[ http://issues.apache.org/jira/browse/GERONIMO-1012?page=all ]
David Jencks closed GERONIMO-1012:
----------------------------------
Fix Version: 1.1
(was: 1.0-M5)
Resolution: Fixed
Jeff pointed out how to add the DefaultSubjectValve after the authentication
valve. This fixes the problems for unauthenticated pages in a secured web app.
Sending
modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java
Transmitting file data .
Committed revision 366121.
> Tomcat integration does not set a subject in an unsecured web module in a
> secured ejb application
> -------------------------------------------------------------------------------------------------
>
> Key: GERONIMO-1012
> URL: http://issues.apache.org/jira/browse/GERONIMO-1012
> Project: Geronimo
> Type: Bug
> Components: Tomcat
> Versions: 1.0-M5
> Reporter: David Jencks
> Assignee: David Jencks
> Fix For: 1.1
>
> In the jetty integration, in SecurityContextBeforeAfter, a request for an
> unsecured page results in the default subject being set in the ContextManager
> (line 288). This provides a way to call secured ejbs and also provides a
> source for credentials for calling secured web services.
> In tomcat, we don't do anything like that: in particular there is no source
> of credentials for secured web services.
> I think the simplest solution is to, if the app is secured, to add another
> valve after the standard tomcat security valve, that sets the default subject
> into the ContextManager if none is there already.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
