Never mind...I didn't read the other emails...I'll have a look.
Jeff
Jeff Genender wrote:
I don't think we need another valve, could we not do this in one of the
existing valves?
Jeff
David Jencks (JIRA) wrote:
[ http://issues.apache.org/jira/browse/GERONIMO-1012?page=all ]
David Jencks reassigned GERONIMO-1012:
--------------------------------------
Assign To: Jeff Genender (was: David Jencks)
Jeff, can you think of a better way to do this?
Tomcat integration does not set a subject in an unsecured web module
in a secured ejb application
-------------------------------------------------------------------------------------------------
Key: GERONIMO-1012
URL: http://issues.apache.org/jira/browse/GERONIMO-1012
Project: Geronimo
Type: Bug
Components: Tomcat
Versions: 1.0-M5
Reporter: David Jencks
Assignee: Jeff Genender
Fix For: 1.0-M5
In the Jetty integration, in SecurityContextBeforeAfter, a request
for an unsecured page results in the default subject being set in the
ContextManager (line 288). This provides a way to call secured ejbs
and also provides a source for credentials for calling secured web
services.
In Tomcat, we don't do anything like that: in particular there is no
source of credentials for secured web services. I think the simplest
solution is, if the app is secured, to add another valve after the
standard Tomcat security valve, that sets the default subject into
the ContextManager if none is there already.