[ http://issues.apache.org/jira/browse/GERONIMO-1012?page=comments#action_12329378 ]
David Jencks commented on GERONIMO-1012: ---------------------------------------- I've fixed this for web apps that have no security constraints but are part of a secured j2ee application. I don't see how to fix it for unsecured pages on web apps with constraints: it appears we'd have to rewrite/copy/modify the authentication valves. I'm leaving this open in the hopes someone can find a better solution. Sending modules/tomcat/project.xml Sending modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java Adding modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/DefaultSubjectValve.java Sending modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/PolicyContextValve.java Transmitting file data .... Committed revision 289136. > Tomcat integration does not set a subject in an unsecured web module in a > secured ejb application > ------------------------------------------------------------------------------------------------- > > Key: GERONIMO-1012 > URL: http://issues.apache.org/jira/browse/GERONIMO-1012 > Project: Geronimo > Type: Bug > Components: Tomcat > Versions: 1.0-M5 > Reporter: David Jencks > Assignee: David Jencks > Fix For: 1.0-M5 > > In the jetty integration, in SecurityContextBeforeAfter, a request for an > unsecured page results in the default subject being set in the ContextManager > (line 288). This provides a way to call secured ejbs and also provides a > source for credentials for calling secured web services. > In tomcat, we don't do anything like that: in particular there is no source > of credentials for secured web services. > I think the simplest solution is to, if the app is secured, to add another > valve after the standard tomcat security valve, that sets the default subject > into the ContextManager if none is there already. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira