Details
- Improvement
- Status: Closed
- Major
- Resolution: Duplicate
- 3.1
- None
- None
- Linux x86_64, Java 6
Description
Currently, TomcatSecurityService is registered as SystemInstance's RoleResolver component.
It overrides the AbstractSecurityService.getLogicalRoles() (which would grant a role with the same name as the principal name), and only interprets principals with its own inner classes: TomcatUser and RunAsRole.
Since the default user is not of either class, it yields an empty set of roles.
I see 2 possible solutions:
- Add a way to customize which role should be granted to an unauthenticated user
- Delegate to the default AbstractSecurityService when no roles are granted, like:
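    public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
        // current implementation (fills `roles` from TomcatUser and RunAsRole principals)
        if (roles.isEmpty()) {
            // nothing granted: delegate to the default AbstractSecurityService behaviour
            return super.getLogicalRoles(principals, logicalRoles);
        }
        return roles;
    }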
See http://www.nabble.com/Unauthenticated-principal-td21012809.html
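The behaviour described in this issue and the second proposal, as an added, self-contained example that is not OpenEJB's own code. `ContainerUser`, `byPrincipalName`, `containerOnly` and `withFallback` are hypothetical stand-ins, and filtering against `logicalRoles` is an assumption about how the default resolver uses that parameter.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

// Added illustration with stand-in classes; none of this is OpenEJB's own code.
public class RoleFallbackDemo {

    // Stand-in for a container principal such as TomcatUser (hypothetical shape).
    static final class ContainerUser implements Principal {
        final String name;
        final Set<String> granted;
        ContainerUser(String name, String... granted) {
            this.name = name;
            this.granted = new LinkedHashSet<>(Arrays.asList(granted));
        }
        public String getName() { return name; }
    }

    // Default behaviour as the issue describes it: grant the role named like the principal.
    static Set<String> byPrincipalName(Principal[] principals, Set<String> logicalRoles) {
        Set<String> roles = new LinkedHashSet<>();
        for (Principal p : principals)
            if (logicalRoles.contains(p.getName())) roles.add(p.getName());
        return roles;
    }

    // Overriding behaviour: only the resolver's own principal type is interpreted.
    static Set<String> containerOnly(Principal[] principals, Set<String> logicalRoles) {
        Set<String> roles = new LinkedHashSet<>();
        for (Principal p : principals)
            if (p instanceof ContainerUser)
                for (String r : ((ContainerUser) p).granted)
                    if (logicalRoles.contains(r)) roles.add(r);
        return roles;
    }

    // Second proposal: fall back to the default only when nothing was granted.
    static Set<String> withFallback(Principal[] principals, Set<String> logicalRoles) {
        Set<String> roles = containerOnly(principals, logicalRoles);
        return roles.isEmpty() ? byPrincipalName(principals, logicalRoles) : roles;
    }

    public static void main(String[] args) {
        Set<String> logical = new LinkedHashSet<>(Arrays.asList("guest", "admin"));
        Principal[] anon = { () -> "guest" };                       // constructed default principal
        Principal[] user = { new ContainerUser("alice", "admin") }; // constructed authenticated user
        System.out.println("override only, default user: " + containerOnly(anon, logical));
        System.out.println("with fallback, default user: " + withFallback(anon, logical));
        System.out.println("with fallback, container user: " + withFallback(user, logical));
    }
}
```

With the fallback in place, any principal whose name equals a logical role name receives that role, so the name given to the default (unauthenticated) principal should not match a privileged role.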