  1. OpenEJB
  2. OPENEJB-984

TomcatSecurityService and unauthenticated user roles

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.1
    • Fix Version/s: None
    • Component/s: tomee
    • Labels:
      None
    • Environment:
      Linux x86_64, Java 6

      Description

      Currently, TomcatSecurityService is registered as SystemInstance's RoleResolver component.
      It overrides the AbstractSecurityService.getLogicalRoles() (which would grant a role with the same name as the principal name), and only interprets principals with its own inner classes: TomcatUser and RunAsRole.
      Since the default user is not of either class, it yields an empty set of roles.

      I see 2 possible solutions:

      • Add a way to customize which role should be granted to an unauthenticated user
      • Delegate to the default AbstractSecurityService when no roles are granted, like:

      public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
          // current implementation
          if (roles.isEmpty()) {
              // no container-specific roles were resolved: delegate to the default resolver
              return super.getLogicalRoles(principals, logicalRoles);
          }
          return roles;
      }

      See http://www.nabble.com/Unauthenticated-principal-td21012809.html
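
The fallback proposed above, modelled as an added example (not OpenEJB's code): `BaseResolver`, `ContainerResolver` and `ContainerUser` are hypothetical stand-ins for AbstractSecurityService, TomcatSecurityService and TomcatUser, and the principal and role names are constructed. It also shows that the fallback fires for any principal left with no roles, so an authenticated user whose name equals a declared role would receive that role.

```java
import java.security.Principal;
import java.util.*;

public class RoleFallbackDemo {
    // Stand-in for the default resolver: a principal whose name is a declared role gets that role.
    static class BaseResolver {
        Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
            Set<String> roles = new LinkedHashSet<>();
            for (Principal p : principals)
                if (logicalRoles.contains(p.getName())) roles.add(p.getName());
            return roles;
        }
    }

    // Stand-in for the container's own principal type, carrying container-assigned roles.
    static final class ContainerUser implements Principal {
        final String name;
        final Set<String> containerRoles;
        ContainerUser(String name, String... roles) {
            this.name = name;
            this.containerRoles = new HashSet<>(Arrays.asList(roles));
        }
        public String getName() { return name; }
    }

    // Stand-in for the container resolver: it only understands ContainerUser principals.
    static class ContainerResolver extends BaseResolver {
        final boolean fallback;
        ContainerResolver(boolean fallback) { this.fallback = fallback; }
        @Override
        Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
            Set<String> roles = new LinkedHashSet<>();
            for (Principal p : principals) {
                if (!(p instanceof ContainerUser)) continue; // unknown principal type: ignored
                for (String r : ((ContainerUser) p).containerRoles)
                    if (logicalRoles.contains(r)) roles.add(r);
            }
            if (roles.isEmpty() && fallback) return super.getLogicalRoles(principals, logicalRoles);
            return roles;
        }
    }

    public static void main(String[] args) {
        Set<String> declared = new HashSet<>(Arrays.asList("admin", "guest"));
        Principal[] anonymous = { () -> "guest" };            // constructed default principal
        Principal[] noRoles = { new ContainerUser("admin") }; // authenticated, no container roles
        System.out.println("anonymous, no fallback: " + new ContainerResolver(false).getLogicalRoles(anonymous, declared));
        System.out.println("anonymous, fallback:    " + new ContainerResolver(true).getLogicalRoles(anonymous, declared));
        System.out.println("no-role user, fallback: " + new ContainerResolver(true).getLogicalRoles(noRoles, declared));
    }
}
```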

            People

            • Assignee:
              jlmonteiro Jean-Louis Monteiro
              Reporter:
              luisfpg Luis Fernando Planella Gonzalez
            • Votes:
              0
              Watchers:
              1
