[ http://issues.apache.org/jira/browse/GERONIMO-1440?page=all ]
     
David Jencks reopened GERONIMO-1440:
------------------------------------


I agree with Aaron that attaching significance to the realm-name is a bad idea.
I think we can ignore the realm name but share the user within an internal
geronimo security realm.  This will require any web module that wants to call
isUserInRole etc. to supply a security-realm-name in the geronimo plan.

> JAASJettyRealm not shared enough
> --------------------------------
>
>          Key: GERONIMO-1440
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1440
>      Project: Geronimo
>         Type: Bug
>   Components: web
>     Versions: 1.0
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.1

>
> There are a bunch of problems that lead back to missing JAASJettyRealms or 
> multiple "equal" JAASJettyRealms.
> A JAASJettyRealm has an (external) realm name from the web.xml and an 
> internal geronimo realm name and a map of user name to principal (which 
> includes the Subject for that user) for logged in users.  If you supply a 
> (internal) security realm name, a JAASJettyRealm is registered with the 
> HTTPContext and used for authentication, reauthentication, etc.  If you don't 
> supply a security realm name, but there is a realm name, then jetty tries to 
> get the realm from the JettyServer.  Here are some problems:
> 1. we never register our JAASJettyRealms with JettyServer, so if you don't 
> supply a security realm name you eventually get NPEs if the app calls 
> isUserInRole etc.
> Let's assume we fix (1).
> 2. If you have 2 apps A and B deployed with the same external realm name and 
> internal realm name, only the last to start is registered with the 
> JettyServer.  Any other app C using the same realm name but no internal realm 
> name will get the second realm.  If we did a x-context dispatch from the 
> first app A to C, C will be using the realm from B.
> I think that there should only be one JAASJettyRealm per external realm name, 
> based on servlet spec 2.4 section 12.6.  If you disagree, please say why :-).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
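The two failure modes in the issue text, and the "one shared realm" alternative, as a small Python model. This is an added example written for this page, not Geronimo or Jetty code: the classes JAASJettyRealm, JettyServer and WebApp, the deploy and is_user_in_role helpers, the SharedRealmRegistry, and the realm and user names ("corp", "geronimo-properties-realm", "alice") are all assumptions chosen to mirror the description above; the Jetty NullPointerException is modelled as an AttributeError.

```python
"""Model of the JAASJettyRealm registration problems described in GERONIMO-1440.

Constructed example for this page, not Geronimo/Jetty code: every class, helper
and name below is an assumption that mirrors the issue text.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional


@dataclass
class Principal:
    """Stand-in for the principal (and its Subject) kept per logged-in user."""
    name: str
    roles: FrozenSet[str]


@dataclass
class JAASJettyRealm:
    external_name: str   # <realm-name> from web.xml
    internal_name: str   # security-realm-name from the geronimo plan
    users: Dict[str, Principal] = field(default_factory=dict)  # logged-in user -> principal

    def authenticate(self, user: str, roles) -> Principal:
        self.users[user] = Principal(user, frozenset(roles))
        return self.users[user]

    def is_user_in_role(self, user: str, role: str) -> bool:
        p = self.users.get(user)
        return p is not None and role in p.roles


class JettyServer:
    """Server-wide realm table keyed by external realm name; a later add overwrites."""
    def __init__(self) -> None:
        self._realms: Dict[str, JAASJettyRealm] = {}

    def add_realm(self, realm: JAASJettyRealm) -> None:
        self._realms[realm.external_name] = realm

    def get_realm(self, external_name: str) -> Optional[JAASJettyRealm]:
        return self._realms.get(external_name)


@dataclass
class WebApp:
    name: str
    realm_name: str                             # external, from web.xml
    security_realm_name: Optional[str] = None   # internal, from the geronimo plan
    realm: Optional[JAASJettyRealm] = None


def deploy(server: JettyServer, app: WebApp, register: bool) -> WebApp:
    """Internal realm given: build a JAASJettyRealm (and register it if asked).
    Only a web.xml realm-name given: look the realm up on the JettyServer."""
    if app.security_realm_name is not None:
        app.realm = JAASJettyRealm(app.realm_name, app.security_realm_name)
        if register:
            server.add_realm(app.realm)
    else:
        app.realm = server.get_realm(app.realm_name)  # None if nothing was registered
    return app


def is_user_in_role(app: WebApp, user: str, role: str) -> bool:
    if app.realm is None:  # models the NPE from problem (1)
        raise AttributeError(f"{app.name}: no realm registered for {app.realm_name!r}")
    return app.realm.is_user_in_role(user, role)


def problem_1_unregistered_realm() -> bool:
    """(1) Nothing is registered with JettyServer, so an app that gives only a
    realm-name has no realm and isUserInRole blows up. True if that happens."""
    server = JettyServer()
    a = deploy(server, WebApp("A", "corp", "geronimo-properties-realm"), register=False)
    c = deploy(server, WebApp("C", "corp"), register=False)
    a.realm.authenticate("alice", ["admin"])
    try:
        is_user_in_role(c, "alice", "admin")
    except AttributeError:
        return True
    return False


def problem_2_last_realm_wins() -> bool:
    """(2) A and B share both names; C (no internal name) gets whichever realm
    registered last. A cross-context dispatch A -> C then checks alice against
    B's realm, where she never logged in. True if C holds B's realm and the
    role check fails."""
    server = JettyServer()
    a = deploy(server, WebApp("A", "corp", "geronimo-properties-realm"), register=True)
    b = deploy(server, WebApp("B", "corp", "geronimo-properties-realm"), register=True)
    c = deploy(server, WebApp("C", "corp"), register=True)
    a.realm.authenticate("alice", ["admin"])
    return c.realm is b.realm and not is_user_in_role(c, "alice", "admin")


class SharedRealmRegistry:
    """One JAASJettyRealm per key. key = external name models the issue's proposal;
    key = internal name models the reopen comment (ignore the web.xml name)."""
    def __init__(self, key: Callable[[str, str], str]) -> None:
        self._key = key
        self._realms: Dict[str, JAASJettyRealm] = {}

    def realm_for(self, external_name: str, internal_name: str) -> JAASJettyRealm:
        k = self._key(external_name, internal_name)
        if k not in self._realms:
            self._realms[k] = JAASJettyRealm(external_name, internal_name)
        return self._realms[k]


def shared_realm_survives_dispatch(key: Callable[[str, str], str]) -> bool:
    """With sharing, A, B and C resolve to one realm and alice's login from A is
    still visible after the dispatch to C."""
    registry = SharedRealmRegistry(key)
    internal = "geronimo-properties-realm"
    a = WebApp("A", "corp", internal, registry.realm_for("corp", internal))
    b = WebApp("B", "corp", internal, registry.realm_for("corp", internal))
    c = WebApp("C", "corp", internal, registry.realm_for("corp", internal))
    a.realm.authenticate("alice", ["admin"])
    return a.realm is b.realm is c.realm and is_user_in_role(c, "alice", "admin")
```

The key passed to SharedRealmRegistry is the only thing that differs between the two proposals on this page: `lambda ext, intl: ext` gives one realm per web.xml realm-name (the original report), `lambda ext, intl: intl` shares logged-in users by geronimo security realm and requires every module to name one in its plan (the reopening comment). The model does not decide between them; it only shows that either removes the last-registration-wins lookup that sends C to B's realm.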