[ https://issues.apache.org/jira/browse/GERONIMO-3581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12559648#action_12559648 ]

Jarek Gawor commented on GERONIMO-3581:
---------------------------------------

There are two (related) issues here.

1) Forgetting about OpenEJB for a moment, ContextManager.login() creates
LoginContext. And LoginContext will throw NPE if the security realm is null. So
we could either add a null check to ContextManager.login() or pass a default
security realm name.

2) With OpenEJB, OpenEJB uses GeronimoSecurityService to login. That class has
two login functions. First, the one without security realm parameter passes
"OpenEJB" as a security realm. That security realm is not configured anywhere
(as far as I can tell) and therefore if that method is called the
authentication will always fail. The second GeronimoSecurityService.login()
function just calls ContextManager.login(). And it also does not perform null
check of the security realm. I guess we could add the default security realm
there but it won't address 1) if there is another path to
ContextManager.login().



> Default security realm name in ContextManager
> ---------------------------------------------
>
>                 Key: GERONIMO-3581
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3581
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.0.x, 2.1
>            Reporter: Jarek Gawor
>
> ContextManager.login() should use a default security realm name if user did
> not pass a security realm. Null security realm will cause an exception in
> LoginContext. Right now because of this issue, a standalone ejb client must
> set a custom property ("openejb.authentication.realmName") in order for
> authentication to succeed.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
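The two failure modes in the comment above, as an added worked example that is not Geronimo's or OpenEJB's code: a `login()` wrapper that resolves a null or empty realm name to a default before constructing the JAAS `LoginContext` (issue 1), and a call with a realm name that no configuration defines, which the default cannot rescue (issue 2, the "OpenEJB" case). The class name `DefaultRealmLogin`, the `resolveRealm` helper, the constant `DEFAULT_REALM` and the in-memory `SingleRealmConfiguration` are assumptions made for the example; Geronimo's real default realm name is not stated on the page.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class DefaultRealmLogin {

    // Hypothetical default realm name; the page does not say what Geronimo's would be.
    static final String DEFAULT_REALM = "default-realm";

    /** The null check the comment proposes, done once so every login path shares it. */
    static String resolveRealm(String realmName) {
        if (realmName == null || realmName.trim().isEmpty()) {
            return DEFAULT_REALM;
        }
        return realmName;
    }

    /** Guarded login: a null realm never reaches LoginContext. */
    static Subject login(String realmName, CallbackHandler handler, Configuration config)
            throws LoginException {
        LoginContext ctx = new LoginContext(resolveRealm(realmName), new Subject(), handler, config);
        ctx.login();
        return ctx.getSubject();
    }

    /** Trivial module that accepts every login; stands in for a realm's real modules. */
    public static class AcceptAllModule implements LoginModule {
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) { }
        public boolean login() { return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** In-memory JAAS configuration (constructed for this example) with one realm: the default. */
    static class SingleRealmConfiguration extends Configuration {
        private final Map<String, AppConfigurationEntry[]> entries = new HashMap<>();

        SingleRealmConfiguration() {
            entries.put(DEFAULT_REALM, new AppConfigurationEntry[] {
                new AppConfigurationEntry(AcceptAllModule.class.getName(),
                        LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>())
            });
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return entries.get(name); // null for any realm that is not configured
        }
    }

    public static void main(String[] args) {
        Configuration config = new SingleRealmConfiguration();

        // 1) Client passed no realm: resolved to the default, login succeeds.
        try {
            Subject s = login(null, null, config);
            System.out.println("null realm -> resolved to " + resolveRealm(null)
                    + ", subject present=" + (s != null));
        } catch (LoginException e) {
            System.out.println("null realm -> " + e);
        }

        // 2) A realm name nothing configures (the "OpenEJB" case): the default does not
        //    apply, and LoginContext rejects the name before any module runs.
        try {
            login("OpenEJB", null, config);
        } catch (LoginException e) {
            System.out.println("unconfigured realm -> " + e.getMessage());
        }

        // 3) The unguarded path: a null name handed straight to LoginContext. The comment
        //    reports an NPE in Geronimo's path; the exact exception type depends on the JDK.
        try {
            new LoginContext(null, new Subject(), null, config);
        } catch (Exception e) {
            System.out.println("unguarded null -> " + e.getClass().getSimpleName());
        }
    }
}
```

Putting the fallback in `resolveRealm()` rather than in each caller is the point of issue 1: `GeronimoSecurityService.login()` and any other caller of `ContextManager.login()` then get the same behaviour, whereas a default added only in `GeronimoSecurityService` leaves other paths exposed. Case 2 shows why a default realm name is not a fix for the "OpenEJB" realm: a name that no configuration defines fails at `LoginContext` construction whether or not null handling exists.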
