If you perform a cross-context include from web app A to web app B, the JACC contextID fetched from PolicyContext when isUserInRole is evaluated in web app B is the contextID for A, not B.
Presumably the cross-context dispatch does not go through the PolicyContextValve for B: in the trace below, the include into B goes from ApplicationDispatcher straight into B's ApplicationFilterChain, and PolicyContextValve appears only once, in A's valve chain. Here's a thread trace that demonstrates this, with a couple of annotations.
http-0.0.0.0-8080-Processor24@43e daemon prio=5, in group "main", status: RUNNING
implies():80, GeronimoPolicy.java
implies():46, JaasPolicyCoordinator.java
implies():189, ProtectionDomain.java
checkPermission():254, AccessControlContext.java
hasRole():248, TomcatGeronimoRealm.java
isUserInRole():2128, Request.java
isUserInRole():761, RequestFacade.java
isUserInRole():163, HttpServletRequestWrapper.java
isUserInRole():163, HttpServletRequestWrapper.java
isUserInRole():163, HttpServletRequestWrapper.java
isUserInRole():163, HttpServletRequestWrapper.java
isUserInRole():265, PortletRequestImpl.java
_jspService():46, roles.jsp
service():97, HttpJspBase.java
service():688, HttpServlet.java
service():322, JspServletWrapper.java
serviceJspFile():314, JspServlet.java
service():264, JspServlet.java
service():688, HttpServlet.java
internalDoFilter():252, ApplicationFilterChain.java
doFilter():173, ApplicationFilterChain.java
invoke():672, ApplicationDispatcher.java
doInclude():574, ApplicationDispatcher.java
include():499, ApplicationDispatcher.java
include():72, JetspeedRequestDispatcher.java
doView():363, GenericServletPortlet.java
doDispatch():250, GenericPortlet.java
render():178, GenericPortlet.java
render():102, JetspeedPortletInstance.java
THIS IS WEB APP B
doGet():230, JetspeedContainerServlet.java
service():595, HttpServlet.java
service():688, HttpServlet.java
internalDoFilter():252, ApplicationFilterChain.java
doFilter():173, ApplicationFilterChain.java
invoke():672, ApplicationDispatcher.java
doInclude():574, ApplicationDispatcher.java
include():499, ApplicationDispatcher.java
THIS IS A INCLUDING B
invoke():213, ServletPortletInvoker.java
render():125, ServletPortletInvoker.java
renderPortlet():119, PortletContainerImpl.java
renderPortlet():120, JetspeedPortletContainerWrapper.java
execute():120, RenderingJobImpl.java
renderNow():110, PortletRendererImpl.java
aggregateAndRender():199, PageAggregatorImpl.java
aggregateAndRender():182, PageAggregatorImpl.java
build():106, PageAggregatorImpl.java
invoke():48, AggregatorValve.java
invokeNext():166, JetspeedPipeline.java
invoke():132, ActionValveImpl.java
invokeNext():166, JetspeedPipeline.java
invoke():76, ContainerValve.java
invokeNext():166, JetspeedPipeline.java
invoke():100, DecorationValve.java
invokeNext():166, JetspeedPipeline.java
invoke():179, ProfilerValveImpl.java
invokeNext():166, JetspeedPipeline.java
invoke():143, LoginValidationValveImpl.java
invokeNext():166, JetspeedPipeline.java
invoke():148, PasswordCredentialValveImpl.java
invokeNext():166, JetspeedPipeline.java
invoke():168, LocalizationValveImpl.java
invokeNext():166, JetspeedPipeline.java
run():117, AbstractSecurityValve.java
doPrivileged():-1, AccessController.java
doAsPrivileged():437, Subject.java
invoke():111, AbstractSecurityValve.java
invokeNext():166, JetspeedPipeline.java
invoke():55, PortalURLValveImpl.java
invokeNext():166, JetspeedPipeline.java
invoke():128, CapabilityValveImpl.java
invokeNext():166, JetspeedPipeline.java
invoke():145, JetspeedPipeline.java
service():231, JetspeedEngine.java
THIS IS WEB APP A:
doGet():226, JetspeedServlet.java
service():595, HttpServlet.java
service():688, HttpServlet.java
internalDoFilter():252, ApplicationFilterChain.java
doFilter():173, ApplicationFilterChain.java
invoke():672, ApplicationDispatcher.java
processRequest():463, ApplicationDispatcher.java
doForward():398, ApplicationDispatcher.java
forward():301, ApplicationDispatcher.java
doForward():693, PageContextImpl.java
forward():660, PageContextImpl.java
_jspService():16, index.jsp
service():97, HttpJspBase.java
service():688, HttpServlet.java
service():322, JspServletWrapper.java
serviceJspFile():314, JspServlet.java
service():264, JspServlet.java
service():688, HttpServlet.java
internalDoFilter():252, ApplicationFilterChain.java
doFilter():173, ApplicationFilterChain.java
invoke():213, StandardWrapperValve.java
invoke():178, StandardContextValve.java
invoke():52, DefaultSubjectValve.java
invoke():432, AuthenticatorBase.java
invoke():262, GeronimoStandardContext.java
invoke():52, PolicyContextValve.java
invoke():53, TransactionContextValve.java
invoke():47, ComponentContextValve.java
invoke():60, InstanceContextValve.java
invoke():126, StandardHostValve.java
invoke():105, ErrorReportValve.java
invoke():107, StandardEngineValve.java
invoke():541, AccessLogValve.java
service():148, CoyoteAdapter.java
process():868, Http11Processor.java
processConnection():663, Http11BaseProtocol.java
processSocket():527, PoolTcpEndpoint.java
runIt():80, LeaderFollowerWorkerThread.java
run():684, ThreadPool.java
run():552, Thread.java
This demonstrates that cross-context dispatch should not be used on geronimo-tomcat until this and the related problems are fixed. Besides the wrong security permissions being applied, the JNDI context is also wrong.