[ http://issues.apache.org/jira/browse/JS2-496?page=all ]
Randy Watler resolved JS2-496:
------------------------------
Fix Version: 2.1-dev
Resolution: Fixed
Assign To: Randy Watler
JS2-496 fix - Support strict interpretation of authenticated role names in
web.xml for tomcat 5.5.14+:
- the '*' role name in <auth-constraint> tags is interpreted as any role defined
  in the webapp web.xml file (not any role the application chooses to pass in
  the JAAS subject).
- test for authenticated user using pseudo role returned to container using
  JAAS subject:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Login</web-resource-name>
        <url-pattern>/login/redirector</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>portal-user</role-name>
      </auth-constraint>
    </security-constraint>
- portal user pseudo role name can be specified in security-atn.xml
  configuration.
- default portal user pseudo role name is 'portal-user'.
- user roles defined in J2 remain included in the subject for those that wish
  to use finer grain tests at the container level.
- this feature may be refined if container managed security is refactored to
  support J2EE style role usage patterns.
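As an added illustration (not part of the JIRA comment and not Jetspeed's own code), the following Python script applies the strict-interpretation rule described in the fix to a constructed web.xml: it expands '*' in an <auth-constraint> to exactly the roles declared in <security-role>, and it flags any auth-constraint role name that is not declared, since under Tomcat 5.5.14+ such a constraint can no longer be satisfied by a role that the application only places in the JAAS subject. The sample web.xml, and the 'admin' and 'manager' roles in it, are constructed for the example; the 'portal-user' pseudo role and the /login/redirector constraint mirror the snippet in the fix.

```python
"""Audit web.xml <auth-constraint> role names under the strict interpretation
(Tomcat 5.5.14+): '*' means only roles declared in <security-role>, and an
undeclared role name never matches.  Constructed example, not Jetspeed code."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml (assumed Servlet 2.4 layout).  The 'portal-user'
# constraint on /login/redirector follows the pattern from the JS2-496 fix;
# the other constraints and roles are made up for the audit.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/redirector</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>portal-user</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>portal-user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit('}', 1)[-1]


def _find_all(elem, name):
    """Descendants of elem (including elem) whose local tag name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def audit_web_xml(xml_text):
    """Return (web-resource-name, referenced_role, effective_roles) tuples.

    effective_roles is the set of declared roles that can satisfy the
    constraint under the strict interpretation; an empty list means no
    principal can ever pass it, which surfaces to a client as a 403.
    """
    root = ET.fromstring(xml_text)
    declared = {rn.text.strip()
                for sr in _find_all(root, 'security-role')
                for rn in _find_all(sr, 'role-name')}
    report = []
    for sc in _find_all(root, 'security-constraint'):
        names = [n.text.strip() for n in _find_all(sc, 'web-resource-name')]
        resource = names[0] if names else '<unnamed>'
        for ac in _find_all(sc, 'auth-constraint'):
            for rn in _find_all(ac, 'role-name'):
                role = rn.text.strip()
                if role == '*':
                    effective = sorted(declared)   # only declared roles, not JAAS-supplied ones
                elif role in declared:
                    effective = [role]
                else:
                    effective = []                 # undeclared: strict container never matches
                report.append((resource, role, effective))
    return report


def undeclared_roles(xml_text):
    """Role names used in <auth-constraint> but missing from <security-role>."""
    return sorted({role for _, role, eff in audit_web_xml(xml_text)
                   if role != '*' and not eff})


if __name__ == '__main__':
    for resource, role, effective in audit_web_xml(SAMPLE_WEB_XML):
        status = 'OK' if effective else 'NEVER MATCHES under strict interpretation'
        print(f"{resource:12} role={role!r:14} effective={effective} {status}")
    print('undeclared roles:', undeclared_roles(SAMPLE_WEB_XML))
```

Running the script on the constructed file shows the Login constraint satisfied by the declared 'portal-user' pseudo role, the '*' constraint expanded to just the two declared roles, and the 'manager' constraint reported as unsatisfiable because the name was never declared in a <security-role>.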
> J2 on tomcat 5.5.15: 403 returned to client browser when any user that
> doesn't have admin role attempts to log in
> -----------------------------------------------------------------------------------------------------------------
>
> Key: JS2-496
> URL: http://issues.apache.org/jira/browse/JS2-496
> Project: Jetspeed 2
> Type: Bug
> Components: Security
> Versions: 2.0-FINAL
> Environment: Tomcat 5.5.15 (JDK 1.5, Apache 2, Fedora Core 3)
> Reporter: Aaron Evans
> Assignee: Randy Watler
> Fix For: 2.1-dev
>
> When J2 is deployed on tomcat 5.5.15, whenever any user that does not have
> the admin role logs in, a 403 is returned for the URI /login/redirector.
> This does not occur on earlier releases of tomcat (5.5.9 for example).
> The user is in fact authenticated, for if you delete the /login/redirector
> from the URL in the browser and refresh, then the main page of the portal is
> shown and the user is authenticated.
--
This message is automatically generated by JIRA.