[ http://issues.apache.org/jira/browse/GERONIMO-1440?page=all ]
     
David Jencks resolved GERONIMO-1440:
------------------------------------

    Resolution: Fixed

(also fixes GERONIMO-1425 for jetty).  This makes there be only one 
JAASJettyRealm per external realm name, and makes any app that uses the realm 
name get access to the same instance, as long as one app includes an internal 
security realm name.  I'm leaving this resolved but unclosed in case anyone 
objects to this behavior.

Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JettyContainer.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JettyContainerImpl.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JettyServer.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
Transmitting file data ......
Committed revision 367263. 

> JAASJettyRealm not shared enough
> --------------------------------
>
>          Key: GERONIMO-1440
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1440
>      Project: Geronimo
>         Type: Bug
>   Components: web
>     Versions: 1.0
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.1
>
> There are a bunch of problems that lead back to missing JAASJettyRealms or 
> multiple "equal" JAASJettyRealms.
> A JAASJettyRealm has an (external) realm name from the web.xml and an 
> internal Geronimo realm name and a map of user name to principal (which 
> includes the Subject for that user) for logged-in users.  If you supply an 
> (internal) security realm name, a JAASJettyRealm is registered with the 
> HTTPContext and used for authentication, reauthentication, etc.  If you don't 
> supply a security realm name, but there is a realm name, then Jetty tries to 
> get the realm from the JettyServer.  Here are some problems:
> 1. We never register our JAASJettyRealms with JettyServer, so if you don't 
> supply a security realm name you eventually get NPEs if the app calls 
> isUserInRole etc.
> Let's assume we fix (1).
> 2. If you have 2 apps A and B deployed with the same external realm name and 
> internal realm name, only the last to start is registered with the 
> JettyServer.  Any other app C using the same realm name but no internal realm 
> name will get the second realm.  If we did a cross-context dispatch from the 
> first app A to C, C will be using the realm from B.
> I think that there should only be one JAASJettyRealm per external realm name, 
> based on servlet spec 2.4 section 12.6.  If you disagree, please say why :-).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
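The sharing rule the issue argues for, as an added example that is not Geronimo's or Jetty's code: a small Java registry keyed by the external realm name, in which a second app registering the same name receives the existing instance instead of replacing it, an app that names only the external realm looks it up, and undeploy is reference-counted so one app leaving does not take the realm away from the others. The class and method names (SharedRealmRegistry, addRealm, getRealm, removeRealm), the realm names in main, and the stand-in login (no real JAAS LoginModule runs) are all assumptions made here, not Geronimo identifiers.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

// Added example, not Geronimo or Jetty code. All names here are hypothetical.
public class SharedRealmRegistry {

    // Stand-in for the per-user principal the realm caches: it carries the JAAS
    // Subject so a second app reached by cross-context dispatch can reuse it.
    static final class RealmPrincipal implements Principal {
        private final String name;
        final Subject subject;
        RealmPrincipal(String name, Subject subject) { this.name = name; this.subject = subject; }
        public String getName() { return name; }
    }

    // Simplified realm: external name from web.xml <realm-name>, internal
    // Geronimo security realm name, and the map of logged-in users.
    static final class SharedRealm {
        final String externalName;
        final String internalName;
        private final Map<String, RealmPrincipal> loggedIn = new HashMap<>();
        int refCount;   // number of web apps currently sharing this instance

        SharedRealm(String externalName, String internalName) {
            this.externalName = externalName;
            this.internalName = internalName;
        }

        // Stand-in for JAAS login: a real realm would run the LoginModules here.
        synchronized RealmPrincipal login(String user) {
            RealmPrincipal p = new RealmPrincipal(user, new Subject());
            loggedIn.put(user, p);
            return p;
        }

        synchronized RealmPrincipal reauthenticate(String user) { return loggedIn.get(user); }
    }

    private final Map<String, SharedRealm> byExternalName = new HashMap<>();

    // An app that supplies an internal security realm name. If another app already
    // registered this external name, hand back that instance instead of replacing
    // it (replacing is the "last app to start wins" behaviour from the issue).
    synchronized SharedRealm addRealm(String externalName, String internalName) {
        SharedRealm realm = byExternalName.get(externalName);
        if (realm == null) {
            realm = new SharedRealm(externalName, internalName);
            byExternalName.put(externalName, realm);
        } else if (!realm.internalName.equals(internalName)) {
            // Same external name bound to two different Geronimo realms: the apps
            // must not share a logged-in map, so refuse rather than silently mix them.
            throw new IllegalStateException("realm-name " + externalName
                    + " is already bound to security realm " + realm.internalName);
        }
        realm.refCount++;
        return realm;
    }

    // An app that names a realm in web.xml but gives no internal realm name. It
    // only works if some other app registered that external name (the NPE case).
    synchronized SharedRealm getRealm(String externalName) {
        SharedRealm realm = byExternalName.get(externalName);
        if (realm == null) {
            throw new IllegalStateException("no security realm registered for realm-name "
                    + externalName + "; deploy an app that names one");
        }
        realm.refCount++;
        return realm;
    }

    // Undeploy: keep the instance alive while any other app still refers to it.
    synchronized void removeRealm(SharedRealm realm) {
        if (--realm.refCount == 0) {
            byExternalName.remove(realm.externalName);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: apps A and B name both realms, app C only the external one.
        SharedRealmRegistry registry = new SharedRealmRegistry();
        SharedRealm a = registry.addRealm("Corporate", "corp-jaas-realm");
        SharedRealm b = registry.addRealm("Corporate", "corp-jaas-realm");
        SharedRealm c = registry.getRealm("Corporate");
        System.out.println("A, B and C share one realm: " + (a == b && b == c));

        // alice authenticates through A; a cross-context dispatch into C finds her Subject.
        Subject viaA = a.login("alice").subject;
        RealmPrincipal seenByC = c.reauthenticate("alice");
        System.out.println("C sees alice's Subject: " + (seenByC != null && seenByC.subject == viaA));

        // Undeploying B must not take the realm away from A and C.
        registry.removeRealm(b);
        System.out.println("realm survives B undeploy: " + (registry.getRealm("Corporate") == a));

        // Mismatched internal names for the same external name are rejected.
        try {
            registry.addRealm("Corporate", "some-other-realm");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac and java. The mismatch check in addRealm is a guard the issue does not discuss; it is added here because, once instances are shared by external name alone, two apps binding the same realm-name to different Geronimo realms would otherwise share one logged-in map across unrelated credential stores.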
