On Jan 6, 2006, at 1:14 PM, Aaron Mulder wrote:
> I think it would be nice to behave like you're describing, but I
> believe that the spec does not require it. That is, if the default
> principal is "anonymous" and the current user is "aaron", I think it's
> legit to have protected pages use the "aaron" subject and
> non-protected pages use the "anonymous" subject (I'm pretty sure some
> other servers work that way), but it would be nicer if both types of
> pages used the "aaron" subject until that session expired or the user
> logs out.

Can you point to another server that works this way? I think the
spec is needlessly unclear but does (barely) require the behavior I'm
proposing; Alan is not quite so sure. I'd also be interested in an
explanation of how to read the spec so our current behavior is more
clearly correct :-)

thanks
david jencks

> Aaron
>
> On 1/6/06, David Jencks (JIRA) <[email protected]> wrote:
>> access to unprotected web resource after login does not use
>> correct Subject
>> ---------------------------------------------------------------------------
>>
>> Key: GERONIMO-1425
>> URL: http://issues.apache.org/jira/browse/GERONIMO-1425
>> Project: Geronimo
>> Type: Bug
>> Components: Tomcat, web
>> Versions: 1.1
>> Reporter: David Jencks
>> Assigned to: David Jencks
>> Fix For: 1.1
>>
>> This applies to both jetty and tomcat.
>>
>> Currently we are installing the correct authenticated Subject in
>> ContextManager only when you access a protected resource. For any
>> access to unprotected resources, even after logon, we are
>> installing the default Subject in the ContextManager. This
>> appears to violate this from servlet spec 2.4 12.7:
>>
>> A security identity, or principal, must always be provided for use
>> in a call to an enterprise bean. The default mode in calls to
>> enterprise beans from web applications is for the security
>> identity of a web user to be propagated to the EJB™ container.
>>
>> After logon, the security identity of the user is known, whether
>> or not they are visiting a protected resource. Therefore the
>> default is to use this identity in ejb calls, which for us
>> requires putting the authenticated subject in the ContextManager.
>>
>> Alan Cabrera has some doubts that this spec language actually
>> requires us to implement the default behavior stated here, and I
>> agree that a strict reading does not seem to require this, but
>> IIUC we agree that we should implement this behavior anyway.
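The two behaviours the thread argues over, as an added Python model (not Geronimo code): `ContextManager`, `Session` and the two dispatchers are simplified stand-ins for the web tier, and the principal names "anonymous" and "aaron" are the ones from Aaron's message. It shows what a downstream EJB call would see for an unprotected page after login under the current (reported) behaviour and under the proposed one.

```python
"""Model of the GERONIMO-1425 report: which Subject the web tier installs for
a request, and therefore which identity a downstream EJB call sees. Added
example, not Geronimo code; ContextManager and Session are simplified
stand-ins, and the names "anonymous" and "aaron" come from the thread."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_PRINCIPAL = "anonymous"  # the unauthenticated (default) Subject


@dataclass
class Session:
    principal: Optional[str] = None  # set at logon, None before


@dataclass
class ContextManager:
    """Stand-in for the holder the EJB call reads its caller identity from."""
    current: str = DEFAULT_PRINCIPAL

    def install(self, principal: str) -> None:
        self.current = principal


def dispatch_buggy(session: Session, protected: bool, cm: ContextManager) -> str:
    """Behaviour the report describes: the authenticated Subject is installed
    only for protected resources; unprotected ones get the default Subject
    even after logon (the login challenge itself is not modelled)."""
    if protected and session.principal is not None:
        cm.install(session.principal)
    else:
        cm.install(DEFAULT_PRINCIPAL)
    return cm.current  # what an EJB called from this request would see


def dispatch_fixed(session: Session, protected: bool, cm: ContextManager) -> str:
    """Proposed behaviour: once logged on, the known identity is installed for
    every request in the session, protected or not, so it reaches the EJB."""
    cm.install(session.principal or DEFAULT_PRINCIPAL)
    return cm.current


def compare(principal: str = "aaron") -> dict:
    """Run the 'unprotected page after login' case through both dispatchers."""
    logged_in = Session(principal=principal)
    return {
        "buggy_protected": dispatch_buggy(logged_in, True, ContextManager()),
        "buggy_unprotected": dispatch_buggy(logged_in, False, ContextManager()),
        "fixed_unprotected": dispatch_fixed(logged_in, False, ContextManager()),
        "fixed_before_login": dispatch_fixed(Session(), False, ContextManager()),
    }
```

`compare()` returns "anonymous" for the buggy unprotected case and "aaron" for the fixed one, which is exactly the identity mismatch the report says an EJB would observe.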