[ http://issues.apache.org/jira/browse/GERONIMO-832?page=all ]
Gianny Damour reassigned GERONIMO-832:
--------------------------------------
Assign To: Gianny Damour
> Calling isUserInRole from JSP not mapped to a Servlet
> -----------------------------------------------------
>
> Key: GERONIMO-832
> URL: http://issues.apache.org/jira/browse/GERONIMO-832
> Project: Geronimo
> Type: Bug
> Components: security
> Versions: 1.0-M3, 1.0-M4
> Reporter: Gianny Damour
> Assignee: Gianny Damour
> Priority: Minor
>
> Calling isUserInRole from a JSP not mapped to a servlet fails with Jetty as
> the servlet container.
> In the case of a JSP not explicitly mapped in the web.xml DD, isUserInRole("<a
> role name>") triggers a validation of the following Permission:
> (javax.security.jacc.WebRoleRefPermission jsp <a role name>)
> The name "jsp" is sourced from the JettyServletHolder, which is automatically
> registered to handle the processing of *.jsp files.
> As pointed out by Jeff, it seems that the JACC specification mandates another
> behavior:
> * the name "jsp" should actually be an empty string; and
> * for each security role declared by the web.xml DD, a WebRoleRefPermission
> permission should be automatically added. The name of this Permission should
> be an empty string and the action should be the role name.
> Excerpt of the JACC specification talking about this specific behavior:
> "
> B.19 Calling isUserInRole from JSP not mapped to a Servlet
> Checking a WebRoleRefPermission requires the name of a Servlet to identify
> the scope of the reference to role translation. The name of a scoping servlet
> has not been established for an unmapped JSP.
> Resolution? For every security role in the web application add a
> WebRoleRefPermission to the corresponding role. The name of all such
> permissions shall be the empty string, and the actions of each permission
> shall be the corresponding role name. When checking a WebRoleRefPermission
> from a JSP not mapped to a servlet, use a permission with the empty string as
> its name and with the argument to isUserInRole as its actions. This
> specification will require that containers implement this resolution when the
> Servlet Specification
> requires that containers test the caller for membership in the role named by
> the argument to isUserInRole when isUserInRole is called from an unmapped JSP.
> "
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
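A small Python model of the permission construction and check discussed in the issue, added here as an illustration; it is not Geronimo's or Jetty's code, and the WebRoleRefPermission class, role names and servlet names are constructed stand-ins for the javax.security.jacc types. It contrasts the Jetty-derived scoping name "jsp" with the empty-string name and per-role permissions that JACC B.19 requires.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WebRoleRefPermission:
    """Stand-in for javax.security.jacc.WebRoleRefPermission (constructed model)."""
    name: str     # scoping servlet name; "" for a JSP not mapped to a servlet
    actions: str  # the role (or role-ref) name passed to isUserInRole


def build_role_ref_permissions(web_xml_roles, servlet_role_refs, apply_b19_rule):
    """Build the per-role permission sets a JACC policy configuration would hold.

    web_xml_roles: roles declared by <security-role> in web.xml
    servlet_role_refs: {servlet_name: {role_ref_name: linked_role}}
    apply_b19_rule: add WebRoleRefPermission("", role) for every role (JACC B.19)
    Returns {role: set(WebRoleRefPermission)}.
    """
    perms = {role: set() for role in web_xml_roles}
    for servlet, refs in servlet_role_refs.items():
        for ref, role in refs.items():
            perms[role].add(WebRoleRefPermission(servlet, ref))
    if apply_b19_rule:
        # B.19: name is the empty string, actions is the role itself.
        for role in web_xml_roles:
            perms[role].add(WebRoleRefPermission("", role))
    return perms


def is_user_in_role(perms, caller_roles, scoping_servlet_name, role_arg):
    """Model of the container checking a WebRoleRefPermission for the caller."""
    needed = WebRoleRefPermission(scoping_servlet_name, role_arg)
    return any(needed in perms.get(role, set()) for role in caller_roles)


def check_from_unmapped_jsp(perms, caller_roles, role_arg, use_jetty_holder_name):
    """isUserInRole from an unmapped JSP: Jetty's holder name "jsp" vs. B.19's ""."""
    name = "jsp" if use_jetty_holder_name else ""
    return is_user_in_role(perms, caller_roles, name, role_arg)


if __name__ == "__main__":
    # Constructed sample deployment: two roles, one servlet with a role-ref.
    roles = {"manager", "employee"}
    refs = {"PayrollServlet": {"mgr": "manager"}}
    buggy = build_role_ref_permissions(roles, refs, apply_b19_rule=False)
    fixed = build_role_ref_permissions(roles, refs, apply_b19_rule=True)
    print("jsp-name check :", check_from_unmapped_jsp(buggy, {"manager"}, "manager", True))
    print("B.19 check     :", check_from_unmapped_jsp(fixed, {"manager"}, "manager", False))
```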