Clearing both the principal and credential is required to indicate an unauthorized user. The existence of the non-null credential and a null principal will cause the problem seen by Ignacio.
xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx

----- Original Message -----
From: "Jan Bartel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, March 22, 2002 2:36 AM
Subject: Re: [jetty-discuss] [Fwd: [JBoss-dev] Authentication with Jetty]

> OK chaps, I'm going to have a shot at providing a solution to this.
>
> I think what is happening is that Jetty is only setting the Principal
> to null after it is finished handling a request, rather than both the
> Principal *and* the Credential. Therefore, when no user has been
> authenticated, both Principal and Credential will be null. However,
> after a user has been authenticated, there will be a thread with a null
> Principal but a still set Credential.
>
> Now I haven't fully traced back the intricacies of the security code,
> but I notice that there are a few tests like:
> if (username == null && password == null)
> use the unauthenticatedIdentity;
>
> I am assuming that maybe the username and password are obtained from the
> thread's SecurityAssociation.getPrincipal() and
> SecurityAssociation.getPassword().
>
> So, in short I've made sure we null out *both*
> SecurityAssociation.Principal and SecurityAssociation.Credential.
>
> Update your tree to get the new
> $JBOSSHOME/jetty/src/main/org/jboss/jetty/Jetty.java.
>
> If that doesn't fix it, then I definitely give up :-)
>
> Jan
>

_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
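The failure mode discussed in this thread, as an added example that is not JBoss or Jetty code: a minimal thread-local stand-in for SecurityAssociation, a worker thread that serves an authenticated request and then an anonymous one, and the "both null means unauthenticated identity" test Jan quotes. The class and method names (SecurityAssociationDemo, resolveIdentity, clearPrincipalOnly, clearBoth, simulate) and the decision to treat a null principal with a leftover credential as a failed login are assumptions made for illustration; the real JBoss login modules are not reproduced here.

```java
import java.security.Principal;

// Added illustration, not JBoss/Jetty source. Models a per-thread security
// association, the incomplete cleanup Jan describes (principal cleared,
// credential left set), and the fix (clear both).
public class SecurityAssociationDemo {

    /** Stand-in for a thread-local security association (assumed, simplified). */
    static final class SecurityAssociation {
        private static final ThreadLocal<Principal> principal = new ThreadLocal<>();
        private static final ThreadLocal<Object> credential = new ThreadLocal<>();

        static void setPrincipal(Principal p) { principal.set(p); }
        static void setCredential(Object c) { credential.set(c); }
        static Principal getPrincipal() { return principal.get(); }
        static Object getCredential() { return credential.get(); }
    }

    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /**
     * The test quoted in the thread: only a fully empty association maps to the
     * unauthenticated identity. A null principal with a non-null credential is
     * treated here as a failed login (assumption for the demo).
     */
    static String resolveIdentity(String unauthenticatedIdentity) {
        Principal p = SecurityAssociation.getPrincipal();
        Object c = SecurityAssociation.getCredential();
        if (p == null && c == null) {
            return unauthenticatedIdentity;
        }
        if (p == null) {
            throw new SecurityException("login failed: null principal with stale credential");
        }
        return p.getName();
    }

    /** Incomplete cleanup: clears the principal only, leaving the credential behind. */
    static void clearPrincipalOnly() {
        SecurityAssociation.setPrincipal(null);
    }

    /** Correct cleanup: clears both halves of the association. */
    static void clearBoth() {
        SecurityAssociation.setPrincipal(null);
        SecurityAssociation.setCredential(null);
    }

    /**
     * Runs one pooled worker thread through an authenticated request followed by
     * an anonymous request, with either cleanup strategy between them, and
     * returns the identity the second request resolves to.
     */
    static String simulate(boolean clearCredentialToo) throws InterruptedException {
        final String[] result = new String[1];
        Thread worker = new Thread(() -> {
            // Request 1: an authenticated user (constructed sample data).
            SecurityAssociation.setPrincipal(new SimplePrincipal("alice"));
            SecurityAssociation.setCredential("s3cret".toCharArray());
            resolveIdentity("guest");

            // End of request 1: Jetty's cleanup step.
            if (clearCredentialToo) {
                clearBoth();
            } else {
                clearPrincipalOnly();
            }

            // Request 2: an anonymous request on the same thread.
            try {
                result[0] = resolveIdentity("guest");
            } catch (SecurityException e) {
                result[0] = "ERROR: " + e.getMessage();
            }
        });
        worker.start();
        worker.join();
        return result[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("principal-only clear: " + simulate(false));
        System.out.println("clear both:           " + simulate(true));
    }
}
```

Compile and run it as SecurityAssociationDemo.java. With the principal-only clear the anonymous request on the reused thread is rejected because the credential from the previous request is still attached; with both fields cleared it resolves to the unauthenticated identity. The general lesson is that any per-thread security context in a thread-pooled server must be reset as a unit at request end, or state from one caller leaks into the next.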