Bugs item #468195, was opened at 2001-10-05 00:07
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=376685&aid=468195&group_id=22866

Category: CatalinaBundle
Group: v2.4 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Scott M Stark (starksm)
Assigned to: Scott M Stark (starksm)
Summary: The authentication logic is flawed

Initial Comment:
The 
org.jboss.web.catalina.security.JBossSecurityMgrRealm 
is not setting the principal it returns to null when 
the authentication fails. This is not being detected 
by the unit tests because they are only looking for a 
non-200 HTTP status code. The test needs to check for 
a 401 Unauthorized error code when failure is expected.

The current failure scenario is that an invalid user 
or null user is authenticated due to the non-null 
principal being returned, but the user is not 
authorized to see anything. Thus, an HTTP error code 
of 403 Forbidden is returned and a browser client does 
not give the user a chance to enter login information.


----------------------------------------------------------------------

_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
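The 401-versus-403 behaviour the report describes, as an added example that is not part of the bug report or of the JBoss/Catalina code: a stand-in Realm that reproduces the defect (a non-null principal on failed login) beside a corrected one, the container-side check that turns a null principal into a 401 challenge and a principal without the required role into a 403, and the weak (any non-200) and strict (exactly 401) test assertions. Class and function names are hypothetical and the user table is constructed.

```python
"""Model of the 401-vs-403 failure described in the bug report.

Added example, not JBoss/Catalina code. FlawedRealm, FixedRealm,
handle_request and the USERS table are hypothetical stand-ins.
"""
import base64
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed user database: username -> (password, roles).
USERS = {
    "alice": ("s3cret", {"reader"}),
}


@dataclass
class Principal:
    name: Optional[str]
    roles: set = field(default_factory=set)


class FlawedRealm:
    """Reproduces the reported defect: a Principal object is built before the
    credentials are checked and is returned even when the check fails, so the
    container believes an invalid (or null) user has logged in."""

    def authenticate(self, user, password):
        principal = Principal(user)            # created before the check ...
        record = USERS.get(user)
        if record and hmac.compare_digest(record[0].encode(),
                                          (password or "").encode()):
            principal.roles = set(record[1])
        return principal                       # ... and never reset to None


class FixedRealm:
    """Returns None on any failure; None is what the container keys on."""

    def authenticate(self, user, password):
        record = USERS.get(user)
        if user is None or record is None:
            return None
        if not hmac.compare_digest(record[0].encode(),
                                   (password or "").encode()):
            return None
        return Principal(user, set(record[1]))


def parse_basic(auth_header):
    """Return (user, password) from a Basic header, or (None, None)."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None, None
    try:
        raw = base64.b64decode(auth_header[6:]).decode()
    except Exception:
        return None, None
    user, _, password = raw.partition(":")
    return (user or None), password


def handle_request(realm, auth_header, required_role="reader"):
    """Container logic: 401 plus a challenge when no principal came back,
    403 when a principal exists but lacks the role, 200 otherwise."""
    user, password = parse_basic(auth_header)
    principal = realm.authenticate(user, password)
    if principal is None:
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}
    if required_role not in principal.roles:
        return 403, {}
    return 200, {}


def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def status(realm, auth_header):
    return handle_request(realm, auth_header)[0]


def weak_test_passes(realm):
    """The original unit-test check: any non-200 status counts as failure."""
    return status(realm, basic("alice", "wrong")) != 200


def strict_test_passes(realm):
    """The check the report asks for: a failed login must yield 401."""
    return status(realm, basic("alice", "wrong")) == 401


if __name__ == "__main__":
    for realm in (FlawedRealm(), FixedRealm()):
        name = type(realm).__name__
        print(name, "bad password ->", status(realm, basic("alice", "wrong")))
        print(name, "no credentials ->", status(realm, None))
        print(name, "good password ->", status(realm, basic("alice", "s3cret")))
        print(name, "weak test:", weak_test_passes(realm),
              "strict test:", strict_test_passes(realm))
```

With FlawedRealm a wrong password or an absent Authorization header yields 403, because a principal with no roles is treated as authenticated and the browser never sees a WWW-Authenticate challenge; the non-200 assertion still passes, which is why the defect went unnoticed. FixedRealm yields 401 for both cases and only the strict assertion distinguishes the two realms.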