JAASJettyRealm not shared enough
--------------------------------

         Key: GERONIMO-1440
         URL: http://issues.apache.org/jira/browse/GERONIMO-1440
     Project: Geronimo
        Type: Bug
  Components: web  
    Versions: 1.0    
    Reporter: David Jencks
 Assigned to: David Jencks 
     Fix For: 1.1


There are a bunch of problems that lead back to missing JAASJettyRealms or 
multiple "equal" JAASJettyRealms.

A JAASJettyRealm has an (external) realm name from the web.xml and an internal 
Geronimo realm name and a map of user name to principal (which includes the 
Subject for that user) for logged-in users.  If you supply an (internal) 
security realm name, a JAASJettyRealm is registered with the HTTPContext and 
used for authentication, reauthentication, etc.  If you don't supply a security 
realm name, but there is a realm name, then Jetty tries to get the realm from 
the JettyServer.  Here are some problems:

1. We never register our JAASJettyRealms with JettyServer, so if you don't 
supply a security realm name you eventually get NPEs if the app calls 
isUserInRole etc.

Let's assume we fix (1).
2. If you have 2 apps A and B deployed with the same external realm name and 
internal realm name, only the last to start is registered with the 
JettyServer.  Any other app C using the same realm name but no internal realm 
name will get the second realm.  If we did an x-context dispatch from the first 
app A to C, C will be using the realm from B.

I think that there should only be one JAASJettyRealm per external realm name, 
based on servlet spec 2.4 section 12.6.  If you disagree, please say why :-).



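The two failure modes in the report (an unregistered realm that turns into an NPE, and a last-one-wins registration that hands app C a realm whose logged-in user map belongs to B) can be reproduced in a small model. The following is an added illustration, not Geronimo or Jetty code: the classes Realm, RealmRegistry and WebApp, the function dispatch_check, the realm names "ExampleRealm" and "geronimo-realm", and the user store are all invented for the model. What it keeps from the report is the shape of a JAASJettyRealm (external realm name, internal realm name, per-realm map of logged-in user to principal) and the proposed fix of one realm per external realm name.

```python
"""Toy model of the realm-registration problem described in GERONIMO-1440.

Added illustration only: none of this is Geronimo or Jetty code.  The class
and method names (Realm, RealmRegistry, WebApp, dispatch_check) are invented
for the model.  What it keeps from the bug report is the shape of a
JAASJettyRealm: an external realm name from web.xml, an internal Geronimo
realm name, and a per-realm map of logged-in user -> principal.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed user store standing in for the internal Geronimo realm.
USERS = {"alice": ("secret", {"admin"}), "bob": ("hunter2", {"user"})}


@dataclass
class Realm:
    external_name: str     # <realm-name> in web.xml
    internal_name: str     # Geronimo security realm it authenticates against
    # logged-in user -> roles (stands in for the user's Subject/principal)
    principals: Dict[str, Set[str]] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> bool:
        entry = USERS.get(user)
        if entry is None or entry[0] != password:
            return False
        self.principals[user] = entry[1]   # remember the logged-in principal
        return True

    def is_user_in_role(self, user: str, role: str) -> bool:
        return role in self.principals.get(user, set())


class RealmRegistry:
    """Server-wide registry, playing the JettyServer's part in the report."""

    def __init__(self, one_per_external_name: bool):
        self.one_per_external_name = one_per_external_name
        self.realms: Dict[str, Realm] = {}

    def register(self, realm: Realm) -> Realm:
        existing = self.realms.get(realm.external_name)
        if self.one_per_external_name and existing is not None:
            if existing.internal_name != realm.internal_name:
                raise ValueError(f"{realm.external_name!r} is already bound to "
                                 f"internal realm {existing.internal_name!r}")
            return existing                      # proposed fix: share the realm
        self.realms[realm.external_name] = realm     # current behaviour: last wins
        return realm

    def lookup(self, external_name: str) -> Optional[Realm]:
        return self.realms.get(external_name)


class WebApp:
    def __init__(self, name: str, registry: RealmRegistry, external_realm: str,
                 internal_realm: Optional[str] = None,
                 register_with_server: bool = True):
        self.name = name
        if internal_realm is not None:
            realm = Realm(external_realm, internal_realm)
            # Problem (1): today the realm is attached to the HTTPContext only
            # and never registered with the server, so apps that give only an
            # external realm name cannot find it.
            self.realm = registry.register(realm) if register_with_server else realm
        else:
            self.realm = registry.lookup(external_realm)   # None models the NPE


def dispatch_check(one_per_external_name: bool, register_with_server: bool):
    """Log alice in through app A, then ask app C (reached by a cross-context
    dispatch from A) whether alice is in role 'admin'.  Returns True/False, or
    the string "NPE" when C ends up with no realm at all."""
    registry = RealmRegistry(one_per_external_name)
    a = WebApp("A", registry, "ExampleRealm", "geronimo-realm", register_with_server)
    WebApp("B", registry, "ExampleRealm", "geronimo-realm", register_with_server)
    c = WebApp("C", registry, "ExampleRealm")            # external name only
    assert a.realm.authenticate("alice", "secret")
    if c.realm is None:
        return "NPE"
    return c.realm.is_user_in_role("alice", "admin")


if __name__ == "__main__":
    print(dispatch_check(False, False))   # "NPE"  - problem (1): nothing registered
    print(dispatch_check(False, True))    # False  - problem (2): C got B's realm
    print(dispatch_check(True, True))     # True   - one realm per external name
```

The third run is the behaviour the report argues for: because A, B and C resolve "ExampleRealm" to the same Realm object, a login performed in A is visible to C after the dispatch. The registry also refuses to bind one external realm name to two different internal realms, which is the conflict the "one JAASJettyRealm per external realm name" rule has to decide on one way or the other.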