[ http://issues.apache.org/jira/browse/GERONIMO-1463?page=all ]

John Sisson updated GERONIMO-1463:
----------------------------------

    Fix Version: 1.0.1
    Description: 
TomcatGeronimoRealm has a complicated way of trying to determine the servlet 
name by resolving the context path.  Unfortunately it doesn't work very well.  
However, the servlet name is available from request.getWrapper.getName().  The 
wrapper in question wraps the servlet, not the request, so it should always be 
available.

In addition, the current code only sets the request on a thread local when you 
access a secured page.  However there seems to be agreement that access to 
unsecured pages after you have logged on should still have the Subject 
available and give "logged in" answers to isUserInRole.  Therefore we have to 
set the request when accessing any page.  Moving the setting to 
PolicycontextValve should suffice.


  was:
TomcatGeronimoRealm has a complicated way of trying to determine the servlet 
name by resolving the context path.  Unfortunately it doesn't work very well.  
However, the servlet name is available from request.getWrapper.getName().  The 
wrapper in question wraps the servlet, not the request, so it should always be 
available.

In addition, the current code only sets the request on a thread local when you 
access a secured page.  However there seems to be agreement that access to 
unsecured pages after you have logged on should still have the Subject 
available and give "logged in" answers to isUserInRole.  Therefore we have to 
set the request when accessing any page.  Moving the setting to 
PolicycontextValve should suffice.

        Version: 1.0
                     (was: 1.1)
      Assign To: John Sisson  (was: David Jencks)

Had IRC chat with djencks and he said this fix makes an "isUserInRole" test in 
Jetspeed 2 start working.  IIUC it involves one servlet including another 
servlet in another web app that in turn includes a JSP. The JSP asks 
isUserInRole and it was getting the wrong answer.

He also agreed this change should be merged into the 1.0 branch.

> Tomcat doesn't always get the right servlet name when evaluating isUserInRole
> -----------------------------------------------------------------------------
>
>          Key: GERONIMO-1463
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1463
>      Project: Geronimo
>         Type: Bug
>   Components: Tomcat
>     Versions: 1.0
>     Reporter: David Jencks
>     Assignee: John Sisson
>      Fix For: 1.1, 1.0.1
>
> TomcatGeronimoRealm has a complicated way of trying to determine the servlet 
> name by resolving the context path.  Unfortunately it doesn't work very well. 
>  However, the servlet name is available from request.getWrapper.getName().  
> The wrapper in question wraps the servlet, not the request, so it should 
> always be available.
> In addition, the current code only sets the request on a thread local when 
> you access a secured page.  However there seems to be agreement that access 
> to unsecured pages after you have logged on should still have the Subject 
> available and give "logged in" answers to isUserInRole.  Therefore we have to 
> set the request when accessing any page.  Moving the setting to 
> PolicycontextValve should suffice.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
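
The behaviour described in this issue, modelled as an added stand-alone Java example (not Geronimo or Tomcat code; every class, method and role name is hypothetical and the data is constructed). Role references are declared per servlet, so the role check needs the current servlet's name on every request, secured or not; the model assumes the check fails closed when no request context is set.

```java
import java.util.Map;
import java.util.Set;

// Added illustration: a simplified model, not the Geronimo implementation.
public class RoleCheckDemo {
    // Per-thread holder for the servlet being served (stand-in for the realm's thread local).
    static final ThreadLocal<String> CURRENT_SERVLET = new ThreadLocal<>();

    // Constructed data: role references are declared per servlet (security-role-ref).
    static final Map<String, Map<String, String>> ROLE_REFS = Map.of(
        "portal", Map.of("admin", "portal-admin"),
        "reports", Map.of("admin", "report-admin"));

    // Constructed data: roles held by the logged-in Subject.
    static final Set<String> SUBJECT_ROLES = Set.of("report-admin");

    // Realm-side check: resolve the role reference for the servlet named in the thread local.
    static boolean isUserInRole(String roleRef) {
        String servlet = CURRENT_SERVLET.get();
        if (servlet == null) return false; // assumption of this model: no context, fail closed
        String role = ROLE_REFS.getOrDefault(servlet, Map.of()).get(roleRef);
        return role != null && SUBJECT_ROLES.contains(role);
    }

    // "Before": the context is set only when the page has a security constraint.
    static boolean serveBefore(String servlet, boolean secured) {
        if (secured) CURRENT_SERVLET.set(servlet);
        try { return isUserInRole("admin"); }
        finally { CURRENT_SERVLET.remove(); }
    }

    // "After": a valve-style wrapper sets the context for every request.
    // Restoring the previous value is an added design choice, not taken from the issue.
    static boolean serveAfter(String servlet) {
        String previous = CURRENT_SERVLET.get();
        CURRENT_SERVLET.set(servlet);
        try { return isUserInRole("admin"); }
        finally {
            if (previous == null) CURRENT_SERVLET.remove(); else CURRENT_SERVLET.set(previous);
        }
    }

    public static void main(String[] args) {
        System.out.println("before, secured page:   " + serveBefore("reports", true));
        System.out.println("before, unsecured page: " + serveBefore("reports", false));
        System.out.println("after, reports servlet: " + serveAfter("reports"));
        System.out.println("after, portal servlet:  " + serveAfter("portal"));
    }
}
```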
