Hi Luis,

I've noticed two related issues:
https://issues.apache.org/jira/browse/OPENEJB-984
https://issues.apache.org/jira/browse/OPENEJB-1120

It seems to me the fix is the same. Is that right? Did I misunderstand something?

Jean-Louis

Luis F. Planella Gonzalez wrote:
>
> TomcatSecurityService overrides SecurityService's getLogicalRoles() method
> to handle its known principal types: TomcatUser and RunAsRole.
> However, it ignores other principals. The default behavior of
> SecurityService is to grant roles when the principal name matches the
> logical role name.
> In practice, this will allow TomcatSecurityService to grant the "guest"
> role when no user is logged in.
>
> I've created https://issues.apache.org/jira/browse/OPENEJB-1120 with a
> patch to fix it.
>
> There is also an old thread where I had already discussed this subject
> with David:
> http://old.nabble.com/Unauthenticated-principal-td21012809.html
> However, here I've applied the sentence: "enough talking, show me the
> code" ;)
>
> Luis Fernando Planella Gonzalez
>

--
View this message in context: http://old.nabble.com/Patching-TomcatSecurityService-to-return-the-guest-role-when-nobody-is-logged-in-tp26815302p26897649.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.
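
The role mapping discussed in the quoted message, as an added Java example that is not part of the thread, the OPENEJB-1120 patch, or OpenEJB's code. The types `ContainerUser` and `NamedPrincipal` and the three method names are hypothetical stand-ins, and the fallback shown is an assumption about the approach, based only on the description above.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.Set;

// Requires Java 16+ (records, pattern matching for instanceof). All names are hypothetical.
public class LogicalRolesDemo {
    // Stand-in for a container principal that carries its own role list.
    record ContainerUser(String name, Set<String> roles) implements Principal {
        public String getName() { return name; }
    }
    // Stand-in for any other principal, e.g. the identity used when nobody is logged in.
    record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Default behaviour described in the thread: grant a role when a principal's name equals it.
    static Set<String> byName(Principal[] principals, Set<String> logicalRoles) {
        Set<String> granted = new LinkedHashSet<>();
        for (Principal p : principals) {
            if (logicalRoles.contains(p.getName())) granted.add(p.getName());
        }
        return granted;
    }

    // Override that understands only its own principal type and ignores everything else.
    static Set<String> knownTypesOnly(Principal[] principals, Set<String> logicalRoles) {
        Set<String> granted = new LinkedHashSet<>();
        for (Principal p : principals) {
            if (p instanceof ContainerUser u) {
                for (String r : logicalRoles) if (u.roles().contains(r)) granted.add(r);
            }
        }
        return granted;
    }

    // Override that falls back to name matching for principals it does not recognise.
    static Set<String> withFallback(Principal[] principals, Set<String> logicalRoles) {
        Set<String> granted = knownTypesOnly(principals, logicalRoles);
        for (Principal p : principals) {
            if (!(p instanceof ContainerUser)) granted.addAll(byName(new Principal[]{p}, logicalRoles));
        }
        return granted;
    }

    public static void main(String[] args) {
        Set<String> roles = Set.of("guest", "admin");            // constructed sample roles
        Principal[] anonymous = { new NamedPrincipal("guest") }; // constructed: nobody logged in
        Principal[] loggedIn = { new ContainerUser("alice", Set.of("admin")) };
        System.out.println("known types only, anonymous: " + knownTypesOnly(anonymous, roles));
        System.out.println("with fallback, anonymous:    " + withFallback(anonymous, roles));
        System.out.println("with fallback, logged in:    " + withFallback(loggedIn, roles));
    }
}
```

Because the fallback matches on name alone, any unrecognised principal whose name equals a logical role receives that role, so it matters which principal types can reach that branch.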
