Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
Description
QPID-7549 exposed a defect that HTTP threads are not always carrying a Subject.
- We should ensure that HTTP threads always carry a Subject. If the user is not yet authenticated, this will simply be a Subject containing a ManagementConnectionPrincipal. I think this is best done once in a filter, towards the front of the filter chain. The management thread, working on behalf of the user, must also ensure that the task executor subject is not inherited.
- Is there a reason why AuthenticationResultCacher should not consider all SocketConnectionPrincipal rather than just ConnectionPrincipal? I realise that if Qpid were to be behind a web proxy, then there would be no uniqueness added (as the end point would be the same), but the same argument could be made about AMQP if it were using an AMQP proxy.
- I think the responsibilities for preemptive authentication and possibly SASL authentication should be refactored into filters. I think the current code is hard to follow (separate JIRA).
The simple fix for qpid-java-6.1.x will be carried out under QPID-7549.
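The first point above, as an added example that is not Qpid's own code: a front-of-chain step that always runs the rest of the request under a Subject, so downstream code never sees a null Subject. The class and method names are hypothetical, `NamedPrincipal` stands in for the broker's ManagementConnectionPrincipal, the filter chain is modelled without the servlet API, and the JAAS calls (`Subject.doAs`, `Subject.getSubject`) assume Java 8 to 17.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import javax.security.auth.Subject;

public class SubjectFilterDemo {
    // Hypothetical stand-in for ManagementConnectionPrincipal and user principals.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Front-of-chain step: build a Subject that always holds the connection
    // principal, add the user's principals if already authenticated, then run
    // the rest of the chain inside Subject.doAs.
    static <T> T filter(String remoteAddress, Subject authenticated, Supplier<T> restOfChain) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamedPrincipal("connection:" + remoteAddress));
        if (authenticated != null) {
            subject.getPrincipals().addAll(authenticated.getPrincipals());
        }
        subject.setReadOnly(); // later filters cannot alter the principal set
        return Subject.doAs(subject, (PrivilegedAction<T>) restOfChain::get);
    }

    // Downstream code (e.g. a result cache keyed on the connection) can now
    // fail loudly instead of hitting a NullPointerException on a missing Subject.
    static String describeCaller() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) {
            throw new IllegalStateException("HTTP thread carries no Subject");
        }
        return s.getPrincipals().stream().map(Principal::getName)
                .collect(Collectors.joining(", "));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one unauthenticated and one authenticated request.
        System.out.println(filter("192.0.2.10:51234", null, SubjectFilterDemo::describeCaller));
        Subject user = new Subject();
        user.getPrincipals().add(new NamedPrincipal("user:alice"));
        System.out.println(filter("192.0.2.10:51234", user, SubjectFilterDemo::describeCaller));
    }
}
```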
Issue Links
- relates to: QPID-7549 [Java Broker] Authentication using SimpleLDAP authentication provider fails with NPE when caching of authentication results is enabled (by default) - Closed