[ http://issues.apache.org/jira/browse/GERONIMO-1440?page=all ]

David Jencks resolved GERONIMO-1440:
------------------------------------

    Resolution: Fixed

This patch shares info based on security realm name and basically ignores the realm-name from web.xml. You must supply a security-realm-name for any web app that asks e.g. isUserInRole().

Adding   modules/jetty/src/java/org/apache/geronimo/jetty/InternalJAASJettyRealm.java
Sending  modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java
Sending  modules/jetty/src/java/org/apache/geronimo/jetty/JettyContainer.java
Sending  modules/jetty/src/java/org/apache/geronimo/jetty/JettyContainerImpl.java
Sending  modules/jetty/src/java/org/apache/geronimo/jetty/JettyEJBWebServiceContext.java
Sending  modules/jetty/src/java/org/apache/geronimo/jetty/JettyServer.java
Sending  modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java
Sending  modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
Sending  modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java
Transmitting file data .........
Committed revision 367430.

> JAASJettyRealm not shared enough
> --------------------------------
>
>          Key: GERONIMO-1440
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1440
>      Project: Geronimo
>         Type: Bug
>   Components: web
>     Versions: 1.0
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.1
>
> There are a bunch of problems that lead back to missing JAASJettyRealms or
> multiple "equal" JAASJettyRealms.
>
> A JAASJettyRealm has an (external) realm name from the web.xml and an
> internal geronimo realm name and a map of user name to principal (which
> includes the Subject for that user) for logged in users. If you supply an
> (internal) security realm name, a JAASJettyRealm is registered with the
> HTTPContext and used for authentication, reauthentication, etc. If you don't
> supply a security realm name, but there is a realm name, then jetty tries to
> get the realm from the JettyServer. Here are some problems:
>
> 1. We never register our JAASJettyRealms with JettyServer, so if you don't
> supply a security realm name you eventually get NPEs if the app calls
> isUserInRole etc.
>
> Let's assume we fix (1).
>
> 2. If you have 2 apps A and B deployed with the same external realm name and
> internal realm name, only the last to start is registered with the
> JettyServer. Any other app C using the same realm name but no internal realm
> name will get the second realm. If we did a x-context dispatch from the
> first app A to C, C will be using the realm from B.
>
> I think that there should only be one JAASJettyRealm per external realm name,
> based on servlet spec 2.4 section 12.6. If you disagree, please say why :-).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
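The sharing rule the resolution comment settles on (one realm per Geronimo security-realm-name, web.xml realm-name ignored, and a hard requirement that any app calling isUserInRole() name a security realm) can be modelled in a few classes. The code below is an added illustration, not code from the Geronimo patch or project: RealmRegistry, SharedRealm and WebApp are hypothetical stand-ins for the container-wide registry, InternalJAASJettyRealm and a deployed web module, and the reference counting and the fail-fast IllegalStateException are design choices of this model rather than something the committed patch is known to do. It shows why keying on the security realm name fixes problem (2): apps A and B get the same object, a login through A is visible when a cross-context dispatch lands in B, undeploying A does not take the realm away from B, and app C, which supplies no security-realm-name, is rejected with a clear error instead of the NPE from problem (1).

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Geronimo code. RealmRegistry, SharedRealm and WebApp are
// hypothetical stand-ins that model only the sharing rule from the resolution comment.
public class RealmSharingModel {

    /** One instance per Geronimo security-realm-name, shared by every web app that names it. */
    static final class SharedRealm {
        final String securityRealmName;
        // user name -> principal; the real realm keeps the Subject here (string stand-in).
        final Map<String, String> loggedInUsers = new HashMap<String, String>();
        int refCount = 0; // web apps currently holding this realm

        SharedRealm(String securityRealmName) {
            this.securityRealmName = securityRealmName;
        }

        void login(String user, String principal) {
            loggedInUsers.put(user, principal);
        }

        boolean isAuthenticated(String user) {
            return loggedInUsers.containsKey(user);
        }
    }

    /** Container-wide registry keyed only by security-realm-name; the web.xml realm-name plays no part. */
    static final class RealmRegistry {
        private final Map<String, SharedRealm> realms = new HashMap<String, SharedRealm>();

        synchronized SharedRealm acquire(String securityRealmName) {
            SharedRealm realm = realms.get(securityRealmName);
            if (realm == null) {
                realm = new SharedRealm(securityRealmName);
                realms.put(securityRealmName, realm);
            }
            realm.refCount++;
            return realm;
        }

        /** Drops the realm only when the last app using it is undeployed. */
        synchronized void release(SharedRealm realm) {
            if (--realm.refCount == 0) {
                realms.remove(realm.securityRealmName);
            }
        }

        synchronized int size() {
            return realms.size();
        }
    }

    static final class WebApp {
        final String name;
        final String webXmlRealmName; // <realm-name> from web.xml: kept for display, never used for lookup
        final SharedRealm realm;      // null when the deployment plan gave no security-realm-name

        WebApp(String name, String webXmlRealmName, String securityRealmName, RealmRegistry registry) {
            this.name = name;
            this.webXmlRealmName = webXmlRealmName;
            this.realm = securityRealmName == null ? null : registry.acquire(securityRealmName);
        }

        /** Fails fast with a clear message instead of the NPE described in problem (1). */
        boolean isUserInRole(String user) {
            if (realm == null) {
                throw new IllegalStateException(name + ": isUserInRole() called but no security-realm-name was supplied");
            }
            return realm.isAuthenticated(user);
        }

        void undeploy(RealmRegistry registry) {
            if (realm != null) {
                registry.release(realm);
            }
        }
    }

    public static void main(String[] args) {
        RealmRegistry registry = new RealmRegistry();
        // Constructed deployment: A and B name the same security realm, C names none.
        WebApp a = new WebApp("A", "MyRealm", "geronimo-admin", registry);
        WebApp b = new WebApp("B", "MyRealm", "geronimo-admin", registry);
        WebApp c = new WebApp("C", "MyRealm", null, registry);

        System.out.println("A and B share one realm: " + (a.realm == b.realm));
        a.realm.login("alice", "alice-principal");                  // login via A ...
        System.out.println("B sees A's login: " + b.isUserInRole("alice")); // ... visible on a dispatch to B

        a.undeploy(registry);                                       // B must keep the realm it shares with A
        System.out.println("realm survives A's undeploy: " + b.isUserInRole("alice"));

        try {
            c.isUserInRole("alice");
        } catch (IllegalStateException e) {
            System.out.println("C rejected: " + e.getMessage());
        }
        b.undeploy(registry);                                       // last holder gone, registry empties
        System.out.println("realms left: " + registry.size());
    }
}
```

The point of keying on the internal security realm name rather than the web.xml realm-name is that the user-to-principal cache is only meaningful for the Geronimo realm that actually authenticated the user; two apps that happen to pick the same display name in web.xml but back it with different security realms must not see each other's Subjects, and the registry above makes that impossible by construction.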