[ http://issues.apache.org/jira/browse/GERONIMO-1425?page=all ]
David Jencks updated GERONIMO-1425:
-----------------------------------
Fix Version: 1.1
patch ported to 1.1 in rev 395178
> access to unprotected web resource after login does not use correct Subject
> ---------------------------------------------------------------------------
>
> Key: GERONIMO-1425
> URL: http://issues.apache.org/jira/browse/GERONIMO-1425
> Project: Geronimo
> Type: Bug
> Security: public(Regular issues)
> Components: Tomcat, web
> Versions: 1.2
> Reporter: David Jencks
> Assignee: David Jencks
> Fix For: 1.2, 1.1
>
> This applies to both jetty and tomcat.
>
> Currently we are installing the correct authenticated Subject in
> ContextManager only when you access a protected resource. For any access to
> unprotected resources, even after logon, we are installing the default
> Subject in the ContextManager. This appears to violate this from servlet
> spec 2.4 12.7:
>
> A security identity, or principal, must always be provided for use in a call
> to an enterprise bean. The default mode in calls to enterprise beans from web
> applications is for the security identity of a web user to be propagated to
> the EJB™ container.
>
> After logon, the security identity of the user is known, whether or not they
> are visiting a protected resource. Therefore the default is to use this
> identity in ejb calls, which for us requires putting the authenticated
> subject in the ContextManager.
>
> Alan Cabrera has some doubts that this spec language actually requires us to
> implement the default behavior stated here, and I agree that a strict reading
> does not seem to require this, but IIUC we agree that we should implement
> this behavior anyway.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira