[
https://jira.jboss.org/jira/browse/JBAS-7698?page=com.atlassian.jira.plug...
]
Remy Maucherat updated JBAS-7698:
---------------------------------
Affects Version/s: JBossAS-5.1.0.GA
Assignee: Anil Saldhana (was: Remy Maucherat)
The subject is a fairly arbitrary construct, and I doubt it is a good idea to support
mutating security information anyway. Reassigning so that it gets reviewed.
Principal information used to check web security constraints should
be read from Subject
----------------------------------------------------------------------------------------
Key: JBAS-7698
URL: https://jira.jboss.org/jira/browse/JBAS-7698
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.1.0.GA
Environment: RHEL, JDK6u12, JBossAS 5.0.1
Reporter: eugene75
Assignee: Anil Saldhana
Priority: Minor
The JBossGenericPrincipal instance constructed and cached by JBossWebRealm.authenticate()
creates a copy of Subject caller principal, roles, password. Therefore any modifications
to the subject during the user's session are not propagated to the
JBossGenericPrincipal. It would be preferable if the data returned by
JBossGenericPrincipal came directly from the Subject object itself.
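An added illustration of the behaviour described above, not JBoss code and not part of the original issue. `Role`, `SnapshotPrincipal` and `LivePrincipal` are hypothetical stand-ins; only `javax.security.auth.Subject` from the JDK is used (Java 16+ for records). It shows that a copy taken at login misses a later role revocation, that a live view follows every later mutation, and that `Subject.setReadOnly()` blocks such mutation.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectSnapshotDemo {
    // Hypothetical role principal, standing in for what a login module stores in the Subject.
    record Role(String name) implements Principal {
        public String getName() { return name; }
    }

    // Copy-at-login behaviour as the issue describes it: roles are read once and cached.
    static final class SnapshotPrincipal {
        private final Set<String> roles = new HashSet<>();
        SnapshotPrincipal(Subject s) {
            for (Role r : s.getPrincipals(Role.class)) roles.add(r.getName());
        }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Behaviour the issue requests: every check reads the Subject itself.
    static final class LivePrincipal {
        private final Subject subject;
        LivePrincipal(Subject s) { subject = s; }
        boolean hasRole(String role) {
            for (Role r : subject.getPrincipals(Role.class))
                if (r.getName().equals(role)) return true;
            return false;
        }
    }

    public static void main(String[] args) {
        Subject subject = new Subject();            // constructed sample session
        subject.getPrincipals().add(new Role("user"));
        subject.getPrincipals().add(new Role("admin"));
        SnapshotPrincipal cached = new SnapshotPrincipal(subject);
        LivePrincipal live = new LivePrincipal(subject);

        subject.getPrincipals().remove(new Role("admin"));   // mid-session revocation
        System.out.println("revoked admin: cached=" + cached.hasRole("admin")
                + " live=" + live.hasRole("admin"));

        subject.getPrincipals().add(new Role("auditor"));    // mid-session addition
        System.out.println("added auditor: cached=" + cached.hasRole("auditor")
                + " live=" + live.hasRole("auditor"));

        subject.setReadOnly();                               // freeze the principal set
        try { subject.getPrincipals().add(new Role("root")); }
        catch (IllegalStateException e) { System.out.println("read-only Subject rejected the change"); }
    }
}
```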
--
This message is automatically generated by JIRA.