[ https://issues.apache.org/jira/browse/GERONIMO-3154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Jencks closed GERONIMO-3154.
----------------------------------
Resolution: Fixed
Fix Version/s: 2.0-M7 (was: 2.0-M6)
Tomcat was already only using the official JACC calls, but there was some cruft
to clean up in rev 546336.
> Web authorization should only use jacc calls
> --------------------------------------------
>
> Key: GERONIMO-3154
> URL: https://issues.apache.org/jira/browse/GERONIMO-3154
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: web
> Affects Versions: 2.0-M6
> Reporter: David Jencks
> Assignee: David Jencks
> Fix For: 2.0-M7
>
>
> At JavaOne I had a chat with Ron Monzillo, who pointed out to me how to use
> only the mandated JACC permission checks to decide whether a request should
> be denied, allowed, or redirected for login. We need to change the Jetty and
> Tomcat security stuff to do this.
> Sequence of steps I think should work:
> 1. check UDP. Any excluded page will be denied here. Also, if you have the
> wrong connection security you'll get denied. I think this is correct.
> 2. If the user is logged in, install their subject in the security system.
> If not, install the default subject.
> 3. check the WRP. If passed, continue.
> 4. if denied, and the user is logged in, deny
> 4.b. if denied and the user is not logged in, redirect.
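The four steps above, written out as an added example that is not Geronimo's, Jetty's or Tomcat's code. "UDP" and "WRP" are the two JACC web permission classes, `WebUserDataPermission` and `WebResourcePermission` from `javax.security.jacc`; the example assumes that API jar is on the classpath and a Java 17 compiler. The `PolicyCheck` interface, the `DemoPolicy` class, the `RolePrincipal` record and the deployment in `main` are all constructed stand-ins for the container's JACC policy provider, not the real `java.security.Policy` wiring a container would use.

```java
import java.security.Permission;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;

/** Outcome of the decision: deny, allow, or send the caller to the login page. */
enum Decision { ALLOW, DENY, REDIRECT_TO_LOGIN }

/** Hypothetical narrow view of the container's JACC policy provider (assumption, not a Geronimo API). */
interface PolicyCheck {
    boolean implies(Principal[] principals, Permission permission);
}

/** Minimal principal carrying a role name (constructed for this demo). */
record RolePrincipal(String name) implements Principal {
    @Override public String getName() { return name; }
}

public class JaccWebAuthorizer {
    private static final Principal[] NO_PRINCIPALS = new Principal[0];

    private final PolicyCheck policy;
    private final Principal[] defaultSubject;   // principals of the unauthenticated caller

    public JaccWebAuthorizer(PolicyCheck policy, Principal[] defaultSubject) {
        this.policy = policy;
        this.defaultSubject = defaultSubject;
    }

    /**
     * Decide a request using only the two mandated JACC checks.
     * path   = request URI relative to the context root, e.g. "/admin/users"
     * method = HTTP method, e.g. "GET"
     * secure = true when the request arrived over a confidential transport (HTTPS)
     * caller = principals of the logged-in user, or null/empty when nobody is logged in
     */
    public Decision decide(String path, String method, boolean secure, Principal[] caller) {
        // Step 1: WebUserDataPermission. An excluded page has no UDP grant at all, and a
        // CONFIDENTIAL-only grant does not imply a request that came in over plain HTTP,
        // so both cases are denied here, before any subject is installed.
        String actions = secure ? method + ":CONFIDENTIAL" : method;
        WebUserDataPermission udp = new WebUserDataPermission(path, actions);
        if (!policy.implies(NO_PRINCIPALS, udp)) {
            return Decision.DENY;
        }

        // Step 2: choose the subject to evaluate: the caller's if logged in, else the default.
        boolean loggedIn = caller != null && caller.length > 0;
        Principal[] subject = loggedIn ? caller : defaultSubject;

        // Step 3: WebResourcePermission. If it is implied, the request proceeds.
        WebResourcePermission wrp = new WebResourcePermission(path, method);
        if (policy.implies(subject, wrp)) {
            return Decision.ALLOW;
        }

        // Step 4 / 4.b: a logged-in user lacking the permission is denied; an anonymous
        // caller is redirected to log in, because logging in might still satisfy the check.
        return loggedIn ? Decision.DENY : Decision.REDIRECT_TO_LOGIN;
    }

    /** Constructed in-memory stand-in for a JACC policy provider (demo only). */
    static final class DemoPolicy implements PolicyCheck {
        final List<Permission> everyone = new ArrayList<>();           // unchecked grants
        final Map<String, List<Permission>> byRole = new HashMap<>();  // grants per role name

        DemoPolicy unchecked(Permission p) { everyone.add(p); return this; }
        DemoPolicy role(String role, Permission p) {
            byRole.computeIfAbsent(role, r -> new ArrayList<>()).add(p);
            return this;
        }

        @Override public boolean implies(Principal[] principals, Permission wanted) {
            for (Permission g : everyone) if (g.implies(wanted)) return true;
            for (Principal p : principals)
                for (Permission g : byRole.getOrDefault(p.getName(), List.of()))
                    if (g.implies(wanted)) return true;
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed deployment: /secret/* is excluded (no UDP grant), /admin/* requires
        // HTTPS and the "admin" role, everything else is public over any transport.
        PolicyCheck policy = new DemoPolicy()
            .unchecked(new WebUserDataPermission("/:/admin/*:/secret/*", (String) null))
            .unchecked(new WebUserDataPermission("/admin/*", "GET,POST:CONFIDENTIAL"))
            .unchecked(new WebResourcePermission("/:/admin/*:/secret/*", (String) null))
            .role("admin", new WebResourcePermission("/admin/*", (String) null));

        JaccWebAuthorizer auth = new JaccWebAuthorizer(policy, NO_PRINCIPALS);
        Principal[] admin = { new RolePrincipal("admin") };
        Principal[] user  = { new RolePrincipal("user") };

        System.out.println(auth.decide("/index.html",  "GET", false, null));   // public page, anonymous
        System.out.println(auth.decide("/admin/users", "GET", false, null));   // protected page over plain HTTP
        System.out.println(auth.decide("/admin/users", "GET", true,  null));   // protected page, HTTPS, anonymous
        System.out.println(auth.decide("/admin/users", "GET", true,  user));   // HTTPS, logged in without the role
        System.out.println(auth.decide("/admin/users", "GET", true,  admin));  // HTTPS, logged in with the role
        System.out.println(auth.decide("/secret/keys", "GET", true,  admin));  // excluded page, even for admin
    }
}
```

The six calls in `main` are arranged so that each step of the sequence decides at least one of them: the plain-HTTP and `/secret/*` requests never get past the UDP check in step 1, the anonymous HTTPS request to `/admin/*` fails the WRP check and falls into 4.b, and the two logged-in requests are settled by step 3 or step 4 depending on whether the role grant implies the requested resource.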
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.