[ http://jira.jboss.com/jira/browse/JBAS-1592?page=history ]
Scott M Stark closed JBAS-1592:
-------------------------------
Resolution: Done
This was specific to FORM-AUTH avoiding reauthentication against the Realm. The
JACC unit tests have been updated to run the FORM-AUTH tests to validate there
are no future regressions due to caching issues.
> JaccAuthorizationRealm always returns false on subsequent requests
> ------------------------------------------------------------------
>
> Key: JBAS-1592
> URL: http://jira.jboss.com/jira/browse/JBAS-1592
> Project: JBoss Application Server
> Type: Bug
> Components: Deployment Service, Security, Web (Tomcat) service
> Versions: JBossAS-4.0.2RC1, JBossAS-4.0.1 SP1
> Environment: Windows XP SP2
> JDK 1.5.0
> Reporter: Stephen Kinser
> Assignee: Scott M Stark
> Priority: Critical
> Fix For: JBossAS-4.0.2 Final, JBossAS-5.0 Alpha
>
> Original Estimate: 1 day
> Remaining: 1 day
>
> After the initial login, the JaccAuthorizationRealm always returns false
> because the PolicyContext handler for the Subject is not yet initialized when
> the realm is called. To figure out the root of the problem, an understanding
> of the calling order is necessary.
> The standard pipeline is composed of the following valves, in this order:
> - JaccContextValve
> - FormAuthenticator (the authenticator valve in my case)
> - SecurityAssociationValve
> - CustomPrincipalValve
> - StandardContextValve
> The SecurityAssociationValve is added to the pipeline after the authenticator
> valve due to the ordering of the code in the
> TomcatDeployer.performDeployInternal method. The SecurityAssociationValve is
> added after the init call to the server. The init call results in the
> authenticator valve being added to the pipeline.
> When a request is received by an authenticated user, the authenticator valve
> obtains control before the SecurityAssociationValve. The authenticator valve
> calls the JaccAuthorizationRealm for the authorization check. Part of the
> check is as follows:
>     Subject caller = null;
>     try
>     {
>         caller = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
>     }
>     catch (PolicyContextException e)
>     {
>         if( trace )
>             log.trace("Failed to get subject from PolicyContext", e);
>     }
>     if( caller == null ) //*** is always true!
>     {
>         if( trace )
>             log.trace("Denied, no active subject found in PolicyContext");
>         return false;
>     }
> The realm expects to have an initialized caller (Subject), but the caller is
> always null because it wasn't initialized yet since the
> SecurityAssociationValve that initializes the caller (Subject) doesn't
> receive control until after the authenticator valve is finished.
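The valve ordering the report describes, reduced to a self-contained Java simulation added here (not JBoss or Tomcat code; PolicyContext, Valve and the two valve bodies are hypothetical stand-ins for the real classes). With the authenticator ahead of the SecurityAssociationValve the realm's lookup returns null and the request is denied; with the order reversed the same request passes.

```java
import java.util.*;
import java.util.function.Supplier;

// Hypothetical stand-in for javax.security.jacc.PolicyContext: a handler registry keyed by context key.
final class PolicyContext {
    private static final Map<String, Supplier<Object>> handlers = new HashMap<>();
    static void registerHandler(String key, Supplier<Object> h) { handlers.put(key, h); }
    static Object getContext(String key) {
        Supplier<Object> h = handlers.get(key);
        return h == null ? null : h.get();   // null when the handler has nothing to hand back yet
    }
}

// Minimal pipeline element; a valve returning false ends the request (denied).
interface Valve { boolean invoke(Map<String, Object> request); }

public class ValveOrderDemo {
    static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";
    // What the SecurityAssociationValve populates and the Subject handler reads back (stand-in for the real association).
    static final ThreadLocal<String> activeSubject = new ThreadLocal<>();

    // The realm check from the report, reduced to the Subject lookup: no Subject in the PolicyContext means deny.
    static boolean realmCheck() {
        Object caller = PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
        return caller != null;
    }

    // SecurityAssociationValve stand-in: establishes the caller for this thread, then continues.
    static final Valve secAssoc = req -> { activeSubject.set((String) req.get("user")); return true; };
    // Authenticator valve stand-in: delegates the authorization decision to the realm.
    static final Valve authenticator = req -> realmCheck();

    static boolean run(List<Valve> pipeline, Map<String, Object> req) {
        activeSubject.remove();                       // fresh request: nothing associated yet
        for (Valve v : pipeline) if (!v.invoke(req)) return false;
        return true;
    }

    public static void main(String[] args) {
        PolicyContext.registerHandler(SUBJECT_CONTEXT_KEY, activeSubject::get);
        Map<String, Object> req = Map.of("user", "alice");   // constructed sample request
        // Order from the report: authenticator runs before the SecurityAssociationValve.
        System.out.println("authenticator first: " + run(List.of(authenticator, secAssoc), req));
        // Subject associated before the realm is consulted.
        System.out.println("association first:   " + run(List.of(secAssoc, authenticator), req));
    }
}
```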
_______________________________________________
JBoss-Development mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-development