Hey!
Is there anybody out there?
No objections, no comments, so I'll do the proposed change.
Any objections or comments now?
:-)
Oleg
On Tuesday 19 December 2000 02:08, Oleg Nitz wrote:
> Hi All,
>
> Now JBoss security is optional in the following sense:
> if the client doesn't set a Principal, authentication is not performed.
> I don't see good reasons for this strange rule.
> Does anybody see?
> I propose the following rules:
> 1) authentication is performed iff the security-manager is set for
> the given bean.
> 2) it is allowed that security-manager is set, but
> role-mapping-manager is not set (now this is not allowed).
> In this case:
> a) throw illegal access exception iff the set of roles for the
> given method is non-empty,
> b) isCallerInRole() always returns false
>
> Any objections or comments?
>
> Regards,
> Oleg
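
The proposed rules written out as a decision procedure, next to the current client-controlled rule. This is an added example, not code from the message or from JBoss: every type and method name is hypothetical, and two points the message leaves open are assumptions (a missing Principal fails authentication on a secured bean; an empty role set is allowed whether or not a role-mapping-manager is set).

```java
import java.security.Principal;
import java.util.Set;

// Added illustration, not JBoss code: every type and method name here is hypothetical.
public class ProposedRulesDemo {
    interface BeanSecurityManager { boolean isValid(Principal p, Object credential); }
    interface RoleMappingManager { boolean hasAnyRole(Principal p, Set<String> roles); }

    // Current rule per the message: the client opts out by sending no Principal.
    static boolean oldRuleAuthenticates(Principal caller) { return caller != null; }

    // Proposed rule 1: the bean's configuration, not the client, decides.
    static boolean newRuleAuthenticates(BeanSecurityManager sm) { return sm != null; }

    // Returns normally when the call may proceed, throws otherwise.
    static void checkCall(BeanSecurityManager sm, RoleMappingManager rm, Principal caller,
                          Object credential, Set<String> methodRoles)
            throws IllegalAccessException {
        if (!newRuleAuthenticates(sm)) return;       // rule 1: bean has no security-manager
        // Assumption: a missing Principal fails authentication on a secured bean.
        if (caller == null || !sm.isValid(caller, credential))
            throw new IllegalAccessException("authentication failed");
        if (methodRoles.isEmpty()) return;           // assumption: no roles required, allow
        if (rm == null)                              // rule 2a: roles required, no mapping
            throw new IllegalAccessException("no role-mapping-manager for " + methodRoles);
        if (!rm.hasAnyRole(caller, methodRoles))
            throw new IllegalAccessException("caller lacks required role");
    }

    // Rule 2b: without a role-mapping-manager the answer is always false.
    static boolean isCallerInRole(RoleMappingManager rm, Principal caller, String role) {
        return rm != null && rm.hasAnyRole(caller, Set.of(role));
    }

    static String attempt(BeanSecurityManager sm, RoleMappingManager rm, Principal caller,
                          Set<String> roles) {
        try { checkCall(sm, rm, caller, "secret", roles); return "allowed"; }
        catch (IllegalAccessException e) { return "denied: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        Principal alice = () -> "alice";                          // constructed sample caller
        BeanSecurityManager sm = (p, c) -> "secret".equals(c);    // constructed sample check
        System.out.println(oldRuleAuthenticates(null));           // old rule, no Principal sent
        System.out.println(attempt(sm, null, null, Set.of()));    // secured bean, no Principal
        System.out.println(attempt(sm, null, alice, Set.of()));   // no roles on the method
        System.out.println(attempt(sm, null, alice, Set.of("admin"))); // rule 2a case
        System.out.println(isCallerInRole(null, alice, "admin")); // rule 2b case
    }
}
```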