|
Mantis - Resin
|
|||||
| Viewing Issue Advanced Details | |||||
|
|
|||||
| ID: | Category: | Severity: | Reproducibility: | Date Submitted: | Last Update: |
| 4621 | major | always | 06-16-11 11:52 | 06-17-11 11:25 | |
|
|
|||||
| Reporter: | dicr | Platform: | |||
| Assigned To: | ferg | OS: | |||
| Priority: | normal | OS Version: | |||
| Status: | closed | Product Version: | 4.0.19 | ||
| Product Build: | Resolution: | fixed | |||
| Projection: | none | ||||
| ETA: | none | Fixed in Version: | 4.0.20 | ||
|
|
|||||
| Summary: | 0004621: Can't assign user roles with JaasAuthenticator | ||||
| Description: |
I'm using JaasAuthenticator with my custom LoginModule, which add implementation of java.security.Principal as username and java.security.acl.Group with roles names to Subject as described here: http://stuffthathappens.com/blog/2008/05/16/writing-a-custom-jaas-loginmodule/ [^] This works great in JBoss and Tomcat. But Resin's isUserInRole always return false because of implementation JaasAuthenticator.java: if (principal instanceof RolePrincipal) return ((RolePrincipal) principal).isUserInRole(role); else return "user".equals(role); } So, Resin recognize only those principal as roles, which is instance of com.caucho.server.security.RolePrincipal. This is not correct and cause application to become Resin-dependent. The specification does not define which principles are roles, but the use of standard JAAS classes for code portability is always preferable, then to bind to a particular web-server. Please, consider to use standard java.security.acl.Group as roles descriptor instead of platform-dependent com.caucho.server.security.RolePrincipal. |
||||
| Steps To Reproduce: | |||||
| Additional Information: | |||||
| Relationships | |||||
| Attached Files: | |||||
| Notes | |||||
|
|
|||||
|
|
||||
|
|
|||||
|
|
||||