From "Randy Watler (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Resolved: (JS2-496) J2 on tomcat 5.5.15: 403 returned to client browser when any user that doesn't have admin role attempts to log in
Date Wed, 01 Mar 2006 09:07:50 GMT
     [ http://issues.apache.org/jira/browse/JS2-496?page=all ]
     
Randy Watler resolved JS2-496:
------------------------------

    Fix Version: 2.1-dev
     Resolution: Fixed
      Assign To: Randy Watler

JS2-496 fix - Support strict interpretation of authenticated role names in web.xml for tomcat 5.5.14+:

- the '*' role name in <auth-constraint> tags is interpreted as any role defined in the
  webapp web.xml file (not any role the application chooses to pass in the JAAS subject).

- test for authenticated user using pseudo role returned to container using JAAS subject:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/redirector</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>portal-user</role-name>
    </auth-constraint>
  </security-constraint>

- portal user pseudo role name can be specified in security-atn.xml configuration.

- default portal user pseudo role name is 'portal-user'.

- user roles defined in J2 remain included in the subject for those that wish to use
  finer-grained tests at the container level.

- this feature may be refined if container managed security is refactored to support
  J2EE style role usage patterns.


> J2 on tomcat 5.5.15: 403 returned to client browser when any user that doesn't have admin role attempts to log in
> -----------------------------------------------------------------------------------------------------------------
>
>          Key: JS2-496
>          URL: http://issues.apache.org/jira/browse/JS2-496
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-FINAL
>  Environment: Tomcat 5.5.15 (JDK 1.5, Apache 2, Fedora Core 3)
>     Reporter: Aaron Evans
>     Assignee: Randy Watler
>      Fix For: 2.1-dev

>
> When J2 is deployed on tomcat 5.5.15, whenever any user that does not have the admin role logs in, a 403 is returned for the URI /login/redirector.
> This does not occur on earlier releases of tomcat (5.5.9 for example).
> The user is in fact authenticated, for if you delete the /login/redirector from the URL in the browser and refresh, then the main page of the portal is shown and the user is authenticated.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
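The role-check behaviour described in the resolution above, as an added example that is not Jetspeed or Tomcat code: a small model of the container's <auth-constraint> check, showing why a non-admin user got a 403 under the strict '*' interpretation and why declaring the 'portal-user' pseudo role in both web.xml and the JAAS subject fixes it. The pre-fix web.xml ('*' on /login/redirector with only 'admin' declared) is an assumption inferred from the report, and all role sets are constructed.

```python
# Model of a servlet container's <auth-constraint> decision for an already
# authenticated user (the report notes the user is in fact authenticated).
# Added example, not project code; role names below are constructed.

PORTAL_USER_ROLE = "portal-user"          # default pseudo role per the fix

# Assumed pre-fix web.xml: '*' guards /login/redirector, only 'admin' declared.
CONSTRAINT_BEFORE, DECLARED_BEFORE = {"*"}, {"admin"}
# Post-fix web.xml from the resolution: explicit, declared pseudo role.
CONSTRAINT_AFTER, DECLARED_AFTER = {PORTAL_USER_ROLE}, {"admin", PORTAL_USER_ROLE}


def access_allowed(constraint_roles, declared_roles, subject_roles, strict):
    """True if the subject may reach the guarded resource.
    strict=True models Tomcat 5.5.14+: '*' expands only to roles declared
    in web.xml. strict=False models earlier releases, where '*' admits any
    authenticated user regardless of the roles in the JAAS subject."""
    if "*" in constraint_roles:
        if strict:
            return bool(declared_roles & subject_roles)
        return True
    return bool(constraint_roles & subject_roles)


def jaas_subject_roles(j2_roles, with_pseudo_role):
    """Roles Jetspeed places in the JAAS subject: the J2 roles stay in
    either case; the fix adds the pseudo role for every logged-in user."""
    roles = set(j2_roles)
    if with_pseudo_role:
        roles.add(PORTAL_USER_ROLE)
    return roles


def login_status(j2_roles, strict, fixed):
    """HTTP status a user holding j2_roles gets for /login/redirector."""
    subject = jaas_subject_roles(j2_roles, with_pseudo_role=fixed)
    constraint = CONSTRAINT_AFTER if fixed else CONSTRAINT_BEFORE
    declared = DECLARED_AFTER if fixed else DECLARED_BEFORE
    return 200 if access_allowed(constraint, declared, subject, strict) else 403


if __name__ == "__main__":
    # Tomcat 5.5.9 (lenient), 5.5.15 before the fix, 5.5.15 after the fix.
    for strict, fixed in ((False, False), (True, False), (True, True)):
        print(f"strict={strict} fixed={fixed}: manager ->",
              login_status({"manager"}, strict, fixed),
              "admin ->", login_status({"admin"}, strict, fixed))
```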



