[ http://issues.apache.org/jira/browse/GERONIMO-1440?page=all ]
David Jencks resolved GERONIMO-1440:
------------------------------------
Resolution: Fixed
This patch shares info based on security realm name and basically ignores the
realm-name from web.xml. You must supply a security-realm-name for any web app
that asks e.g. isUserInRole().
Adding modules/jetty/src/java/org/apache/geronimo/jetty/InternalJAASJettyRealm.java
Sending modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java
Sending modules/jetty/src/java/org/apache/geronimo/jetty/JettyContainer.java
Sending modules/jetty/src/java/org/apache/geronimo/jetty/JettyContainerImpl.java
Sending modules/jetty/src/java/org/apache/geronimo/jetty/JettyEJBWebServiceContext.java
Sending modules/jetty/src/java/org/apache/geronimo/jetty/JettyServer.java
Sending modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java
Sending modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
Sending modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java
Transmitting file data .........
Committed revision 367430.
> JAASJettyRealm not shared enough
> --------------------------------
>
> Key: GERONIMO-1440
> URL: http://issues.apache.org/jira/browse/GERONIMO-1440
> Project: Geronimo
> Type: Bug
> Components: web
> Versions: 1.0
> Reporter: David Jencks
> Assignee: David Jencks
> Fix For: 1.1
>
> There are a bunch of problems that lead back to missing JAASJettyRealms or
> multiple "equal" JAASJettyRealms.
> A JAASJettyRealm has an (external) realm name from the web.xml and an
> internal geronimo realm name and a map of user name to principal (which
> includes the Subject for that user) for logged in users. If you supply a
> (internal) security realm name, a JAASJettyRealm is registered with the
> HTTPContext and used for authentication, reauthentication, etc. If you don't
> supply a security realm name, but there is a realm name, then jetty tries to
> get the realm from the JettyServer. Here are some problems:
> 1. We never register our JAASJettyRealms with JettyServer, so if you don't
> supply a security realm name you eventually get NPEs if the app calls
> isUserInRole etc.
> Let's assume we fix (1).
> 2. If you have 2 apps A and B deployed with the same external realm name and
> internal realm name, only the last to start is registered with the
> JettyServer. Any other app C using the same realm name but no internal realm
> name will get the second realm. If we did a x-context dispatch from the
> first app A to C, C will be using the realm from B.
> I think that there should only be one JAASJettyRealm per external realm name,
> based on servlet spec 2.4 section 12.6. If you disagree, please say why :-).
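The sharing rule stated in the resolution comment (one realm per security realm name, web.xml realm-name ignored, security-realm-name mandatory), as an added sketch that is not the committed Geronimo code. All class and method names are hypothetical, and the reference counting on app start/stop is an assumption of this example, not something the message describes.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical names throughout; this is not the Geronimo or Jetty API.
public class SharedRealmRegistry {

    /** One instance per security realm name, holding the logged-in users. */
    static final class SharedRealm {
        final String securityRealmName;
        // user name -> principal (placeholder Object type for the sketch)
        final Map<String, Object> loggedInUsers = new ConcurrentHashMap<>();
        int refCount; // guarded by the registry's lock
        SharedRealm(String name) { this.securityRealmName = name; }
    }

    private final Map<String, SharedRealm> realms = new HashMap<>();

    /** Called when a web app starts. The web.xml realm-name is deliberately not a key. */
    public synchronized SharedRealm acquire(String securityRealmName) {
        if (securityRealmName == null) {
            // Fail at deployment rather than with an NPE on the first isUserInRole() call.
            throw new IllegalArgumentException("web app must supply a security-realm-name");
        }
        SharedRealm realm = realms.computeIfAbsent(securityRealmName, SharedRealm::new);
        realm.refCount++;
        return realm;
    }

    /** Called when a web app stops; the realm is dropped only when its last app stops. */
    public synchronized void release(String securityRealmName) {
        SharedRealm realm = realms.get(securityRealmName);
        if (realm != null && --realm.refCount == 0) {
            realms.remove(securityRealmName);
        }
    }

    public static void main(String[] args) {
        SharedRealmRegistry registry = new SharedRealmRegistry();
        // Constructed sample: apps A and B both name the security realm "demo-realm".
        SharedRealm a = registry.acquire("demo-realm");
        SharedRealm b = registry.acquire("demo-realm");
        System.out.println("A and B share one realm: " + (a == b));
        a.loggedInUsers.put("alice", "principal-for-alice"); // login through app A
        System.out.println("B sees A's login: " + b.loggedInUsers.containsKey("alice"));
        registry.release("demo-realm"); // A stops; B still holds the same realm
        System.out.println("still shared after A stops: " + (registry.acquire("demo-realm") == b));
    }
}
```

Keying on the security realm name alone means a cross-context dispatch between apps that name the same security realm resolves to the same logged-in-user map, whichever app started last.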