OpenEJB / OPENEJB-1120

TomcatSecurityService should grant the guest role when no user is logged in

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.2
    • Fix Version/s: 3.1.3
    • Component/s: tomee
    • Labels:
      None
    • Environment:
      Linux 64 bits, Java 6u16

      Description

      The default SecurityService returns, in getLogicalRoles, the names of principals when the logical roles match their names.
      TomcatSecurityService, however, overrides this method, interpreting its own principal classes: TomcatUser and RunAsRole, and does not follow the default behavior of SecurityService.
      It should interpret any principal, as SecurityService does, granting matching names for logical roles / principal.getName().
      There is an old mailing list thread which covers the subject: http://old.nabble.com/Unauthenticated-principal-td21012809.html

      1. TomcatSecurityService_DefaultRole.patch
        1.0 kB
        Luis Fernando Planella Gonzalez
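
The two role-resolution behaviours contrasted in the description, as an added example that is not OpenEJB code and not the attached patch. The types ContainerUser and NamedPrincipal and both method names are hypothetical stand-ins, the sample roles are constructed, and Java 16 or later is assumed.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class LogicalRolesDemo {
    // Hypothetical stand-in for a container-specific principal that carries its own roles.
    record ContainerUser(String name, Set<String> containerRoles) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical principal of any other type, e.g. the identity used when nobody is logged in.
    record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Reported behaviour: only the known type is interpreted; other principals add nothing.
    static Set<String> knownTypesOnly(List<Principal> principals, Set<String> logicalRoles) {
        Set<String> roles = new LinkedHashSet<>();
        for (Principal p : principals) {
            if (p instanceof ContainerUser u) {
                for (String r : u.containerRoles()) {
                    if (logicalRoles.contains(r)) roles.add(r);
                }
            }
        }
        return roles;
    }

    // Requested behaviour: principals of unknown type fall back to the default rule,
    // which grants a logical role whose name equals principal.getName().
    static Set<String> withDefaultFallback(List<Principal> principals, Set<String> logicalRoles) {
        Set<String> roles = knownTypesOnly(principals, logicalRoles);
        for (Principal p : principals) {
            if (!(p instanceof ContainerUser) && logicalRoles.contains(p.getName())) {
                roles.add(p.getName());
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        Set<String> declared = Set.of("guest", "admin"); // constructed logical roles
        List<Principal> anonymous = List.of(new NamedPrincipal("guest")); // no user logged in
        List<Principal> loggedIn = List.of(new ContainerUser("alice", Set.of("admin")));
        System.out.println(knownTypesOnly(anonymous, declared));
        System.out.println(withDefaultFallback(anonymous, declared));
        System.out.println(withDefaultFallback(loggedIn, declared));
    }
}
```

Because the fallback matches on getName() alone, the name given to the unauthenticated identity decides which logical role it receives, so that role should carry only the permissions meant for guests.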

        Activity

        Luis Fernando Planella Gonzalez created issue -
        Luis Fernando Planella Gonzalez added a comment -

        Patch to follow the same behavior as SecurityService when the principal is of an "unknown" type

        Luis Fernando Planella Gonzalez made changes -
        Attachment TomcatSecurityService_DefaultRole.patch [ 12428194 ]
        Jean-Louis MONTEIRO made changes -
        Assignee Jean-Louis MONTEIRO [ jean-louis.monteiro@atosorigin.com ]
        Jean-Louis MONTEIRO added a comment -

        Committed revision 893523.
        Thanks Luis!

        Jean-Louis MONTEIRO made changes -
        Status Open [ 1 ] Closed [ 6 ]
        Fix Version/s 3.1.3 [ 12314215 ]
        Resolution Fixed [ 1 ]

          People

          • Assignee:
            Jean-Louis MONTEIRO
            Reporter:
            Luis Fernando Planella Gonzalez