> -----Original Message-----
> From: Jeremy Boynes [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 10, 2004 1:19 PM
>
> [EMAIL PROTECTED] wrote:
>
> > dblevins 2004/02/10 03:06:27
> >
> > Modified:
> > modules/security/src/java/org/apache/geronimo/security
> > ContextManager.java
> > Log:
> > Modified isCallerInRole and getCallerPrinciple to handle the
> > situation where the caller is not known, as is the case when the
> > security interceptor is disabled.
> >
>
> Hey David
>
> I have concerns about disabling the security interceptor - isn't that
> going to leave us wide open?
>
> If we do it, can't we just replace it with a 'null' interceptor that
> just injects a dummy principal. That way all the downstream code can
> work as usual and we are less likely to break things like IIOP
> propagation.
I was thinking that there would be a default principal/subject that will
always show up if the user hasn't logged in. This default subject will
always be put into the ContextManager if there is no authenticated
Subject. This magic would take place in the JNDI "security" wrappers
that wrap the client containers. These wrappers will pick up the
authenticated subject from the Thread Subject and place it into the
ContextManager; there are mechanisms that make obtaining the Thread
Subject more efficient.
When this code is in place, I could safely undo David's temporary fix.
Regards,
Alan
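The default-subject design described above (and the dummy-principal idea from Jeremy's reply), sketched as an added Java illustration; this is not Geronimo's ContextManager, and the class, method and role-map names are hypothetical. The point it shows is that downstream code never sees a null caller, while role checks for the anonymous caller fail closed.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical stand-in for a ContextManager: a missing caller is represented by a
// fixed anonymous Subject instead of null, so callers of getCallerPrincipal and
// isCallerInRole keep working even when no security interceptor ran.
public final class DefaultSubjectContext {
    /** Marker principal for unauthenticated callers (hypothetical name). */
    public static final Principal ANONYMOUS = () -> "anonymous";
    /** Read-only default Subject carrying only the marker principal. */
    public static final Subject DEFAULT_SUBJECT = new Subject(true,
            Collections.singleton(ANONYMOUS), Collections.emptySet(), Collections.emptySet());

    private static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();

    /** Called by the client-container wrapper: install the authenticated Subject, or the default. */
    public static void setCurrentCaller(Subject authenticated) {
        CURRENT.set(authenticated != null ? authenticated : DEFAULT_SUBJECT);
    }

    /** Called when the wrapped call returns, so a Subject never leaks to the next request on this thread. */
    public static void clearCurrentCaller() {
        CURRENT.remove();
    }

    /** Never returns null: a missing caller is the anonymous Subject. */
    public static Subject getCurrentCaller() {
        Subject s = CURRENT.get();
        return s != null ? s : DEFAULT_SUBJECT;
    }

    /** First principal of the current caller; the marker principal for anonymous callers. */
    public static Principal getCallerPrincipal() {
        Set<Principal> principals = getCurrentCaller().getPrincipals();
        return principals.isEmpty() ? ANONYMOUS : principals.iterator().next();
    }

    /** Role check against a principal-name to roles map; the anonymous caller is in no role. */
    public static boolean isCallerInRole(String role, Map<String, Set<String>> roleMap) {
        Subject caller = getCurrentCaller();
        if (caller == DEFAULT_SUBJECT) {
            return false; // fail closed: unauthenticated callers never satisfy a role
        }
        for (Principal p : caller.getPrincipals()) {
            if (roleMap.getOrDefault(p.getName(), Collections.emptySet()).contains(role)) {
                return true;
            }
        }
        return false;
    }
}
```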