On Tue, Feb 10, 2004 at 10:19:22AM -0800, Jeremy Boynes wrote:
> [EMAIL PROTECTED] wrote:
>
> >dblevins 2004/02/10 03:06:27
> >
> > Modified: modules/security/src/java/org/apache/geronimo/security
> > ContextManager.java
> > Log:
> > Modified isCallerInRole and getCallerPrinciple to handle the situation
> > where the caller is not known, as is the case when the security
> > interceptor
> > is dissabled.
> >
>
> Hey David
>
> I have concerns about disabling the security interceptor - isn't that
> going to leave us wide open?
Just using your code:
if (setSecurityInterceptor) {
firstInterceptor = new EJBSecurityInterceptor(firstInterceptor,
contextId, new PermissionManager(ejbName, vopFactory.getSignatures()));
}
>
> If we do it, can't we just replace it with a 'null' interceptor that
> just injects a dummy principal. That way all the downstream code can
> work as usual and we are less likely to break things like IIOP propagation.
Sounds like a plan.
>
> --
> Jeremy
--
David
