Subject: Re: [jetty-discuss] Re: [JBoss-dev] Jetty3.1.5, Axis Basic Authentication Problem
Luke,
I stand corrected. It is the '*' role behaviour that should be used.
The lack of any role means no access. I knew the 2.3 spec had defined
both these cases, but got them mixed up.
Jetty4
Cristoph,
I think the problem is that you are using the NONE role name. This is
actually a jetty extension and not standard (as the standard says very very
little about any of this...)
With a role of NONE, the security handler does not insist that the user
is authenticated. It was added so
Greg Wilkins wrote:
Cristoph,
Either way, you do not want the semantics of NONE, you want the user
to be authenticated, but you do not care what group they are in.
Again, Jetty has an extension to the spec to support this. All users
are in the role org.mortbay.http.User. However
Luke,
I stand corrected. It is the '*' role behaviour that should be used.
The lack of any role means no access. I knew the 2.3 spec had defined
both these cases, but got them mixed up.
Jetty4 will definitely support this style of security constraint soon.
I think Jetty3 can also be made
Hi Greg,
Regarding the session key stuff we discussed briefly recently, you just
mentioned that JBoss doesn't use the HashUserRealm? Does this mean that
it uses a different way of generating session IDs?
If so, can someone point out the class?
cheers,
Luke.
--
Luke Taylor.