRA)" <je...@portals.apache.org>.
    [ http://issues.apache.org/jira/browse/JS2-302?page=comments#action_12330779 ] 

Michael Lipp commented on JS2-302:
----------------------------------

I accept closing this issue. I just want to point out that the problem is not JBoss specific (though a solution may be). AFAIK, *every* Servlet container saves the credentials obtained from form based login somehow and re-uses them when accessing (secured) EJBs. So anyone using a portlet that accesses secured EJBs will run into this problem, independent of the AS used.

It has always been a shortcoming of the servlet specification that there is no API to put new credentials in the store. The problem is well known. E.g. if you have a Web service, you cannot use form based authentication, yet you need to set credentials (coming with the request) if you want to access (secured) EJBs from your servlet (most people ignore the risks that arise from having unsecured EJBs and never notice, though). However, the AS specific solutions from the Web service domain are not easily transferable to Jetspeed.

The only portable solution I can think of currently is (1) automatically logging the user out after a password change and requesting him to re-login (I have seen this on some sites) or (2) generating a response that makes the browser submit the authentication form with the new credentials automatically (requires JavaScript).

I'll keep the issue on my list and look at it again if I have the time.


> Password change not propagated to JBoss
> ---------------------------------------
>
>          Key: JS2-302
>          URL: http://issues.apache.org/jira/browse/JS2-302
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-dev/cvs
>  Environment: JBoss/HSQL
>     Reporter: Michael Lipp
>     Assignee: Ate Douma
>      Fix For: 2.0-M4

>
> In Tomcat/JBoss the credentials used to authenticate in the Web tier (Tomcat) are saved in some "global variables" during login. This information is subsequently used when a servlet tries to access an EJB. This happens in the security "adaption layer" of Tomcat.
> If a user changes his or her password, the saved credentials are not updated, and as a consequence all accesses to EJBs fail. A workaround is to log out and re-login after a password change (for the advanced user who knows what happens ;-)).

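The bug report and Michael Lipp's comment above describe the same failure: the container caches the credentials from form login for later EJB calls, and a password change leaves that cache stale. The following servlet is an added example, not Jetspeed or JBoss code, showing the first portable workaround he names: re-authenticate, store the new password, then invalidate the web-tier session and send the user back to the login page so the container cannot keep reusing the pre-change credentials. `PasswordStore` and the servlet-context attribute `"passwordStore"` are assumptions made for this example; the login path is a placeholder.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not project code): password-change handler that ends the
 * current container session after a successful change, so stale cached
 * credentials are never reused for EJB access.
 */
public class PasswordChangeServlet extends HttpServlet {

    /** Hypothetical user store; both methods are assumed for this example. */
    public interface PasswordStore {
        boolean verify(String user, String password);
        void update(String user, String newPassword);
    }

    private PasswordStore store;

    @Override
    public void init() throws ServletException {
        // Assumed wiring: the application registers its store under this key.
        store = (PasswordStore) getServletContext().getAttribute("passwordStore");
        if (store == null) {
            throw new ServletException("passwordStore attribute not configured");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity as established by the container's form login.
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String current = req.getParameter("current");
        String fresh = req.getParameter("new");
        String confirm = req.getParameter("confirm");

        // Require the current password before accepting a change, and make
        // sure the new password was typed consistently.
        if (current == null || fresh == null || fresh.isEmpty()
                || !fresh.equals(confirm) || !store.verify(user, current)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "password change rejected");
            return;
        }

        store.update(user, fresh);

        // From here on the credentials the container cached at login no longer
        // match the store (the condition reported in JS2-302). Invalidate the
        // session so they cannot be reused, then require a fresh login.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/login?reason=password-changed");
    }
}
```

The redirect target is a placeholder for whatever page the form-login configuration protects; the `reason` parameter only lets that page explain why a new login is required. Later servlet specifications (3.0 and up) added `HttpServletRequest.login` and `logout`, which give a portable way to establish fresh container credentials without the JavaScript resubmission described as the second option above; the example deliberately sticks to the Servlet 2.x API in use at the time of this thread.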


[jira] Resolved: (JS2-302) Password change not propagated to JBoss

Posted by "Ate Douma (JIRA)" <je...@portals.apache.org>.
     [ http://issues.apache.org/jira/browse/JS2-302?page=all ]
     
Ate Douma resolved JS2-302:
---------------------------

    Fix Version: 2.0-M4
     Resolution: Won't Fix

Michael,

This is a JBoss specific issue which I think is unlikely to be solved in Jetspeed as you need to use JBoss specific API to clear the credential cache.
And, as we cannot include *any* JBoss API specific code under Apache license, I'm resolving this as Won't Fix.
If you have other thoughts/solutions in mind, then please reopen.

> Password change not propagated to JBoss
> ---------------------------------------
>
>          Key: JS2-302
>          URL: http://issues.apache.org/jira/browse/JS2-302
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-dev/cvs
>  Environment: JBoss/HSQL
>     Reporter: Michael Lipp
>     Assignee: Ate Douma
>      Fix For: 2.0-M4

>
> In Tomcat/JBoss the credentials used to authenticate in the Web tier (Tomcat) are saved in some "global variables" during login. This information is subsequently used when a servlet tries to access an EJB. This happens in the security "adaption layer" of Tomcat.
> If a user changes his or her password, the saved credentials are not updated, and as a consequence all accesses to EJBs fail. A workaround is to log out and re-login after a password change (for the advanced user who knows what happens ;-)).
