access to unprotected web resource after login does not use correct Subject
---------------------------------------------------------------------------

         Key: GERONIMO-1425
         URL: http://issues.apache.org/jira/browse/GERONIMO-1425
     Project: Geronimo
        Type: Bug
  Components: Tomcat, web  
    Versions: 1.1    
    Reporter: David Jencks
 Assigned to: David Jencks 
     Fix For: 1.1


This applies to both jetty and tomcat.

Currently we are installing the correct authenticated Subject in ContextManager 
only when you access a protected resource.  For any access to unprotected 
resources, even after logon, we are installing the default Subject in the 
ContextManager.  This appears to violate this from servlet spec 2.4 12.7:

A security identity, or principal, must always be provided for use in a call to 
an enterprise bean. The default mode in calls to enterprise beans from web 
applications is for the security identity of a web user to be propagated to the 
EJB™ container.

After logon, the security identity of the user is known, whether or not they 
are visiting a protected resource.  Therefore the default is to use this 
identity in ejb calls, which for us requires putting the authenticated subject 
in the ContextManager.

Alan Cabrera has some doubts that this spec language actually requires us to 
implement the default behavior stated here, and I agree that a strict reading 
does not seem to require this, but IIUC we agree that we should implement this 
behavior anyway.
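The difference between the current and the intended behaviour, as an added illustration that is not Geronimo's code: the `ContextManagerModel` class below is a hypothetical stand-in for Geronimo's ContextManager (a thread-local holding the current caller Subject), and `Session`, `handleRequestCurrent` and `handleRequestFixed` are likewise assumed names for this example. The "current" variant installs the authenticated Subject only when the requested resource is protected; the "fixed" variant installs it whenever the session already holds a logged-in Subject, so an EJB call made from an unprotected page after logon sees the real user rather than the default identity.

```java
import javax.security.auth.Subject;
import java.security.Principal;

public class SubjectPropagationExample {

    // Hypothetical simplified model of a container ContextManager (not Geronimo's API):
    // a thread-local "current caller" that EJB invocations would read.
    static final class ContextManagerModel {
        private static final Subject DEFAULT_SUBJECT = new Subject(); // unauthenticated default identity
        private static final ThreadLocal<Subject> CURRENT =
                ThreadLocal.withInitial(() -> DEFAULT_SUBJECT);

        static void setCurrentCaller(Subject s) { CURRENT.set(s == null ? DEFAULT_SUBJECT : s); }
        static Subject getCurrentCaller()        { return CURRENT.get(); }
        static Subject defaultSubject()          { return DEFAULT_SUBJECT; }
        static void clear()                      { CURRENT.remove(); }
    }

    // Minimal session: holds the Subject established at logon, or null before logon.
    static final class Session { Subject authenticated; }

    // Current behaviour described in the report: the authenticated Subject is installed
    // only for protected resources; unprotected resources always get the default Subject.
    static void handleRequestCurrent(Session session, boolean resourceIsProtected, Runnable servlet) {
        if (resourceIsProtected) {
            ContextManagerModel.setCurrentCaller(session.authenticated);
        } else {
            ContextManagerModel.setCurrentCaller(ContextManagerModel.defaultSubject());
        }
        try { servlet.run(); } finally { ContextManagerModel.clear(); }
    }

    // Intended behaviour: once the user has logged on, the known identity is installed for
    // every request, protected or not, so it propagates to EJB calls by default.
    static void handleRequestFixed(Session session, boolean resourceIsProtected, Runnable servlet) {
        Subject caller = session.authenticated != null
                ? session.authenticated
                : ContextManagerModel.defaultSubject();
        ContextManagerModel.setCurrentCaller(caller);
        try { servlet.run(); } finally { ContextManagerModel.clear(); }
    }

    // What an EJB called from the servlet would observe as its caller.
    static String callerSeenByEjb() {
        Subject s = ContextManagerModel.getCurrentCaller();
        if (s == ContextManagerModel.defaultSubject()) return "<default/unauthenticated>";
        StringBuilder names = new StringBuilder();
        for (Principal p : s.getPrincipals()) names.append(p.getName()).append(' ');
        return names.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample: a session whose user has already logged on as "alice".
        Session session = new Session();
        session.authenticated = new Subject();
        session.authenticated.getPrincipals().add((Principal) () -> "alice");

        Runnable servletCallingEjb = () -> System.out.println("  EJB sees caller: " + callerSeenByEjb());

        System.out.println("Current behaviour, unprotected resource after logon:");
        handleRequestCurrent(session, false, servletCallingEjb);   // prints <default/unauthenticated>
        System.out.println("Current behaviour, protected resource after logon:");
        handleRequestCurrent(session, true, servletCallingEjb);    // prints alice

        System.out.println("Fixed behaviour, unprotected resource after logon:");
        handleRequestFixed(session, false, servletCallingEjb);     // prints alice
        System.out.println("Fixed behaviour, before any logon:");
        handleRequestFixed(new Session(), false, servletCallingEjb); // prints <default/unauthenticated>
    }
}
```

The `finally { clear(); }` in both handlers matters on a real container: the thread-local must be reset when the request finishes, otherwise a pooled worker thread could carry one user's Subject into the next request it serves.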
