[ https://issues.apache.org/jira/browse/GERONIMO-4124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12607023#action_12607023 ]

David Jencks commented on GERONIMO-4124:
----------------------------------------

Work done on this issue in code:

trunk rev. 670236
Improved run-as tests in testsuite
trunk rev. 670237

The behavior in the tests agrees between jetty and tomcat but I don't think it's right. With this scenario:

- user logs in in role foo
- Servlet1 configured with run-as role baz
- forwards to servlet2 with no run-as role
- calls ejb
- the ejb sees only role foo.

In other words, forwarding to servlet 2 has erased the run-as information from servlet 1.

In addition there's a questionable case: in the above scenario, should servlet 2 see foo or baz? Currently it sees foo.

-------------------------------------------------

(1) is fixed; we install either the actual or default subject before checking WebUserDataPermissions and never call the non-jacc tomcat code.
(2) is invalid, the Subject comes directly from ContextManager.
(3) seems to be the only way to get form auth to work. I think it's causing the behavior I think is wrong noted above.

> Tomcat jacc usage is messed up
> ------------------------------
>
>                 Key: GERONIMO-4124
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4124
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: Tomcat
>    Affects Versions: 2.0.2, 2.1.1, 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.0.x, 2.1.2, 2.2
>
>
> Several problems:
> 1. UserDataPermissions are not getting evaluated by jacc due to the check for Subject in handler data.
> 2. Subject is never set into handler data (also a problem in jetty, dunno about openejb).
> 3. TomcatGeronimoRealm is calling ContextManager.setCallers before permission checks. This is wrong.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.