Jan, how I love you.

That fixed it. I was trying to write a repro case as Scott asked, but
haven't been able to get the same behaviour. I prepared a servlet that was
registered in jbosstest-web and reproduced my situation but I wasn't able to
get my same bug.

Your fix worked, instead. Thanks a lot.

> -----Original Message-----
> From: Jan Bartel [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 22 March 2002 10:36
> To: [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: Re: [jetty-discuss] [Fwd: [JBoss-dev] Authentication with Jetty]
>
>
> OK chaps, I'm going to have a shot at providing a solution to this.
>
> I think what is happening is that Jetty is only setting the Principal
> to null after it is finished handling a request, rather than both the
> Principal *and* the Credential. Therefore, when no user has been
> authenticated, both Principal and Credential will be null. However,
> after a user has been authenticated, there will be a thread with a null
> Principal but a still set Credential.
>
> Now I haven't fully traced back the intricacies of the security code,
> but I notice that there are a few tests like:
>     if (username == null && password == null)
>          use the unauthenticatedIdentity;
>
> I am assuming that maybe the username and password are obtained from the
> thread's SecurityAssociation.getPrincipal() and
> SecurityAssociation.getPassword().
>
> So, in short I've made sure we null out *both*
> SecurityAssociation.Principal and SecurityAssociation.Credential.
>
> Update your tree to get the new
> $JBOSSHOME/jetty/src/main/org/jboss/jetty/Jetty.java.
>
> If that doesn't fix it, then I definitely give up :-)
>
> Jan
>
> Scott M Stark wrote:
>
> >>>I'm not following what you meant in your original post about
> >>>"I get an exception one of each 3 times..."
> >>>
> >>Hit refresh -> ok
> >>Hit refresh -> ok
> >>Hit refresh -> Error 500
> >>
> >>The error is thrown on any non-authenticated browser when there is an
> >>authenticated one open. If you don't authenticate anyone (if you only
> >>browse the public zone) there is no error.
> >>
> > That should not happen. Is the servlet accessing the ejb deployed in
> > both the protected and unprotected areas? Try to reproduce the issue
> > with a variation of the jbosstest-web.ear.
> >
> >
> >>MyAuthEntry {
> >>    org.jboss.security.auth.spi.DatabaseServerLoginModule required
> >>    dsJndiName="java:/CanplasticaDS"
> >>    principalsQuery="SELECT PASSWORD AS Password FROM USUARIO WHERE ID=?"
> >>    rolesQuery="SELECT ROLE AS Role, 'Roles' AS RoleGroup FROM ROLE WHERE USU_ID = ?"
> >>    unauthenticatedIdentity="nobody" <--------------
> >>;
> >>};
> >>
> >>Also the nobody user has a principal record, because if not it also wasn't
> >>allowed to access the app.
> >>
> > That should work then.
> >
> >
> >
> > _______________________________________________
> > Jboss-development mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/jboss-development
> >
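
The failure mode Jan describes above, reduced to a stand-alone sketch. This is an added example, not code from JBoss or Jetty: the two ThreadLocal fields are hypothetical stand-ins for SecurityAssociation's per-thread Principal and Credential, and the way a stale credential turns into an error is an assumption made for the demonstration.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class StaleCredentialDemo {
    // Hypothetical stand-ins for the per-thread security context discussed in the thread.
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();
    static final ThreadLocal<char[]> CREDENTIAL = new ThreadLocal<>();

    // Mirrors the quoted test: only a fully empty context maps to the unauthenticated identity.
    static String resolveIdentity() {
        String username = PRINCIPAL.get();
        char[] password = CREDENTIAL.get();
        if (username == null && password == null) {
            return "nobody"; // unauthenticatedIdentity from the login configuration
        }
        if (username == null) {
            // Assumption: a half-cleared context is what surfaces as the Error 500.
            throw new IllegalStateException("credential present without principal");
        }
        return username;
    }

    // Handles one request on the calling pooled thread and reports the outcome.
    static String handle(String user, char[] pass, boolean clearBoth) {
        try {
            if (user != null) {
                PRINCIPAL.set(user);
                CREDENTIAL.set(pass);
            }
            return resolveIdentity();
        } catch (IllegalStateException e) {
            return "Error 500: " + e.getMessage();
        } finally {
            PRINCIPAL.remove();          // the cleanup that was already happening
            if (clearBoth) {
                CREDENTIAL.remove();     // the fix: clear the credential as well
            }
        }
    }

    public static void main(String[] args) throws Exception {
        for (boolean clearBoth : new boolean[] {false, true}) {
            // One worker thread, so both requests reuse the same thread-local state.
            ExecutorService worker = Executors.newSingleThreadExecutor();
            // Constructed sample requests: one authenticated, then one anonymous.
            String first = worker.submit(() -> handle("alice", "pw".toCharArray(), clearBoth)).get();
            String second = worker.submit(() -> handle(null, null, clearBoth)).get();
            worker.shutdown();
            System.out.println("clearBoth=" + clearBoth + ": " + first + ", then " + second);
        }
    }
}
```

With a larger pool the anonymous request only fails when it lands on a thread that previously served an authenticated one, which matches the intermittent pattern reported in the quoted messages.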