Hi Jan :)

> (I'm cross posting this to jboss-dev and jetty-discuss)
>
> I think your current problem has in fact always been a problem with
> your webapp, but it has just been unmasked by a modification to the
> thread authentication stuff we did recently. What we did was to ensure
> that when a Jetty/JBoss thread has finished servicing a request, the
> user principal and credentials were disassociated from the thread -
> otherwise all subsequent work done by that thread in servicing another
> request would use that security information.

Yep, I know. I helped to catch that bug. Modest help, anyway.

> So, in your case, what I think is happening is that your webapp has
> appeared to work in the past because the principal and credentials from
> the hit with basic authentication was remaining attached to the
> servicing thread, so the subsequent "non-authenticated" hit was in fact
> using them.

Not probable. My application shows a different menu depending on the
principal authenticated. When it's a non-authenticated user the menu is the
public one. Salesman, customers, sysadmin and director also have their own.
That's why authentication failures are easy to catch, they shout it out
loud (menus have different colours).

All my EJBs leave permissions open to everyone (access is only restricted on
the web tier), so even non-authenticated users should have no problem
accessing resources. Anyway, if I only open unauthenticated browsers there is
no problem, it only arises when I open and authenticate one of them. The bug
arises then in the non-authenticated browser.

I don't feel comfortable asking for help past this point. I have enough info
to get on by myself, so I'll give it a good try to see what's happening. If
nobody is complaining about it it must be, as Marc said, 90% my fault.

Thanks to everybody.



_______________________________________________
Jboss-development mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-development
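The thread-reuse leak the quoted paragraph describes, as an added Python simulation that is not part of this thread or of Jetty/JBoss: a single worker thread services an authenticated hit and then an unauthenticated one, and the second hit inherits the principal unless the handler disassociates it when the request finishes. The request dicts and the one-thread pool are constructed stand-ins for a servlet container's worker thread.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

# Per-thread security context, standing in for the container's thread-bound
# principal/credentials (constructed for this example).
_ctx = threading.local()


def handle(request, clear_after=True):
    """Service one request; return the principal the 'menu' code would see."""
    if "auth" in request:
        # Basic-auth hit: associate the authenticated principal with the thread.
        _ctx.principal = request["auth"]
    try:
        # The web tier picks a menu based on this value; None means public menu.
        return getattr(_ctx, "principal", None)
    finally:
        if clear_after and hasattr(_ctx, "principal"):
            # The fix described above: disassociate the principal from the
            # thread once the request is done, so the next request starts clean.
            del _ctx.principal


def simulate(clear_after):
    """Run an authenticated hit, then an unauthenticated one, on ONE thread."""
    requests = [
        {"auth": "director", "path": "/home"},  # constructed: browser that logged in
        {"path": "/home"},                      # constructed: unauthenticated browser
    ]
    # max_workers=1 guarantees both requests are serviced by the same thread,
    # which is exactly the situation in which a stale principal would leak.
    with ThreadPoolExecutor(max_workers=1) as pool:
        return [pool.submit(handle, r, clear_after).result() for r in requests]


if __name__ == "__main__":
    print("without cleanup:", simulate(False))  # second hit sees 'director'
    print("with cleanup:   ", simulate(True))   # second hit sees None (public)
```

The first run reproduces the masking effect (the unauthenticated request silently runs as the previous user); the second shows what the fixed container does, which is why a webapp that only ever worked under the leaked principal starts failing once cleanup is in place.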