[
https://issues.apache.org/jira/browse/GERONIMO-4124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12607023#action_12607023
]
David Jencks commented on GERONIMO-4124:
----------------------------------------
work done on this issue in code:
trunk rev. 670236
Improved run-as tests in testsuite
trunk rev. 670237
The behavior in the tests agrees between jetty and tomcat but I don't think
it's right. With this scenario:
user logs in in role foo
Servlet1 configured with run-as role baz
forwards to servlet2 with no run-as role
calls ejb
the ejb sees only role foo. In other words forwarding to servlet 2 has erased
the run-as information from servlet 1.
In addition there's a questionable case:
in the above scenario, should servlet 2 see foo or baz? Currently it sees foo.
-------------------------------------------------
(1) is fixed; we install either the actual or default subject before checking
WebUserDataPermissions and never call the non-jacc tomcat code
(2) is invalid, the Subject comes directly from ContextManager
(3) seems to be the only way to get form auth to work. I think it's causing
the behavior I think is wrong noted above.
> Tomcat jacc usage is messed up
> ------------------------------
>
> Key: GERONIMO-4124
> URL: https://issues.apache.org/jira/browse/GERONIMO-4124
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: Tomcat
> Affects Versions: 2.0.2, 2.1.1, 2.2
> Reporter: David Jencks
> Assignee: David Jencks
> Fix For: 2.0.x, 2.1.2, 2.2
>
>
> Several problems:
> 1. UserDataPermissions are not getting evaluated by jacc due to the check for
> Subject in handler data.
> 2. Subject is never set into handler data (also a problem in jetty, dunno
> about openejb).
> 3. TomcatGeronimoRealm is calling ContextManager.setCallers before permission
> checks. This is wrong.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
