[ http://issues.apache.org/jira/browse/GERONIMO-832?page=all ]

Gianny Damour closed GERONIMO-832:
----------------------------------

    Fix Version: 1.0-M5
     Resolution: Fixed

Fixed in 226718.

Modified:
  geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java
  geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java
  geronimo/trunk/modules/tomcat-builder/src/java/org/apache/geronimo/tomcat/deployment/TomcatModuleBuilder.java

> Calling isUserInRole from JSP not mapped to a Servlet
> -----------------------------------------------------
>
>          Key: GERONIMO-832
>          URL: http://issues.apache.org/jira/browse/GERONIMO-832
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M3, 1.0-M4
>     Reporter: Gianny Damour
>     Assignee: Gianny Damour
>     Priority: Minor
>      Fix For: 1.0-M5
>
> Calling isUserInRole from a JSP not mapped to a servlet fails with Jetty as
> the servlet container.
>
> In the case of a JSP not explicitly mapped in the web.xml DD, isUserInRole("<a
> role name>") triggers a validation of the following Permission:
>
>   (javax.security.jacc.WebRoleRefPermission jsp <a role name>)
>
> The name "jsp" is sourced from the JettyServletHolder, which is automatically
> registered to handle the processing of *.jsp files.
>
> As pointed out by Jeff, it seems that the JACC specification mandates another
> behavior:
>
> * the name "jsp" should actually be an empty string; and
> * for each security role declared by the web.xml DD, a WebRoleRefPermission
>   permission should be automatically added. The name of this Permission should
>   be an empty string and the action should be the role name.
>
> Excerpt of the JACC specification talking about this specific behavior:
>
> "
> B.19 Calling isUserInRole from JSP not mapped to a Servlet
>
> Checking a WebRoleRefPermission requires the name of a Servlet to identify
> the scope of the reference to role translation. The name of a scoping servlet
> has not been established for an unmapped JSP.
>
> Resolution?
> For every security role in the web application add a
> WebRoleRefPermission to the corresponding role. The name of all such
> permissions shall be the empty string, and the actions of each permission
> shall be the corresponding role name. When checking a WebRoleRefPermission
> from a JSP not mapped to a servlet, use a permission with the empty string as
> its name and with the argument to isUserInRole as its actions. This
> specification will require that containers implement this resolution when the
> Servlet Specification requires that containers test the caller for membership
> in the role named by the argument to isUserInRole when isUserInRole is called
> from an unmapped JSP.
> "
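The B.19 resolution quoted above, shown as an added example that is not part of the Geronimo fix or the JIRA issue: it builds the per-role permission set a module builder would pass to PolicyConfiguration.addToRole, including the extra empty-name WebRoleRefPermission, and contrasts the check an unmapped JSP must make against the pre-fix check that carried Jetty's "jsp" holder name. It assumes only the javax.security.jacc API (JACC 1.0) on the classpath; the servlet and role names are constructed for illustration.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.Arrays;
import java.util.List;
import javax.security.jacc.WebRoleRefPermission;

public class UnmappedJspRoleRef {

    // Permissions granted to one security role declared in web.xml.
    // A deployer would hand each of these to PolicyConfiguration.addToRole(role, perm).
    static PermissionCollection permissionsForRole(String role, List<String> servletNames) {
        Permissions perms = new Permissions();
        for (String servlet : servletNames) {
            // Normal case: a role-ref scoped to a named servlet (identity mapping shown;
            // a real builder would apply the servlet's <security-role-ref> links here).
            perms.add(new WebRoleRefPermission(servlet, role));
        }
        // JACC B.19: one additional permission whose name is the empty string and
        // whose actions are the role name, so unmapped JSPs can be checked.
        perms.add(new WebRoleRefPermission("", role));
        return perms;
    }

    // The permission isUserInRole(role) must check when called from a JSP that is
    // not mapped to a servlet: empty name, role argument as actions.
    static Permission unmappedJspCheck(String role) {
        return new WebRoleRefPermission("", role);
    }

    // The check Jetty issued before the fix: the JettyServletHolder name "jsp"
    // leaked in as the permission name, which no role was ever granted.
    static Permission preFixJettyCheck(String role) {
        return new WebRoleRefPermission("jsp", role);
    }

    public static void main(String[] args) {
        // Constructed sample input: two named servlets and the "admin" role.
        List<String> servlets = Arrays.asList("AccountServlet", "ReportServlet");
        PermissionCollection admin = permissionsForRole("admin", servlets);

        System.out.println("spec-conformant check granted: "
                + admin.implies(unmappedJspCheck("admin")));
        System.out.println("pre-fix \"jsp\"-named check granted: "
                + admin.implies(preFixJettyCheck("admin")));
    }
}
```

The empty-name permission is implied by the role's collection while the "jsp"-named one is not, which is exactly the failure the issue reports.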