It ended up being a bug in Jetty. For form based auth, Jetty doesn't call user.authenticate() (except on the first login post) and so it doesn't associate a subject with activeSubject in the security manager. So when it tries to authorize the user in the role, the subject is null and so it fails.

Thanks for your patience. I wonder if there could be some warning spit out when the subject is null. I don't know if there are any legitimate situations where that should happen, but if there aren't, it might be good to log a warning so this type of thing would be easier to detect.

Thank you,
--
Joel Shellman
iKestrel, Inc.
http://www.ikestrel.com/

On Thu, 2001-10-18 at 01:07, Scott M Stark wrote:
> There are many testcases for security in the jbosstest unit tests and 2.4.3
> works fine. Look at those and if you think you really have a bug post
> an example to sourceforge.
>
> xxxxxxxxxxxxxxxxxxxxxxxx
> Scott Stark
>
> > At least I'm pretty sure. I'm doing source level debugging and
> > activeSubject (the thread local variable) never gets set during a
> > request.
> >
> > Well, this results in the role never being authorized because line 195
> > always returns null (the thread local always returns null because it's
> > never set for this thread). Thus on line 263, subject is null, and so
> > doesUserHaveRole() returns false.
> >
> > I put in break points at the only two points that I saw that ever set
> > activeSubject, and neither one was hit during a request.
> >
> > Can anyone help me get a work around or fix for this?

_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
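As an added illustration (not code from this thread, nor from JBoss or Jetty), the following hypothetical Java sketch reproduces the failure mode described above, a thread-local subject that is set only on the login post and so reads null on a later request thread, and adds the null-subject warning Joel asks for. All class, record and method names are assumptions.

```java
import java.util.Set;
import java.util.logging.Logger;

// Hypothetical simplification of a thread-local security context; not JBoss/Jetty code.
public class ThreadLocalRoleCheck {
    private static final Logger LOG = Logger.getLogger(ThreadLocalRoleCheck.class.getName());

    // Minimal stand-in for a JAAS Subject: a user name and its granted roles
    record Subject(String name, Set<String> roles) {}

    // Per-thread active subject, like the activeSubject thread local in the thread
    private static final ThreadLocal<Subject> activeSubject = new ThreadLocal<>();

    // Called by the authenticator on a successful login. In the reported bug this
    // ran only on the first login post, not on every subsequent request.
    static void authenticate(String user, Set<String> roles) {
        activeSubject.set(new Subject(user, roles));
    }

    // Clear at end of request so a pooled worker thread never carries a stale subject
    static void endRequest() {
        activeSubject.remove();
    }

    static boolean doesUserHaveRole(String role) {
        Subject subject = activeSubject.get();
        if (subject == null) {
            // The warning requested in the email: a null subject during an authorization
            // check means authenticate() was never run on this thread. Deny and log it,
            // so a silent "role not granted" becomes a visible symptom.
            LOG.warning("doesUserHaveRole(" + role + "): no active subject on thread "
                    + Thread.currentThread().getName() + "; denying");
            return false;
        }
        return subject.roles().contains(role);
    }

    public static void main(String[] args) throws InterruptedException {
        // Request 1: the login post. authenticate() runs, so the role check succeeds.
        authenticate("joel", Set.of("admin"));
        System.out.println("request 1 admin? " + doesUserHaveRole("admin"));
        endRequest();

        // Request 2: served by another worker thread and authenticate() is not called
        // again, so the check sees a null subject, logs the warning and denies.
        Thread worker = new Thread(
                () -> System.out.println("request 2 admin? " + doesUserHaveRole("admin")),
                "worker-2");
        worker.start();
        worker.join();
    }
}
```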
