TomcatSecurityService and unauthenticated user roles
----------------------------------------------------
Key: OPENEJB-984
URL: https://issues.apache.org/jira/browse/OPENEJB-984
Project: OpenEJB
Issue Type: Improvement
Components: tomcat
Affects Versions: 3.1
Environment: Linux x86_64, Java 6
Reporter: Luis Fernando Planella Gonzalez
Currently, TomcatSecurityService is registered as SystemInstance's RoleResolver
component.
It overrides the AbstractSecurityService.getLogicalRoles() (which would grant a
role with the same name as the principal name), and only interprets principals
with its own inner classes: TomcatUser and RunAsRole.
Since the default user is not of either class, it yields an empty set of
roles.
I see 2 possible solutions:
* Add a way to customize which role should be granted to an unauthenticated user
* Delegate to the default AbstractSecurityService when no roles are granted,
like:
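    public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
        // current implementation
        if (roles.isEmpty()) {
            // No role came from a TomcatUser or RunAsRole principal:
            // fall back to the default name-based resolution.
            return super.getLogicalRoles(principals, logicalRoles);
        }
        return roles;
    }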
See http://www.nabble.com/Unauthenticated-principal-td21012809.html
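
A self-contained model of the behaviour described in this report, added here as an illustration; it is not OpenEJB code or the reporter's patch. DefaultResolver, ContainerResolver, ContainerUser, Named and the "guest"/"admin" names are constructed stand-ins for AbstractSecurityService, TomcatSecurityService, TomcatUser and the default user.

```java
import java.security.Principal;
import java.util.*;
public class RoleFallbackDemo {
    static final class Named implements Principal {          // plain principal, e.g. the default user
        final String name;
        Named(String name) { this.name = name; }
        public String getName() { return name; }
    }
    static final class ContainerUser implements Principal {  // stand-in for TomcatUser
        final String name; final Set<String> granted;
        ContainerUser(String name, String... granted) {
            this.name = name; this.granted = new HashSet<>(Arrays.asList(granted));
        }
        public String getName() { return name; }
    }
    static class DefaultResolver {  // default per the report: grant the role named like the principal
        Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
            Set<String> roles = new TreeSet<>();
            for (Principal p : principals)
                if (logicalRoles.contains(p.getName())) roles.add(p.getName());
            return roles;
        }
    }
    static class ContainerResolver extends DefaultResolver {  // only understands its own principal type
        final boolean delegateWhenEmpty;
        ContainerResolver(boolean delegateWhenEmpty) { this.delegateWhenEmpty = delegateWhenEmpty; }
        @Override
        Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
            Set<String> roles = new TreeSet<>();
            for (Principal p : principals)
                if (p instanceof ContainerUser)           // every other principal type is skipped
                    for (String r : ((ContainerUser) p).granted)
                        if (logicalRoles.contains(r)) roles.add(r);
            if (roles.isEmpty() && delegateWhenEmpty)     // second option from the report
                return super.getLogicalRoles(principals, logicalRoles);
            return roles;
        }
    }
    public static void main(String[] args) {
        Set<String> declared = new HashSet<>(Arrays.asList("guest", "admin")); // constructed roles
        Principal[] unauth = { new Named("guest") };                            // constructed default user
        Principal[] alice = { new ContainerUser("alice", "admin") };
        for (boolean delegate : new boolean[] { false, true }) {
            ContainerResolver r = new ContainerResolver(delegate);
            System.out.println("delegate=" + delegate
                + " unauthenticated=" + r.getLogicalRoles(unauth, declared)
                + " alice=" + r.getLogicalRoles(alice, declared));
        }
    }
}
```

In this model the fallback triggers on any empty result, so an authenticated user whose container roles match no declared role is also resolved by name. With name-based resolution, the unauthenticated principal's name should not coincide with a privileged role name.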