[ http://issues.apache.org/jira/browse/GERONIMO-832?page=all ]
     
Gianny Damour closed GERONIMO-832:
----------------------------------

    Fix Version: 1.0-M5
     Resolution: Fixed

Fixed in 226718.

Modified:
    geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java
    geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java
    geronimo/trunk/modules/tomcat-builder/src/java/org/apache/geronimo/tomcat/deployment/TomcatModuleBuilder.java

> Calling isUserInRole from JSP not mapped to a Servlet
> -----------------------------------------------------
>
>          Key: GERONIMO-832
>          URL: http://issues.apache.org/jira/browse/GERONIMO-832
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M3, 1.0-M4
>     Reporter: Gianny Damour
>     Assignee: Gianny Damour
>     Priority: Minor
>      Fix For: 1.0-M5
>
> Calling isUserInRole from a JSP not mapped to a servlet fails with Jetty as 
> the servlet container.
> In the case of JSP not explicitly mapped in the web.xml DD, isUserInRole("<a 
> role name>") triggers a validation of the following Permission: 
> (javax.security.jacc.WebRoleRefPermission jsp <a role name>)
> The name "jsp" is sourced from the JettyServletHolder, which is automatically 
> registered to handle the processing of *.jsp files.
> As pointed out by Jeff, it seems that the JACC specification mandates another 
> behavior:
> * the name "jsp" should actually be an empty string; and
> * for each security role declared by the web.xml DD, a WebRoleRefPermission 
> permission should be automatically added.  The name of this Permission should 
> be an empty string and the action should be the role name.
> Excerpt of the JACC specification talking about this specific behavior:
> "
> B.19 Calling isUserInRole from JSP not mapped to a Servlet
> Checking a WebRoleRefPermission requires the name of a Servlet to identify 
> the scope of the reference to role translation. The name of a scoping servlet 
> has not been established for an unmapped JSP.
> Resolution? For every security role in the web application add a 
> WebRoleRefPermission to the corresponding role. The name of all such 
> permissions shall be the empty string, and the actions of each permission 
> shall be the corresponding role name. When checking a WebRoleRefPermission 
> from a JSP not mapped to a servlet, use a permission with the empty string as 
> its name and with the argument to isUserInRole as its actions. This 
> specification will require that containers implement this resolution when the 
> Servlet Specification requires that containers test the caller for membership 
> in the role named by the argument to isUserInRole when isUserInRole is called 
> from an unmapped JSP.
> "

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
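An added illustration of the B.19 resolution quoted in the issue, written here as example code and not taken from Geronimo's JettyModuleBuilder, TomcatModuleBuilder or JAASJettyRealm: it builds the WebRoleRefPermission grants a policy configuration holds for one role and contrasts the spec-conformant check from an unmapped JSP (empty-string name) with the pre-fix check scoped to the "jsp" holder name. It assumes the javax.security.jacc API jar on the classpath; the role names and servlet name are constructed.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.List;
import java.util.Map;
import javax.security.jacc.WebRoleRefPermission;

/** Hypothetical helper illustrating JACC B.19; not Geronimo's own deployer code. */
public class UnmappedJspRoleRefExample {

    /**
     * Grants a policy configuration would hold for {@code role}.
     * servletRoleRefs: servlet name -> role-ref name that translates to this role.
     * declaredRoles: every <security-role> declared in web.xml.
     */
    static PermissionCollection roleRefPermissionsFor(String role,
            Map<String, String> servletRoleRefs, List<String> declaredRoles) {
        Permissions granted = new Permissions();
        // Mapped servlets: a WebRoleRefPermission scoped by the servlet name.
        for (Map.Entry<String, String> e : servletRoleRefs.entrySet()) {
            granted.add(new WebRoleRefPermission(e.getKey(), e.getValue()));
        }
        // B.19: for every declared role, add a permission whose name is the empty
        // string and whose actions are the role name, for use by unmapped JSPs.
        if (declaredRoles.contains(role)) {
            granted.add(new WebRoleRefPermission("", role));
        }
        return granted;
    }

    /** Permission a container checks for isUserInRole(arg) called from an unmapped JSP. */
    static Permission unmappedJspCheck(String isUserInRoleArg) {
        return new WebRoleRefPermission("", isUserInRoleArg);
    }

    public static void main(String[] args) {
        List<String> declaredRoles = List.of("admin", "user");            // constructed
        PermissionCollection adminGrants = roleRefPermissionsFor(
                "admin", Map.of("AccountServlet", "manager"), declaredRoles); // constructed

        // Spec-conformant: the empty-name grant covers the unmapped-JSP check.
        System.out.println("unmapped JSP, name \"\": "
                + adminGrants.implies(unmappedJspCheck("admin")));
        // Pre-fix behaviour described in the issue: scoping by the "jsp" holder
        // name finds no matching grant, so the role check fails.
        System.out.println("unmapped JSP, name \"jsp\": "
                + adminGrants.implies(new WebRoleRefPermission("jsp", "admin")));
        // A mapped servlet is still checked under its own name and role-ref.
        System.out.println("AccountServlet/manager: "
                + adminGrants.implies(new WebRoleRefPermission("AccountServlet", "manager")));
    }
}
```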
