[ http://issues.apache.org/jira/browse/JS2-302?page=comments#action_12330779 ]

Michael Lipp commented on JS2-302:
----------------------------------

I accept closing this issue. I just want to point out that the problem is not 
JBoss specific (though a solution may be). AFAIK, *every* Servlet container 
saves the credentials obtained from form based login somehow and re-uses them 
when accessing (secured) EJBs. So anyone using a portlet that accesses secured 
EJBs will run into this problem, independent of the AS used.

It has always been a shortcoming of the servlet specification that there is no 
API to put new credentials in the store. The problem is well known. E.g. if you 
have a Web service, you cannot use form based authentication, yet you need to 
set credentials (coming with the request) if you want to access (secured) EJBs 
from your servlet (most people ignore the risks that arise from having 
unsecured EJBs and never notice, though). However, the AS specific solutions 
from the Web service domain are not easily transferable to Jetspeed.

The only portable solution I can think of currently is (1) automatically 
logging the user out after a password change and requesting him to re-login (I 
have seen this on some sites) or (2) generating a response that makes the 
browser submit the authentication form with the new credentials automatically 
(requires JavaScript).

I'll keep the issue on my list and look at it again if I have the time.
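The first portable option above (force a logout after the password change so the container's cached credentials are dropped and re-captured at the next login) can be shown as a plain servlet. This is an added example, not code from Jetspeed or from the comment's author; `PasswordStore` and the `passwordStore` context attribute are hypothetical stand-ins for whatever credential store the application uses, and it assumes only the standard `javax.servlet` API.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Handles POST /changePassword. After the password has been updated in the
 * application's store, the HTTP session is invalidated so that the credentials
 * the container captured at FORM login (now stale) are discarded, and the user
 * is sent back to the login form to authenticate with the new password.
 */
public class ChangePasswordServlet extends HttpServlet {

    /** Hypothetical credential store interface; not a Jetspeed or JBoss API. */
    public interface PasswordStore {
        boolean verify(String user, String password);
        void update(String user, String newPassword);
    }

    private PasswordStore store;

    @Override
    public void init() throws ServletException {
        // Assumption: the application registers its store under this attribute.
        store = (PasswordStore) getServletContext().getAttribute("passwordStore");
        if (store == null) {
            throw new ServletException("passwordStore attribute not configured");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only an authenticated principal may change its own password.
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String oldPw = req.getParameter("oldPassword");
        String newPw = req.getParameter("newPassword");
        // Re-verify the current password before accepting a new one.
        if (oldPw == null || newPw == null || !store.verify(user, oldPw)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Password verification failed");
            return;
        }
        store.update(user, newPw);

        // The container's cached login credentials live with the session;
        // invalidating it throws them away together with all session state.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // After re-login the container caches the new credentials, so EJB calls
        // made on behalf of this user succeed again.
        resp.sendRedirect(req.getContextPath() + "/login.jsp?reason=password-changed");
    }
}
```

Note that `HttpSession.invalidate()` discards every attribute stored in the session, not just the login state, so any portlet or application state kept there is lost as well; that is the price of the portable approach compared to an AS specific hook that replaces only the cached credentials.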


> Password change not propagated to JBoss
> ---------------------------------------
>
>          Key: JS2-302
>          URL: http://issues.apache.org/jira/browse/JS2-302
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-dev/cvs
>  Environment: JBoss/HSQL
>     Reporter: Michael Lipp
>     Assignee: Ate Douma
>      Fix For: 2.0-M4

>
> In Tomcat/JBoss the credentials used to authenticate in the Web tier (Tomcat) 
> are saved in some "global variables" during login. This information is 
> subsequently used when a servlet tries to access an EJB. This happens in the 
> security "adaption layer" of tomcat.
> If a user changes his or her password, the saved credentials are not updated, 
> and as a consequence all accesses to EJBs fail. A workaround is to logout and 
> re-login after a password change (for the advanced user who knows what 
> happens ;-)).
