I think it would be nice to behave like you're describing, but I believe that the spec does not require it. That is, if the default principal is "anonymous" and the current user is "aaron", I think it's legit to have protected pages use the "aaron" subject and non-protected pages use the "anonymous" subject (I'm pretty sure some other servers work that way), but it would be nicer if both types of pages used the "aaron" subject until that session expired or the user logs out.
Aaron On 1/6/06, David Jencks (JIRA) <[email protected]> wrote: > access to unprotected web resource after login does not use correct Subject > --------------------------------------------------------------------------- > > Key: GERONIMO-1425 > URL: http://issues.apache.org/jira/browse/GERONIMO-1425 > Project: Geronimo > Type: Bug > Components: Tomcat, web > Versions: 1.1 > Reporter: David Jencks > Assigned to: David Jencks > Fix For: 1.1 > > > This applies to both jetty and tomcat. > > Currently we are installing the correct authenticated Subject in > ContextManager only when you access a protected resource. For any access to > unprotected resources, even after logon, we are installing the default > Subject in the ContextManager. This appears to violate this from servlet > spec 2.4 12.7: > > A security identity, or principal, must always be provided for use in a call > to an enterprise bean. The default mode in calls to enterprise beans from web > applications is for the security identity of a web user to be propagated to > the EJBTM container. > > After logon, the security identity of the user is known, whether or not they > are visiting a protected resource. Therefore the default is to use this > identity in ejb calls, which for us requires putting the authenticated > subject in the ContextManager. > > Alan Cabrera has some doubts that this spec language actually requires us to > implement the default behavior stated here, and I agree that a strict reading > does not seem to require this, but IIUC we agree that we should implement > this behavior anyway. > > -- > This message is automatically generated by JIRA. > - > If you think it was sent incorrectly contact one of the administrators: > http://issues.apache.org/jira/secure/Administrators.jspa > - > For more information on JIRA, see: > http://www.atlassian.com/software/jira > >
