[ http://issues.apache.org/jira/browse/GERONIMO-1425?page=comments#action_12362192 ]
David Jencks commented on GERONIMO-1425:
----------------------------------------

I believe this is fixed for jetty: the problem I had with Jetspeed is now solved. (also fixed GERONIMO-1440)

Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JettyContainer.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JettyContainerImpl.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JettyServer.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java
Sending        modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
Transmitting file data ......
Committed revision 367263.

> access to unprotected web resource after login does not use correct Subject
> ---------------------------------------------------------------------------
>
>          Key: GERONIMO-1425
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1425
>      Project: Geronimo
>         Type: Bug
>   Components: Tomcat, web
>     Versions: 1.1
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.1
>
> This applies to both jetty and tomcat.
> Currently we are installing the correct authenticated Subject in
> ContextManager only when you access a protected resource. For any access to
> unprotected resources, even after logon, we are installing the default
> Subject in the ContextManager. This appears to violate this from servlet
> spec 2.4 12.7:
> A security identity, or principal, must always be provided for use in a call
> to an enterprise bean. The default mode in calls to enterprise beans from web
> applications is for the security identity of a web user to be propagated to
> the EJB(TM) container.
> After logon, the security identity of the user is known, whether or not they
> are visiting a protected resource. Therefore the default is to use this
> identity in ejb calls, which for us requires putting the authenticated
> subject in the ContextManager.
> Alan Cabrera has some doubts that this spec language actually requires us to
> implement the default behavior stated here, and I agree that a strict reading
> does not seem to require this, but IIUC we agree that we should implement
> this behavior anyway.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
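The following is an added illustration, not Geronimo code and not part of this issue: a toy model of the behaviour the report describes, in which a thread-local holder (the hypothetical CALLER field, standing in for ContextManager) receives either the authenticated Subject or the default one before a downstream EJB-style call reads the caller identity. The names SubjectPropagationDemo, dispatchBuggy, dispatchFixed and ejbCallerName are assumptions made for the example.

```java
import javax.security.auth.Subject;
import java.security.Principal;
import java.util.Set;

// Hypothetical model of the report: CALLER stands in for the container's
// ContextManager; the two dispatch methods show the reported and the intended
// behaviour for an unprotected resource after logon.
public class SubjectPropagationDemo {
    static final ThreadLocal<Subject> CALLER = new ThreadLocal<>();
    static final Subject DEFAULT_SUBJECT = new Subject(); // anonymous caller

    static final class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // A Subject carrying one named principal, as a login would produce.
    static Subject authenticated(String user) {
        Subject s = new Subject();
        s.getPrincipals().add(new Named(user));
        return s;
    }

    // Stands in for a downstream EJB call that authorises on the current caller.
    static String ejbCallerName() {
        Set<Principal> p = CALLER.get().getPrincipals();
        return p.isEmpty() ? "<default>" : p.iterator().next().getName();
    }

    // Reported behaviour: the authenticated Subject is installed only when the
    // resource is protected; any other request runs as the default Subject.
    static String dispatchBuggy(Subject session, boolean protectedResource) {
        CALLER.set(protectedResource && session != null ? session : DEFAULT_SUBJECT);
        try { return ejbCallerName(); } finally { CALLER.remove(); }
    }

    // Intended behaviour: once the user has logged on, their Subject is
    // installed for every request, protected or not.
    static String dispatchFixed(Subject session, boolean protectedResource) {
        CALLER.set(session != null ? session : DEFAULT_SUBJECT);
        try { return ejbCallerName(); } finally { CALLER.remove(); }
    }

    public static void main(String[] args) {
        Subject alice = authenticated("alice");
        System.out.println("buggy, protected:   " + dispatchBuggy(alice, true));
        System.out.println("buggy, unprotected: " + dispatchBuggy(alice, false));
        System.out.println("fixed, unprotected: " + dispatchFixed(alice, false));
        System.out.println("fixed, no login:    " + dispatchFixed(null, false));
    }
}
```

The second line of output is the defect: a logged-on user reaching an unprotected page has EJB calls made under the default identity, so bean-side authorization checks see the wrong caller.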