Bugs item #489294, was opened at 2001-12-05 00:58 You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=376685&aid=489294&group_id=22866
Category: JBossServer Group: v2.4 BETA (stable) Status: Open Resolution: None Priority: 5 Submitted By: Konstantin Pribluda (ko5tik) Assigned to: Nobody/Anonymous (nobody) Summary: Security Problem (Stopper!!!!) Initial Comment: I encountered this problem in JB 2.4.2-TC-3.2.1 ( not sure with tomcat ) and tested it with JB-244/TC-3.2.4 Problem can be reproduced really easy: 1. Take JSP which includes another jsp via <jsp:include>. 2. Put it under security control. 3. Put following in cour jsp: <%= SecurityAssociation.getPrincipal().toString() %> before <jsp:include> And place it also after <jsp:include> 4. Watch those funny null pointer errors, and try to find where they come, and what they mean. Conclusion: with Principal stored SecurityAssociation == null you can forget about security stuff while calling your EJB - they get no principal and no roles propagated to them. Why it happens ( my humble option ): <jsp:include> issues some kind of subrequest, so JBossSecurityMgrRealm.postService() is called. It resets any security setting. PS: I need a quick solution. ASAP, if possible I'm not sure I can fix it myself the right way. Was principal zeroing good for something? Can I subclass JBossSecurityMgrRealm and disable this behaviour? What would happen then? ---------------------------------------------------------------------- >Comment By: Konstantin Pribluda (ko5tik) Date: 2001-12-05 10:03 Message: Logged In: YES user_id=91100 Well, I just waded through tomcat code, and also added some debug outputs anf found that JbossSecurityMgrReaml resets SecurityAssociation on end of every subrequest. This is WRONG!!!!! After first <jsp:include> there is no more principal. ( BTW, why do you reset it? To prevent leaking of authentication to not-secured template objects? ) ---------------------------------------------------------------------- You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=376685&aid=489294&group_id=22866 _______________________________________________ Jboss-development mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-development